Showing posts with label authorization. Show all posts

Thursday, August 27, 2015

Setting up delegated authentication between web apps in Azure Active Directory - quirks

When setting up your Azure App ID for your web apps, it's extremely important that you follow the recommended format of "https://<your tenant name>/<your app name>".

Otherwise, delegated authentication will NOT work!!

Wednesday, August 26, 2015

Fixing redirect loops in Azure web apps that use Azure Active Directory for authentication

We've recently been using Azure Active Directory to handle authentication for a bunch of our Line-Of-Business applications that we're moving into the cloud. Unfortunately, we've been noticing that in some circumstances we encounter redirect loops that the browser can't break out of, and I've been scratching my head over it. As it turns out, the loops had a common cause: going to a URL in the application that started with http://.

Since we're all good programmers here ;), we always want to be using best practices and enforcing secure connections anyway, but it also turned out to be the fix: adding [RequireHttps] to the top of our filters list in FilterConfig.cs solved the problem and closed a security hole at the same time.

As for the initial cause: why would anybody be using HTTP anyway? It turns out that HTTP is the default scheme for URLs in the Azure portal when you're viewing the settings for an application, and people were clicking on those links to go straight into the app.

Alex

Monday, May 06, 2013

Journey to robust web services: kick starting use of credentials and certificates for message security, phase I

As any sensible developer of a large-scale system knows, security is paramount. Therefore, encryption of sensitive data is an absolute must, and encryption of all data is recommended, depending on the field in which you're working. Encryption with WCF is baked in and is relatively straightforward to set up, though there are a number of important details to which attention must be paid. The steps are somewhat different depending on whether you're using IIS or a self-hosted service (e.g. in a Windows Service).

If you're using a Windows Service, you'll need to perform the following steps to get started:

  1. Generate a self-signed certificate (which can be done in the Windows Control Panel)
  2. Configure the port to which you're binding the service with the certificate you've just generated, according to this MSDN article
  3. [to be continued]

If you're using IIS, getting started in a development environment is somewhat simpler.
  1. Generate a self-signed certificate with IIS. In most cases, IIS will have a developer certificate already installed that you can use.
  2. Retrieve the thumbprint of the certificate. You'll need this in order for your application to be able to find it at runtime. WARNING: Don't just copy the thumbprint out of the certificate properties window in IIS, because there are non-printing characters in the text control that will cause you problems when you try to paste the thumbprint into your Web.config file. Write them out by hand.
  3. There are two methods you can take for making the certificate available to your WCF service:
    1. Follow the guide here if you want to make the certificate available to your application by code.
    2. Use the information on this page to create a child element underneath a configuration/system.serviceModel/behaviors/behavior/serviceCredentials element.
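The thumbprint warning in step 2 and the "by code" option in step 3 can be combined: strip the hidden characters before looking the certificate up, then attach it to the host. This is an added example, not code from the original post; the class name is an assumption, and it targets a self-hosted ServiceHost rather than IIS.

```csharp
// Added example (not from the original post): normalise a thumbprint pasted from the
// Windows certificate properties window and attach the matching certificate to a
// self-hosted WCF ServiceHost. The class name is an assumption for illustration.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

public static class ServiceCertificateSetup
{
    // Keeps only hex digits. This drops spaces and the invisible characters (commonly
    // U+200E, the left-to-right mark) that the certificate properties window embeds in
    // the thumbprint text and that make X509FindType.FindByThumbprint lookups fail.
    public static string NormalizeThumbprint(string raw)
    {
        if (raw == null) throw new ArgumentNullException("raw");
        string hex = new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        if (hex.Length != 40 && hex.Length != 64) // SHA-1 or SHA-256 thumbprint
            throw new ArgumentException("Thumbprint is not 40 or 64 hex characters: " + raw);
        return hex;
    }

    // Finds the certificate in the machine store by thumbprint and assigns it as the
    // service credential, which is what the serviceCredentials config element does.
    public static X509Certificate2 ConfigureServiceCertificate(ServiceHost host, string rawThumbprint)
    {
        string thumbprint = NormalizeThumbprint(rawThumbprint);
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so a self-signed development certificate is still found
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count != 1)
                throw new InvalidOperationException(string.Format(
                    "Expected exactly one certificate with thumbprint {0}, found {1}",
                    thumbprint, matches.Count));
            host.Credentials.ServiceCertificate.Certificate = matches[0];
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Requiring exactly one match catches the case where a renewed certificate and its predecessor both sit in the store, so the service never silently picks the wrong one.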