What’s your Plan for when you’re Hacked?
What’s your plan on how to handle a security breach? How will you react when you’re hacked? Yes, that’s a “when” and not an “if”. Eventually it will happen. You’d better be prepared. If you ask a...
All .NET Identities now Derive From ClaimsIdentity
With .NET 4.5 a new base class for identities was introduced: the ClaimsIdentity class. The reason is that Windows Identity Foundation has been fully incorporated into the .NET framework and it has...
An Open Source ASP.NET SAML2 Service Provider
I’m happy to announce an open source ASP.NET SAML2 Service Provider. SAML2 is a common standard for single sign on in enterprise environments. A Service Provider in SAML2 is a web site that allows log...
Kentor.AuthServices 0.4.0 SAML2 for ASP.NET Released
Version 0.4.0 of the Kentor.AuthServices SAML2 package for ASP.NET is now released. The release contains an important security fix and some other improvements. Contents Improved verification of XML...
ASP.NET Identity and Owin Overview
ASP.NET Identity is the reworked, flexible replacement for the old membership system that has been around since ASP.NET 2.0. ASP.NET Identity is better designed and more flexible than the old membership...
NDC 2014 Highlights
Last week, I was in beautiful Oslo in Norway most of the week for NDC 2014. It was a great conference and I’d like to point out a few highlights. For the first time, I was a speaker at a major...
Understanding the Owin External Authentication Pipeline
Owin makes it easy to inject new middleware into the processing pipeline. This can be leveraged to inject breakpoints in the pipeline, to inspect the state of the Owin context during authentication....
Writing an Owin Authentication Middleware
Owin and Katana offer a flexible pipeline for external authentication with existing providers for authentication by Google, Facebook, Twitter and more. It is also possible to write your own custom...
Kentor.AuthServices SAML2 Owin Middleware Released
I just pushed the first version of our Owin SAML2 middleware to nuget and github as part of Kentor.AuthServices 0.5.2. Kentor.AuthServices is a SAML2 Service Provider implementation for ASP.NET,...
Kentor.AuthServices 0.7.2 SAML2 for ASP.NET Released
Last week we released version 0.7.2 of the Kentor.AuthServices SAML2 Service Provider for ASP.NET. With this release and the 0.6.0 the week before (that I never blogged about) we’ve introduced some new...
Kentor.AuthServices 0.8.0 SAML2 for ASP.NET Released
We continue to improve the Kentor.AuthServices SAML2 Service Provider for ASP.NET with the release of version 0.8.0. With this release the entire configuration system has been rebuilt, to enable...
Kentor.AuthServices 0.9.0 SAML2 for ASP.NET Released
The Kentor.AuthServices SAML2 Service Provider has got one important improvement for simplified operations: automatic metadata refresh. Identity providers and federations configured by loading metadata...
Using Owin External Login without ASP.NET Identity
ASP.NET MVC5 has excellent support for external social login providers (Google, Facebook, Twitter) integrating with the ASP.NET Identity system. But what if we want to use external logins directly...
Catching the System.Web/Owin Cookie Monster
Cookies set through the Owin API sometimes mysteriously disappear. The problem is that deep within System.Web, there has been a cookie monster sleeping since the dawn of time (well, at least since .NET...
SAML2 for Thinktecture IdentityServer 3 with Kentor.AuthServices
Using the Kentor.AuthServices SAML2 Service Provider with Thinktecture IdentityServer 3 bridges the gap between SAML2 and OAuth2/OpenID Connect. Thinktecture IdentityServer 3 supports clients using the...
Secure Account Activation with ASP.NET Identity
Distribution of credentials to new users of a system is often done in an insecure way, with passwords being sent over unsecured e-mail. With ASP.NET Identity, the password recovery functionality can be...
An Always Valid XML Signature
XML Signatures are powerful, but also a bit tricky to get right. Here’s a challenge: I have a signature that will validate, even though the contents of the XML document are altered. This is the “magic”...
XML Signatures and References
Last week I showed a peculiar XML Signature that validates even though the containing document was changed. The reason is that the signature lacks References. Before explaining what’s wrong with the...
Vulnerability in .NET SignedXml
.NET’s SignedXml class has had a risky implementation for lookup of XML elements by id in GetIdElement() when resolving signed XML references. The lookup validated only the first element if there are...
Breaking Changes to SignedXml in MS16-035
Earlier this month, Microsoft released MS16-035 that addresses issues I previously reported in SignedXml. They did not only fix the duplicate Id vulnerability I reported, though; they also fixed a...