About

I work as an associate consultant for the Germany-based company thinktecture (http://www.thinktecture.com). My main area of focus is security in general and identity & access control in particular. I help customers around the world implement claims-based identity, single sign-on, authorization and federation in their web applications, services and APIs. I am also an international conference speaker and the author of “Developing more-secure ASP.NET Application” and co-author of the Microsoft Patterns & Practices “Guide to Claims-based Identity and Access Control”.

55 Responses to About

  1. José luis says:

    Hello dominick
    I have read your course on Pluralsight about identity and access control in 4.5 and I would like to know why you haven’t talked about SimpleMembership or UniversalMembership.

    Also, please could you recommend me a reading or code project to learn identity claims with Universal or SimpleMembership?

  2. Matthew Belk says:

    Dominick,

    Is the demo code from your PluralSight course available as part of the upgraded subscription? It doesn’t appear to be in the IdentityModel45 source code from GitHub, unless I’m not looking in the right place.

    The course was very instructive, but I would like to be able to refer back to the code.

    Thanks.

    • thanks!

      You can get the code from PluralSight.

      • Matthew Belk says:

        Got the code; thanks. I’m having trouble reconciling that sample with the IdentityModel samples in that I would like to be able to have FormsAuth coexist with BasicAuth using the IdentityModel paradigm with ClaimsTransformation so that I can have a “normal” MVC app with jQuery, knockout, etc. client views targeting a WebAPI while at the same time allowing mobile apps (of all stripes, iOS, Android, etc) access to the same WebAPI via Basic Auth (or some other more appropriate scheme).

        Thanks,
        Matthew

      • Matthew Belk says:

        I should add that I’d like to leverage the SessionAuthenticationModule functionality like in the PluralSight demo code as well as the “AuthenticationHandler” and “ClaimsTransformationHandler” from the IdentityModel samples.

        Thanks,
        Matthew

      • Dominick Baier says:

        Yeah – will try to get a sample up and running.

  3. Macropus says:

    Hi Dom,

    Does your thinktecture library run on MonoTouch? I would like to implement ADFS Claims on iOS.

    Thanks,
    James

  4. @matthew: that should work ;)

    If I have time I will throw a sample together for that scenario. Right now I am too busy.

    • Matthew Belk says:

      That would be great, thanks. I’m sure I’m not the only person trying to reconcile these two concepts. Would you recommend using the ClaimsAuthenticationManager property of the AuthenticationConfiguration or just nesting the ClaimsTransformationHandler inside the AuthenticationHandler? I would think that nesting the handlers would seem to be “more correct,” since it would appear to make for a more composable solution.

      -M

  5. Brooks says:

    Hello Dominick. I apologize in advance for the long post. I was unsure of how else to send this to you. Anyway…

    ASP.NET MVC 4/Web API Single Page App for Mobile Devices … Needs Authentication

    We have developed an ASP.NET MVC 4/Web API single page, mobile website (also using jQuery Mobile) that is intended to be accessed only from mobile devices (e.g., iPads, iPhones, Android tablets and phones, etc.), not desktop browsers. This mobile website will be hosted internally, like an intranet site. However, since we’re accessing it from mobile devices, we can’t use Windows authentication. We still need to know which user (and their role) is logging in to the mobile website app.

    We tried simply using ASP.NET’s forms authentication and membership provider, but couldn’t get it working exactly the way we wanted. What we need is for the user to be prompted for a user name and password only on the first time they access the site on their mobile device. After they enter a correct user name and password and have been authenticated once, each subsequent time they access the site they should just go right in. They shouldn’t have to re-enter their credentials (i.e., something needs to be saved locally to each device to identify the user after the first time).

    This is where we had troubles. Everything worked as expected the first time. That is, the user was prompted to enter a user name and password, and, after doing that, was authenticated and allowed into the site. The problem is every time after the browser was closed on the mobile device, the device and user were not known and the user had to re-enter user name and password.

    We tried lots of things too. We tried setting persistent cookies in JavaScript. No good. The cookies weren’t there to be read the second time. We tried manually setting persistent cookies from ASP.NET. No good. We, of course, used FormsAuthentication.SetAuthCookie(model.UserName, true); as part of the forms authentication framework. No good. We tried using HTML5 local storage. No good. No matter what we tried, if the user was on a mobile device, they would have to log in every single time. (Note: we’ve tried on an iPad and iPhone running both iOS 5.1 and 6.0, with Safari configured to allow cookies, and we’ve tried on Android 2.3.4.)

    Is there some trick to getting a scenario like this working?
    Or, do we have to write some sort of custom authentication mechanism? If so, how? And, what?
    Or, should we use something like claims-based authentication and WIF?
    Or???

    Any help is appreciated.
    Thanks!
    Brooks
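One thing worth checking for the symptom Brooks describes, as an added example that is not code from this page or its author: since ASP.NET 2.0, FormsAuthentication.SetAuthCookie(name, true) issues a persistent cookie whose expiry is "now + the forms timeout" (30 minutes by default), so a "remember me" cookie can be gone before the user comes back, even though it was written correctly. The code below builds the ticket directly so the lifetime and the cookie flags are explicit, and includes a diagnostic that decrypts the cookie a device sent back and reports how long it has left. It assumes ASP.NET 4.x forms authentication with a fixed machineKey; method and parameter names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not code from this page or its author. Assumes ASP.NET 4.x forms
// authentication with a fixed <machineKey> (needed for the ticket to survive app
// restarts and across web-farm nodes). Method and parameter names are hypothetical.
public static class PersistentFormsAuth
{
    // FormsAuthentication.SetAuthCookie(name, true) issues a persistent cookie whose
    // expiry is "now + <forms timeout>" (30 minutes by default), so a "remember me"
    // cookie can silently be gone by the time the user opens the site again. Building
    // the ticket directly makes the lifetime and the cookie flags explicit.
    public static HttpCookie CreateAuthCookie(string userName, TimeSpan lifetime, bool secureConnection)
    {
        if (string.IsNullOrEmpty(userName))
        {
            throw new ArgumentException("userName must not be empty", "userName");
        }

        DateTime issued = DateTime.UtcNow;
        var ticket = new FormsAuthenticationTicket(
            2,                                      // ticket version
            userName,
            issued,
            issued.Add(lifetime),
            true,                                   // persistent
            string.Empty,                           // userData
            FormsAuthentication.FormsCookiePath);

        // Encrypt + MAC with the machineKey, which is what SetAuthCookie does internally.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Expires = ticket.Expiration;         // makes the browser keep it across restarts
        cookie.HttpOnly = true;                     // not readable by page scripts
        cookie.Secure = secureConnection || FormsAuthentication.RequireSSL;
        if (!string.IsNullOrEmpty(FormsAuthentication.CookieDomain))
        {
            cookie.Domain = FormsAuthentication.CookieDomain;
        }
        return cookie;
    }

    // Diagnostic for the "logged out after closing the browser" symptom: decrypt the
    // cookie the device sent back and report how long the ticket is still valid.
    public static TimeSpan? RemainingLifetime(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;                            // no cookie arrived at all
        }
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
            {
                return TimeSpan.Zero;
            }
            return ticket.Expiration - DateTime.Now;
        }
        catch (ArgumentException)
        {
            return null;                            // tampered, or encrypted with another machineKey
        }
        catch (HttpException)
        {
            return null;
        }
    }
}

// Usage in a controller, after Membership.ValidateUser succeeded:
//   Response.Cookies.Add(PersistentFormsAuth.CreateAuthCookie(model.UserName, TimeSpan.FromDays(14), Request.IsSecureConnection));
//   var left = PersistentFormsAuth.RemainingLifetime(Request.Cookies[FormsAuthentication.FormsCookieName]);
```

If RemainingLifetime returns null although the device did log in once, the cookie is not being sent back at all (or it was encrypted with a different machineKey), which points at the client or at the server configuration rather than at the ticket lifetime; if it returns zero shortly after login, the forms timeout is the culprit.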

  6. gmetzker says:

    Hi Dominick. I’ve been reading all your post and just watched your PluralSight video. All very interesting & informative, so thank you.

    My organization is building a new site with MVC & Web API, so I’ve been researching solutions to authentication/authorization, account storage, WIF, token protocols etc… Your IdentityServer seems like it would provide some solutions out of the box, but I’m curious if you have played around with Windows Azure Active Directory preview? It appears it would provide all the standard account storage like: users, roles, etc… but also provide authentication and STS.

    I would enjoy a post on this from your perspective. I think you would offer some good insight.

    Thanks much!

    • I have played with WAAD. But it is CTP currently with no announced RTM date.

      I think WAAD is a compelling solution but we don’t know the final feature set yet. Also – but that may be a European thing – most of my customers don’t like the idea that their business accounts are in the cloud…

  7. Hello – been reading a lot of your posts the past days – but I started running my head against the wall with an error I haven’t been able to solve.

    I have been running MVC4 on .NET 4.0 with no issues and decided that I wanted to upgrade to 4.5. My prior solution (wif.swt from NuGet) does not work with this and therefore I have been trying to come up with a solution from reading your posts.

    I am trying to setup Azure ACS as issuer and have configured my config file like this:

    But I only get an exception that the issuer is invalid. From within your lib:

    // check issuer name registry for allowed issuers
    string issuerName = null;
    if (base.Configuration.IssuerNameRegistry != null)
    {
        issuerName = base.Configuration.IssuerNameRegistry.GetIssuerName(token);
        if (string.IsNullOrEmpty(issuerName))
        {
            throw new SecurityTokenValidationException("Invalid issuer ");
        }
    }

    I downloaded the code and tried to debug, and I found that the token is correct, and the issuer of the token is https://s-innovations.accesscontrol.windows.net/. I don’t know how GetIssuerName() works or what I’m missing to get it to work.

    I have been looking over all your samples and didn’t find a solution.

    • I wouldn’t use SWT at all. Simply use SAML and add the signing cert thumbprint to the issuer name registry.

      • Okay. The reason I used SWT is because I’m authenticating my Windows 8 Store App. It seemed like the easiest solution. To authenticate a Windows 8 app with the web broker I needed to make ACS return to a POST controller on my site which redirects it back to the Windows 8 app.

        (And the reason why I want an SWT token for my Windows 8 app is that I need to authenticate it when calling my Web API.)

        Do you know anything about this? Would it be better to use SAML2 and then transform it to an SWT for my Windows 8 app when that’s needed, and then make my Web API be authenticated by SWT? (I could not get SAML2 working for the Windows 8 app because the token was too long to send over the query string.)
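To make the "Invalid issuer" path in comment 7 concrete, here is an added example of what sits behind GetIssuerName; it is not the thinktecture library's code. The SAML token handlers in System.IdentityModel hand the token that signed the incoming token (an X509SecurityToken for a certificate-signed SAML token) to IssuerNameRegistry.GetIssuerName; whatever string it returns becomes the Issuer of the resulting claims, and a null or empty return means "not trusted", which is exactly the exception quoted above. The built-in ConfigurationBasedIssuerNameRegistry does this from the trustedIssuers element in web.config (one add element per thumbprint and name); the class below does the same in code so the check is visible. The thumbprint is a placeholder, the relying-party realm is assumed, and the issuer name is the ACS namespace from the comment.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;

// Added example (not the thinktecture library's code). Maps the thumbprint of the
// certificate that signed a SAML token to an issuer name. The token handler calls
// GetIssuerName with the signing token; null means "not trusted" and produces the
// "Invalid issuer" exception quoted in the comment above. The thumbprint value is a
// placeholder; the issuer name is the ACS namespace from the comment.
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // SHA-1 thumbprint (hex, as shown in the ACS portal and in certmgr) -> issuer name
    private readonly Dictionary<string, string> trusted =
        new Dictionary<string, string>(StringComparer.Ordinal);

    public void AddTrustedIssuer(string thumbprint, string issuerName)
    {
        trusted[Normalize(thumbprint)] = issuerName;
    }

    public override string GetIssuerName(SecurityToken securityToken)
    {
        // Only certificate-signed tokens are acceptable here. Tokens signed with a
        // symmetric key or an unknown key type are rejected by returning null.
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
        {
            return null;
        }

        string issuerName;
        return trusted.TryGetValue(Normalize(x509Token.Certificate.Thumbprint), out issuerName)
            ? issuerName
            : null;
    }

    // Thumbprints copied from certificate dialogs often contain spaces and mixed case;
    // compare hex digits only.
    private static string Normalize(string thumbprint)
    {
        if (string.IsNullOrEmpty(thumbprint))
        {
            throw new ArgumentException("thumbprint must not be empty", "thumbprint");
        }
        return thumbprint.Replace(" ", string.Empty).ToUpperInvariant();
    }
}

public static class HandlerConfigurationSetup
{
    // Wire the registry into a SecurityTokenHandlerConfiguration. The issuer check is one
    // of two checks that must both be in place; the audience restriction is the other.
    public static SecurityTokenHandlerConfiguration Build()
    {
        var registry = new ThumbprintIssuerNameRegistry();
        // Placeholder thumbprint: replace with the ACS namespace's current signing
        // certificate thumbprint. During a certificate rollover register both thumbprints.
        registry.AddTrustedIssuer(
            "0000000000000000000000000000000000000000",
            "https://s-innovations.accesscontrol.windows.net/");

        var config = new SecurityTokenHandlerConfiguration();
        config.IssuerNameRegistry = registry;
        // Assumed relying-party realm; tokens issued for any other audience are rejected.
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://relyingparty.example/"));
        return config;
    }
}
```

The thumbprint is what makes this a trust decision: the issuer URL inside the token is attacker-controlled text, the thumbprint identifies the key that actually produced the signature. A SWT token signed with a shared symmetric key never arrives as an X509SecurityToken, which is one reason the SAML route suggested in the reply fits this registry directly.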

  8. It might be that I’m building on top of a bad solution I have from when I used WIF in 4.0 – have you done any samples with a Windows 8 app as client? The experience I had when I used it last was using Azure ACS and the built-in API AuthenticationBroker that sends a request to ACS, and because it can’t receive the POST coming back from ACS we need to tell it to post it to a controller on the web backend (Web API).

    public HttpResponseMessage Post()
    {
        var response = this.Request.CreateResponse(HttpStatusCode.Redirect);

        response.Headers.Add("Location", "/api/federation/end?acsToken=" +
            ((ClaimsIdentity)((ClaimsPrincipal)HttpContext.Current.User).Identity).BootstrapToken);
        return response;
    }

    (Also, BootstrapToken has been replaced with a BootstrapContext – I haven’t started looking into the differences of that.)

  9. Louis Hansen says:

    Hello Dominick,

    Can you recommend any samples on how to have multiple clients communicate with the same STS through different endpoints, either using the IdentityServer or through a Custom STS?
    I’m trying to get multiple clients to connect to a WCF service that needs to be secured, but the clients are coming both through SOAP (Windows app, AD credentials) and through REST (web site, JSON requests, forms authentication), and I can’t seem to get things to communicate well together.

    • Could you explain a little more?

      IdentityServer supports multiple protocols/endpoints that would be suitable for SOAP and REST services….

      • Louis Hansen says:

        I have the following scenario.
        I want to create a business layer that will serve two presentation layers, a Windows application and a Web application.
        The business layer will be a WCF service that needs to offer its methods to both Windows and web.
        The Windows application will want to use SOAP to be able to create a proxy and simplify development as much as possible, whereas the web site will want to use REST in order to support JSON.
        My problem is then that I want my WCF service to have these two endpoints, which I can do, but I also want to setup an STS that can authenticate both presentation layers.
        I know this means that the STS will need one endpoint for the SOAP and one for the JSON/REST, but I have simply been unable to find any good example of how to set this up.

  10. William Bosacker says:

    Hey Dominick,

    I liked your “Securing ASP.NET Web APIs” video (https://vimeo.com/43603474) and was trying to get the code files that you were working with, but it appears that the http://goo.gl/00OC2 link is not working. Is there a different link that we can use to get the code presented in the video?

    Thanks…

  11. Oscar says:

    Hello Dominick,
    I’m using WCF Data Services. For authorization purposes I need to pass the token from the client application (an MVC 3 website with Claims) to the service.
    You posted exactly the solution I need here:
    http://leastprivilege.com/2010/05/05/thinktecture-identitymodel-wif-support-for-wcf-rest-services-and-odata/
    But I can’t find that sample code in github or in the current source code. Maybe it’s deprecated?
    Any help you can provide is greatly appreciated.
    Thanks.

  12. @Louis:

    In IdSrv terms – the SOAP endpoint is the WS-Trust endpoint. The JSON/REST endpoint is OAuth2.

  13. Matt says:

    Dominick, Hi I’ve been watching your Pluralsight videos and reading your book “A Guide to Claims-Based Identity and Access Control”. All great content. At my job right now they have rolled their own STS because they have to support both AD and AD LDS (light-weight directory services). It is an older STS and has been used only with active clients in the past. Now I am tasked with building a web app that requires a passive endpoint which currently does not exist. I don’t think this custom STS is fully WIF enabled, for instance it doesn’t even expose a federated metadata xml file. Anyways, I have the control to upgrade this STS or maybe even ditch it for a more standard STS, but the main requirement being that it must support LDS in addition to AD. Does the requirement to support LDS lead us towards building a custom STS? or are they both supported out of the box? Any advice would be much appreciated.

  15. David Peden says:

    Hey Dominick, I was excited to see https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/53 as I’ve been thinking about trying to leverage v2 in a web role as well. However, I was obviously disappointed to see that you say v2 is not yet ready in that capacity. Can you shed some light on what is deficient about v2 in terms of Azure support?

    • Well – in theory you can deploy on Windows Azure (Cloud Services). You just need to move all config and the user database to SQL Azure. You also need to deploy the signing and SSL certs using the Azure portal.

      It is just that we didn’t have the time to properly test and document it.

      The more attractive model is Azure Web Sites – but they have the problems I mentioned earlier.

  16. gentlehag says:

    Hey Dominick. I’ve seen your Pluralsight course about Identity and Access Control. Now I have a question. Perhaps you can help me.

    In the example or “Authentication Session Demo” you modify the account controller to store the cookie. Before that, there was a FormsAuthentication.SetAuthCookie call. Now in the newer ASP MVC 4 (.NET 4.5) templates there is a WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe) call, which has a parameter to tell whether a cookie should be set.

    Am I right that I have to pass false for cookie creation and set the cookie afterwards manually like shown in the course?

    PS: A short comparison / explanation of WebSecurity vs. old asp pattern would be great

    • Well – I don’t use this new pattern because I don’t like it. They try to solve every problem “with one line of code” ;)

      This new login method seems to validate the credential and set the cookie in one go. So you can’t use that with the session facility. You have to decouple just like I did.

      • gentlehag says:

        Ok thx for your reply. I tried to adapt the template but then the antiforgery token validation tells me that something is wrong. That possibly the nameidentifier or identityprovider claim doesn’t meet expectations.

        Currently I’m using this template because it wraps very easily the OAuth Features for Facebook, twitter and so on ;-)

        So I would have to completely redesign the pattern and make all this on my own?

  17. This “something” that is wrong is actually explained in the error message. You have to find out which claim(s) in your system make up a unique identifier. You somehow need to be able to uniquely identify users.
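The decoupling described in the replies above (validate the credential, then issue the session cookie separately) and the anti-forgery claim question from comment 16, as one added example; this is neither the course's nor the MVC 4 template's code. Membership.ValidateUser only checks the password and writes nothing, the user is then expressed as a ClaimsPrincipal, and the WIF SessionAuthenticationModule writes the session cookie. The anti-forgery token in MVC 4 builds its user identity from claims and by default expects the NameIdentifier plus IdentityProvider pair that ACS issues, so for a local login the single claim that uniquely identifies the user has to be named explicitly. The example assumes the SessionAuthenticationModule is registered in web.config and that a membership and a role provider are configured; the lifetimes and the controller shape are choices made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not the Pluralsight course's or the MVC 4 template's code. Assumes the
// SessionAuthenticationModule is registered in web.config and that a membership and a role
// provider are configured. Lifetimes and the controller shape are choices made for the example.
public class AccountController : Controller
{
    // The MVC 4 anti-forgery token derives its user identity from claims. By default it
    // wants NameIdentifier together with IdentityProvider (the ACS pair); for a local login
    // tell it which single claim is the stable identifier. Call once, e.g. in Application_Start.
    public static void ConfigureAntiForgery()
    {
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, bool rememberMe, string returnUrl)
    {
        // Step 1: credential validation only. Unlike WebSecurity.Login this writes no cookie.
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError(string.Empty, "The user name or password provided is incorrect.");
            return View();
        }

        // Step 2: express the user as claims; a ClaimsAuthenticationManager can enrich them later.
        MembershipUser user = Membership.GetUser(userName);
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, (user.ProviderUserKey ?? userName).ToString()),
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.AuthenticationMethod, AuthenticationMethods.Password)
        };
        if (Roles.Enabled)
        {
            foreach (string role in Roles.GetRolesForUser(userName))
            {
                claims.Add(new Claim(ClaimTypes.Role, role));
            }
        }
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Forms"));

        // Step 3: hand the principal to the SessionAuthenticationModule, which protects it
        // and writes the FedAuth cookie. "Remember me" only controls cookie persistence.
        SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
        if (sam == null)
        {
            throw new InvalidOperationException("SessionAuthenticationModule is not registered in <modules>.");
        }
        TimeSpan lifetime = rememberMe ? TimeSpan.FromDays(7) : TimeSpan.FromHours(8);
        var token = new SessionSecurityToken(principal, lifetime) { IsPersistent = rememberMe };
        sam.WriteSessionTokenToCookie(token);

        // Open-redirect guard: only follow return URLs that stay on this site.
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Action("Index", "Home"));
    }
}
```

Whatever claim is chosen for UniqueClaimTypeIdentifier has to be present on every authenticated identity, including ones produced by the external (OAuth) logins the template wraps; if some identities carry it and others do not, the anti-forgery validation fails for the latter with the message quoted above.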

    • Boas Enkler says:

      In a ASP MVC 4 Webapplication.
      Would you use some kind of framework (if yes which framework for example dotnetopenauth?)? Make the calls yourself or something else?

  18. I like:
    http://brockallen.com/2012/10/26/integrating-claims-and-oauth2/

    or DNOA (which is used in the MVC4 template)

    It depends on your needs. Brock’s implementation is cleaner IMO.

  19. Michael says:

    Dominick,

    Does the Identity server have a config setting that governs password attempts before lockout?

    Michael

  20. Please use the GitHub issue tracker for IdSrv questions…

    This is up to the account store implementation. If you use the built-in asp.net membership provider, that’s configurable, yes (but it is not an identity server feature per se).

  21. UD says:

    Hi Dominick
    I downloaded the latest Zip version of the source code from GitHub, opened it in VS 2012 and tried to build the solution. While building the project Thinktecture.IdentityServer.Core.Repositories I run into the following error. Can you please let me know what I might be doing wrong? Thank you

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets(2291,5): error MSB3553: Resource file “obj\Debug\Thinktecture.IdentityServer.Core.Repositories.Migrations.SqlServer.InitialMigration.resources” has an invalid name. The item metadata “%(FullPath)” cannot be applied to the path “obj\Debug\Thinktecture.IdentityServer.Core.Repositories.Migrations.SqlServer.InitialMigration.resources”. C:\SoftwareDownLoad\Thinktecture.IdentityServer.v2-master_01082012\Thinktecture.IdentityServer.v2-master\src\Libraries\Thinktecture.IdentityServer.Core.Repositories\obj\Debug\Thinktecture.IdentityServer.Core.Repositories.Migrations.SqlServer.InitialMigration.resources

  22. Michael De Marco says:

    Dominick, I have been working with your IdentityServer2 solution. I have written you before. I saw a potential error in your code as I was debugging the code below. There is a dependency on the relying party to have a forward slash ‘/’ at the end of the relying party URL. If not, your code does not handle this condition gracefully. It should probably handle cases with and without forward slashes. In other words, if I register a relying party with your STS in the form
    https://10.100.0.60/relyingparty without the trailing forward slash there are problems when I navigate to https://10.100.0.60/relyingparty/ or https://10.100.0.60/relyingparty. If I register it with a forward slash at the end it is okay in one or both of the cases, as I don’t remember which one or if okay in both. FYI I found that in the relying party configuration for the code below, and specifically if the trailing forward slash was not there we have issues.

    public bool TryGet(string realm, out RelyingParty relyingParty)
    {
        relyingParty = null;

        using (var entities = IdentityServerConfigurationContext.Get())
        {
            var match = (from rp in entities.RelyingParties
                         where rp.Realm.Equals(realm, StringComparison.OrdinalIgnoreCase) &&
                               rp.Enabled == true
                         orderby rp.Realm descending
                         select rp)
                        .FirstOrDefault();

            if (match != null)
            {
                relyingParty = match.ToDomainModel();
                return true;
            }
        }

        return false;
    }

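The trailing-slash mismatch in comment 22 is a realm canonicalisation problem: the lookup above compares the stored realm string with the wtrealm from the request byte for byte (ignoring case), so "https://10.100.0.60/relyingparty" and "https://10.100.0.60/relyingparty/" are two different relying parties. An added example of a canonical comparison follows; it is not IdentityServer code. It tolerates the differences that are not meaningful for a realm (trailing slash, letter case in scheme and host, an explicit default port) while still requiring exact equality of the normalised form, so "/relyingparty-other" or "/relyingparty/sub" do not match a realm registered as "/relyingparty". The realm values are constructed for the example.

```csharp
using System;

// Added example, not IdentityServer code: canonical comparison of a configured
// relying-party realm with the realm presented in a request (wtrealm).
public static class RealmMatcher
{
    // Canonical form: lower-case scheme and host, default port dropped, path without a
    // trailing slash, query and fragment dropped. URN-style realms have no host and are
    // compared verbatim. Returns null for anything that is not an absolute URI.
    public static string Normalize(string realm)
    {
        Uri uri;
        if (string.IsNullOrWhiteSpace(realm) || !Uri.TryCreate(realm.Trim(), UriKind.Absolute, out uri))
        {
            return null;
        }

        if (uri.Host.Length == 0)
        {
            return uri.OriginalString;                       // e.g. urn:my-relying-party
        }

        string port = uri.IsDefaultPort ? string.Empty : ":" + uri.Port;
        string path = uri.AbsolutePath.TrimEnd('/');         // "/relyingparty/" -> "/relyingparty"
        return uri.Scheme.ToLowerInvariant() + "://" + uri.Host.ToLowerInvariant() + port + path;
    }

    // Equality of the canonical forms, never a prefix or substring match: a token must
    // only ever be issued for the exact relying party that was registered.
    public static bool Matches(string configuredRealm, string requestedRealm)
    {
        string a = Normalize(configuredRealm);
        string b = Normalize(requestedRealm);
        return a != null && b != null && string.Equals(a, b, StringComparison.Ordinal);
    }
}

// Matches("https://10.100.0.60/relyingparty",  "https://10.100.0.60/relyingparty/")      -> true
// Matches("https://10.100.0.60/relyingparty",  "HTTPS://10.100.0.60:443/relyingparty")   -> true
// Matches("https://10.100.0.60/relyingparty",  "https://10.100.0.60/relyingparty/sub")   -> false
// Matches("https://10.100.0.60/relyingparty",  "https://10.100.0.60/relyingparty-other") -> false
```

Because String.Equals with a StringComparison argument cannot be translated into a database query, the practical way to use this with a lookup like TryGet is to store Normalize(realm) at registration time and normalise the incoming realm before the query, so the database comparison is a plain equality on canonical strings.
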
  23. Rafi G. says:

    Hello,
    I’m trying to get documentation on Thinktecture.IdentityServer.v1 and I hit this dead link – http://wiki.thinktecture.com/IdentityServer.MainPage.ashx

    Can I find the documentation elsewhere?

    Thanks,
    Rafi

  24. Don W. says:

    Hi Dominick,

    I’ve found your information on Pluralsight very helpful. I ended up implementing a Custom UserName Password Validator with your nuget package. I’m just writing to say thank you, and that it seems Microsoft needs to update their documentation. If I hadn’t watched your training videos I would have had no idea that there were changes in .Net 4.5 to the security infrastructure.
    http://msdn.microsoft.com/en-us/library/aa702565.aspx Seems like they need to revisit this section in particular :)

  25. Andy Cohen says:

    Dominick,

    Is the source code available from your video: http://vimeo.com/43603474?
