A Refresh of the Identity and Access Tool for VS 2012

Byvibro on
3 Comments

image

Today we released a refresh of the Identity and Access Tool for Visual Studio 2012.
We moved the current release # from 1.0.2 to 1.1.0.
VS should let you know that there’s a new version  waiting for you, but if you’re in a hurry you can go here and get it right away.

We didn’t add any new features: this is largely a service release, with lots of bug fixes.

There is an exception to that, though. We changed the way in which we handle issuer validation of incoming tokens. We now use the ValidatingIssuerNameRegistry by default; however we also added in the UI the necessary knobs for you to opt out and fall back on the old ConfigBasedIssuerNameRegistry, should you need to. Details below.

The New Issuer Validation Strategy

Traditionally, WIF tools (from fedutil.exe in .NET 3.5 and 4.0 to the Identity and Access Tools in .NET 4.5) used the ConfigBasedIssuerNameRegistry class to capture the coordinates (issuer name and signing verification key) of trusted issuers. In config it would look as something like the following:

<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, 
    System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
  <trustedIssuers>
     <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" />
  </trustedIssuers>
</issuerNameRegistry>

 

Its semantic is straightforward: if an incoming token is signed with the key corresponding to that thumbprint, accept it (provided that all other checks pass as well!) and use the value in “name” for the “Issuer” property of the resulting claims.

That worked out great for the first generation of identity providers, but as the expressive power of issuers grew (multiple keys, multiple tenants as issuers leveraging the same issuing endpoint and crypto infrastructure) we felt we needed to provide a better issuer name registry canonical class, the ValidatingIssuerNameRegistry (VINR for short).

We already introduced VINR here, hence I won’t repeat the details here. What’s new is that the Identity and Access Tool now uses VINR by default.
If you run the tool against the project containing the settings above, afterwards your config will look like the following:

<!--Commented by Identity and Access VS Package-->
<!--<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, 
System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers><add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" />
</trustedIssuers></issuerNameRegistry>-->
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, 
    System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
 <authority name="LocalSTS">
  <keys>
    <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" />
  </keys>
  <validIssuers>
    <add name="LocalSTS" />
  </validIssuers>
 </authority>
</issuerNameRegistry>

 

Apart from the syntactic sugar, the important difference in semantics between the two is that whereas the ConfigBasedIssuerNameRegistry will just use “LocalSTS” as the Issuer property in the ClaimsIdentity representing the caller, regardless of what the issuer is in the incoming token, VINR will enforce that “LocalSTS” is actually the issuer name in the incoming token. If the issuer in the token is different from the value recorded, ConfigBasedIssuerNameRegistry  will accept the token nonetheless: VINR will refuse it. The stricter validation rules are necessary when working with multitenant STSes, and are not a bad thing for traditional cases either (ADFS2.0 does this consistently).

If for any reasons you rely on the ConfigBasedIssuerNameRegistry more relaxed validation criterion, I would suggest considering whether you can move to a stricter validation mode: but if you absolutely can’t, the tool offers you a way out. In the config tab you will now find the following new checkbox:

image

If you want to go back to ConfigBasedIssuerNameRegistry, all you need to do is unchecking that box and hit OK.

Miscellanea

Here there are few of the most notable fixes we (well, “we”… it actually was Brent Smile) added in this refresh. The list is longer, here I am highlighting just the ones for which we received explicit feedback in the past.

  • <serviceModel> bug. We had a bug for which the Tool would throw if a <serviceModel> element was present in the config; that behavior has been fixed
  • We weren’t setting certificate validation mode to none for the Business STS providers, but we got feedback that self signed certificates are in common use and developers needed to turn off cert validation by hand; hence, we included all providers in the cert validation == none logic and added a comment in the config to clarify that this is for development purposes only.
  • Better support for ACS namespace keys. We did a flurry of improvements there (better cut & paste support, comments, gracefully handling projects for which we don’t have keys, etc)
  • More informative error messages

 

That’s it. We hope that the improvements in this refresh will help you with your apps: please keep the feedback coming!

3 Comments

  1. Pingback: Reference: Identity and access tools refresh - Vibro.NET ----> moved to www.cloudidentity.com!!! - Site Home - MSDN Blogs

  2. Hi,

    I am trying to add ACS on the WCF Service with identity access tool but on dialog its not displaying the third option (Use the windows Azure Access control service).

    Regards,
    Yasir

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *