tag:blogger.com,1999:blog-32650689113037730942024-03-18T22:41:57.229-07:00Apollo JackOne developer’s foray into the realms of FIM/MIM, Workflow, Directories, Security and anything else that happens by.Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.comBlogger30125tag:blogger.com,1999:blog-3265068911303773094.post-71261519612989883442013-05-09T18:57:00.001-07:002013-05-14T15:50:52.049-07:00Adding Attributes to the FIM MV Schema Programmatically<p>Adding new attributes programmatically to the Metaverse is currently not supported by FIM in any of its forms, however, if you are willing to take the chance and make the changes needed directly to the database, this is possible.  This isn't necessary recommended and it is definitely not for the faint of heart. However, if you are determined to give it a try, here is what you have to do. First, make a backup of your database, then:</p> <p>For single-valued non-reference attributes:</p> <ol> <li>Add a column to the mms_metaverse table with the appropriate name and data type </li> <li>Add a column to the mms_metaverse_lineagedate table with the appropriate name and a data type of datetime </li> <li>Add a column to the mms_metaverse_lineageguid table with the appropriate name and a data type of uniqueidentifier </li> <li>If you want the attribute to be indexed - add a new non-unique, non-clustered index to the mms_metaverse table with the name IX_mms_metaverse<attributeName> </li> </ol> <p>Then, for all attributes (single or multi, reference or not) you will then need to:</p> <ol> <li>Update the mv_schema_xml column of the mms_server_configuration </li> <li>Close the client, restart the Sync Service and re-open the client </li> </ol> <p>I have only done some preliminary testing, but so far it has worked okay. I have worked out a SQL Script to help you through the process.  Its called MVAttributeCreationScript.sql and you an download it from <a title="http://sdrv.ms/11oBRr8" href="http://sdrv.ms/11oBRr8">http://sdrv.ms/11oBRr8</a>.</p> <p>If you are uncomfortable attempting to update the schema in this fashion, there are a couple of other possibilities. However, these also carry their own risks:</p> <ol> <li>Export the MV Schema, update the xml export file and then re-import it </li> <li>Create a key stroke script to perform the updates through the UI as a user would </li> </ol> <p>I will create some additional blog posts to expound on these two methods a little bit further, so be on the lookout!</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com1tag:blogger.com,1999:blog-3265068911303773094.post-81442269507034457882013-05-08T16:29:00.000-07:002013-05-08T16:29:22.457-07:00Now On TwitterYou can now follow my escapades on Twitter.
<br /> <br />
<a href="https://twitter.com/_ApolloJack_" class="twitter-follow-button" data-show-count="false" data-size="large" data-show-screen-name="true">Follow @_ApolloJack_</a>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-15430868085782586242013-03-27T13:53:00.001-07:002013-03-27T15:50:54.102-07:00The Last FIM Metaverse Extension You Will Ever Need<p>The third tool in the “The Last of” series is really another option for codeless provisioning (with out having to go to the FIM Service/Portal).  The Last FIM Metaverse Extension You Will Ever Need takes advantage of the configuration of a special MA to determine the initial flows needed to provision a new object.  This is done in two parts.  Here’s how it works.  </p> <p><strong>The Provisioning Management Agent <br /></strong>You will need to create an MA a special MA of type “Provisioning Management Agent (Insight)”.  This is an ECMA that inspects the configuration of the FIM Synch engine, allowing you to use the UI to define the provisioning rules for the other MAs in the environment.  You will not create run profiles for this MA, it will never be executed in that manner. <br /> <br />First, make sure you install the packaged Provisioning MA and the Insight.FIM.CodelessProvisioning.dll from <a href="http://fimmv.codeplex.com">http://fimmv.codeplex.com</a>. Now, when configuring the MA, the first thing you will need to do (after giving it a name) will be to use the Connectivity tab to enable provisioning.  You can do this by MA and by MA object type.  One nice thing about this set-up, you can selectively turn on and off provisioning with out having to change any of the flow rules defined.  In this example, I have two MAs, the HR MA with one object type of person and a CRM MA with two types, person and group: <br /><a href="http://lh3.ggpht.com/-fIJ3RzXkXKY/UVNcOEtPoXI/AAAAAAAAASk/60ACB9DdmxE/s1600-h/image%25255B33%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-2HynqKXcD8g/UVNcOsQlIsI/AAAAAAAAASo/LJSuJHy4J0E/image_thumb%25255B21%25255D.png?imgmax=800" width="468" height="350" /></a></p> <p>I have enabled provisioning for person objects in the HR MA and then clicked Next. Then, I clicked Next on the Configure Partitions and Hierarchies tab, we will be using the default values. <br /> <br />On the Object Types tab, you will see a list of Management Agents.  In essence, what this page is asking you is which MAs you want to define provisioning rules for.  At a minimum you will want to select the MAs that have at least item selected from the Connection tab. In this case I am going to define provisioning rules for the HR MA, which I have enabled for provisioning.  Additionally, I could define rules for the CRM MA if I plan on enabling it at some point in the future: <br /><a href="http://lh5.ggpht.com/-XPFGWIlo_bY/UVNcOy6GNMI/AAAAAAAAASs/7YQAcSuZSaQ/s1600-h/image%25255B32%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-ttlca3wiqSo/UVNcPXaR-ZI/AAAAAAAAASw/xN3GS3BwNOA/image_thumb%25255B20%25255D.png?imgmax=800" width="468" height="350" /></a></p> <p>On the next tab, you will want to select the attributes that you are going to define initial flows for.  At a minimum you will need to check the attribute “Anchor”.  I have selected a few of the basic attributes I want to set during provisioning: <br /><a href="http://lh6.ggpht.com/-1jHpomJenVE/UVNcP1oLT8I/AAAAAAAAAS0/W05GEH-mAlk/s1600-h/image%25255B31%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-rZM3eH7otZg/UVNcQQyeMWI/AAAAAAAAAS4/UAcemaL16po/image_thumb%25255B19%25255D.png?imgmax=800" width="468" height="354" /></a></p> <p>Next is the Anchors tab, leave the default values (Anchor attribute = Anchor) and click Next.</p> <p>You should now be on the Configure Connector Filter tab, the provisioning code currently does not use this tab, but that could be a useful enhancement in the future.  Leave the filters blank and click Next.</p> <p>Ditto with the Join and Project Rules, these won’t be used, leave them blank and click Next.</p> <p>Now comes the interesting tab.  On the Attribute Flow section, define the flows that you want as your initial flows as Export flows for the MA and object type.  For example, if I want the ID, DisplayName, Email, FirstName and LastName set on a new HR MA person when the object is provisioned, I will define an Export flows for each of those: <br /><a href="http://lh3.ggpht.com/-qmE4HdcQqAs/UVNcQxI8hiI/AAAAAAAAAS8/KSMdYbSZAyU/s1600-h/image%25255B27%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-8abUUEAQR78/UVNcRQp9kxI/AAAAAAAAATA/PHXFFDHinJo/image_thumb%25255B15%25255D.png?imgmax=800" width="468" height="353" /></a></p> <p>Currently, only direct and constant flows are supported.  Although I am working on adding Advanced flows via the same mechanism as <a href="http://www.apollojack.com/2013/02/the-last-fim-management-agent-rules.html">The Last FIM Management Agent Rules Extension You Will Ever Need</a> in which the C# code that defines the advanced flow is placed directly in the Flow rule name.  Click Next when done defining the flow rules.</p> <p>Click Next through the Deprovisioning and Extensions tab (you may need to provide a dll for the Rules extension name, you can simply use the Insight.FIM.CodelessProvisioning.dll).    That’s it!  You should now see your new Provisioning MA in the Sync client.  Don’t create more than one of these, currently only the first Provisioning MA found will be used.</p> <p>Unfortunately, should you rename one of the MAs configured, you will need to update the schema of the Provisioning MA and then redefine the flow rules.</p> <p><strong>The Metaverse Extension <br /></strong>Okay, now all you need to do get this working is set the Metaverse Rules Extension to use Insight.FIM.CodelessProvisioning.dll and enable it: <br /><a href="http://lh5.ggpht.com/-WSJydELb1wA/UVNcR7lWoUI/AAAAAAAAATE/Pawlme6vH0A/s1600-h/image%25255B30%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-Ddm8dMgagXo/UVNcSaFqQHI/AAAAAAAAATI/x-jhoRABvuY/image_thumb%25255B18%25255D.png?imgmax=800" width="379" height="329" /></a></p> <p>Here’s what happens next.  When the provisioning code runs, it will go and look for a Provisioning MA.  It will then transverse the configuration of the MA to determine which objects to create and which flows to apply.  In this example, the provisioning code will see that I need to provision a new HR MA object of type person and set the ID, DisplayName, Email, FirstName and LastName on the object using the flow rules I defined. <br /><a href="http://lh4.ggpht.com/-QZfGqDoQRQI/UVN3mqJKkmI/AAAAAAAAATU/YmjFZKuvAKQ/s1600-h/image%25255B6%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-6hw1jfGW680/UVN3nK2Sb1I/AAAAAAAAATc/bNSHI2qzTG8/image_thumb%25255B4%25255D.png?imgmax=800" width="468" height="304" /></a></p> <p>Its an interesting concept and provides a well known UI to set up codeless provisioning without the overhead of the FIM Service.  </p> <p>Let me know what you think!</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-60517170575568276982013-02-19T08:48:00.001-08:002013-02-19T09:02:50.348-08:00The Last FIM Management Agent Rules Extension You Will Ever Need<p>For the next in the Last FIM series, I extended the concept introduced in <a href="http://www.apollojack.com/2012/02/last-fim-workflow-you-will-ever-need.html">The Last FIM Workflow You Will Ever Need</a> to the Synchronization Engine.  In this case, this Management Agent Extension will take the Attribute Flow Name provided, compile it and run it like code.  So as an example, if you were creating an import flow to displayName and wanted to calculate it by concatenating  firstName + " " + lastName from the connector space, you could do the following as the Flow rule name: mventry[“displayName”].Value = csentry[“FirstName”].Value + " " + csentry[“LastName”].Value:</p> <p><a href="http://lh5.ggpht.com/-sUHOayDFeb4/USOs2ucvseI/AAAAAAAAAQU/YaBBTHTMoWY/s1600-h/image%25255B10%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-5QjQcyo-zuM/USOs23slqfI/AAAAAAAAAQc/x7JVVUzJ2c4/image_thumb%25255B6%25255D.png?imgmax=800" width="346" height="246" /></a></p> <p>In order to make this work, download and install the CodePlex project from <a href="http://fimma.codeplex.com">http://fimma.codeplex.com</a>, then reference the Insight.FIM.CodelessSync.dll on the MA Extensions tab:</p> <p><a href="http://lh3.ggpht.com/-8xeLyIagUsc/USOs3WY6oTI/AAAAAAAAAQk/0zV5QNbASDo/s1600-h/image%25255B9%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-mbpAqb2lluQ/USOs3iFaOVI/AAAAAAAAAQs/XvJ74a-9ylc/image_thumb%25255B5%25255D.png?imgmax=800" width="544" height="206" /></a></p> <p>A few things to note, currently the code that you can place in the Flow rule name is limited to a single line, so only fairly simple calculations can be performed, but it may keep you from having to go to the Portal for "codeless" sync rules.  Only C# syntax is currently accepted, although a VB version could be written.  There may also be some value in writing a version that uses its own simplified syntax.  Only reference the .Value property of any mventry or csentry attribute.  The extension will inspect the data type to determine how to handle it from there.  Also, this can be nicely combined with an existing MA Extension code you might have, simply use it as your default call on your switch statement for import or export flow code:</p> <table border="0" cellspacing="0" cellpadding="2" width="90%"><tbody> <tr> <td valign="top" width="36"> </td> <td bgcolor="#c0c0c0" valign="top"> <p><font size="2" face="Garamond"><p> public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry) <br />       { <br />           switch (FlowRuleName) <br />           { <br />               case "existingFlowName": <br />                   //existing code <br />                   break; <br />               default: <br />                   runCommand(FlowRuleName, mventry, csentry, "mventry"); <br />                   break; <br />           }            <br />       }</p></font></p></td></tr></tbody></table> <p>The extension is fairly new, so may still need some tweaking, but I wanted to get it out to the community for your feedback and contributions.  Let me know what you think!</p> <p>Also, be on the watch for the next in the Last FIM series, The Last FIM Metaverse Extension You Will Ever Need.</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com2tag:blogger.com,1999:blog-3265068911303773094.post-23163091766389766612013-02-19T07:48:00.001-08:002013-02-19T09:18:47.880-08:00The Last FIM Workflow You Will Ever Need, Part 2<p><a href="http://www.apollojack.com/2012/02/last-fim-workflow-you-will-ever-need.html">A year ago I introduced the idea of a FIM Workflow that would allow you to use the UI to write the code that you wanted executed at run time</a>. Since then I have updated the workflow to allow you to also specify additional references and using/import statements.  </p> <p><a href="http://lh4.ggpht.com/-MDMyWznIg1c/USOe1eKjwkI/AAAAAAAAAOk/JpZk1mN511U/s1600-h/image%25255B6%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-9brqJi1jX_Q/USOe19OyCqI/AAAAAAAAAOs/KJT1TFTLbec/image_thumb%25255B8%25255D.png?imgmax=800" width="644" height="271" /></a> <a href="http://lh4.ggpht.com/-wWSbre-SmJE/USOe2GR0ONI/AAAAAAAAAO0/MRQZz8qlspY/s1600-h/image%25255B10%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/-NeJGXtw2dBI/USOe2aqmVfI/AAAAAAAAAO8/bGgciRBCMjE/image_thumb%25255B10%25255D.png?imgmax=800" width="644" height="253" /></a></p> <p>I also got approval to upload the project to CodePlex so that you can have access to it.  Check it out at <a href="http://fimwf.codeplex.com">http://fimwf.codeplex.com</a> and let me know what you think!</p> <p>Be on the lookout for the next item in Last FIM series,<a href="http://www.apollojack.com/2013/02/the-last-fim-management-agent-rules.html">the Last FIM Management Agent Rules Extension You Will Ever Need</a>.</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-79610194307074402012013-01-21T15:39:00.001-08:002013-01-21T16:14:01.644-08:00FIM 2010 R2 Lab on Windows 7<p>I recently went about building out a FIM Lab on Windows 7 (64 bit).  Its completely unsupported, but in case it helps anyone, here is what I had to do.</p> <p>With the basic FIM 2010 R2 installation instructions in mind, I began by installing IIS and SQL Server 2008 R2 on my Windows 7 machine.  Since this environment is just for my own personal lab use, I created all of the needed users and groups locally on the box.  Now comes the first challenge, getting SharePoint installed which requires a Server OS.  In order to install WSS, I downloaded and installed a neat little application called <a href="http://community.bamboosolutions.com/blogs/bambooteamblog/archive/2008/05/21/how-to-install-windows-sharepoint-services-3-0-sp1-on-vista-x64-x86.aspx">WSSOnVista from Bamboo Nation</a>. This application uses API hooking to intercept the <a href="http://msdn.microsoft.com/en-us/library/ms724451(VS.85).aspx">GetVersionEx</a> call, fooling the install into believing its running on Windows Server. I used WSSOnVista to install <a href="http://www.microsoft.com/en-us/download/details.aspx?id=5719">WSS 3.0 with SP2</a>.  Be sure to follow the instructions listed on the Bamboo Nation site, including using the WSS Advanced install option and selecting the Web Front End server type.</p> <p>You will then need to download and install <a href="http://www.technipages.com/download-orca-msi-editor.html">Orca</a>.  You can use Orca to edit the FIM MSI packages, removing the server version checking requirements. You will need to copy the FIM install bits to some media that they can be edited (like a local drive).  Begin by right clicking the Synchronization Service.msi file and then selecting the “Edit with Orca” option.  You will then need to locate and remove the server OS version Launch Condition.  Right click the appropriate Row and click on the Cut Row(s) or Drop Row option:</p> <p><a href="http://lh6.ggpht.com/-3efL52Lm6JM/UP3RxRM_WwI/AAAAAAAAANI/41mFN4KodQg/s1600-h/image%25255B10%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 40px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-RGe466JJJok/UP3Rxz0tqkI/AAAAAAAAANM/LR_Vw5DYqs8/image_thumb%25255B6%25255D.png?imgmax=800" width="689" height="361" /></a></p> <p>Save your changes and launch the Synchronization Service.msi and install as you normally would.  You will need to perform a similar action on the Service and Portal.msi file, however, this time you are looking for the OSCheck under the CustomAction table.</p> <p><a href="http://lh3.ggpht.com/-ZZp6UPmJbbA/UP3S5zN2RlI/AAAAAAAAANQ/nQx8Nnf-XR8/s1600-h/image%25255B8%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 40px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/-A9AVE-NUhEI/UP3S9cLBCXI/AAAAAAAAANc/9MF6ajDPt0s/image_thumb%25255B4%25255D.png?imgmax=800" width="692" height="360" /></a></p> <p>Again, save the changes made to the msi file and then use it to install the FIM Service and Portal as you normally would.</p> <p>I haven’t encountered any issues running on Windows 7 yet, but will update this article if any come up.</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com2tag:blogger.com,1999:blog-3265068911303773094.post-23275591446430674232012-03-31T20:09:00.001-07:002012-03-31T20:11:45.067-07:00FIM PCNS And A Lack of Trust<p>If you read through the FIM documentation for setting up PCNS, you will find that either FIM and PCNS need to be in the same forest or be part of a forest trust. From <a title="http://technet.microsoft.com/en-us/library/cc720594(v=ws.10).aspx" href="http://technet.microsoft.com/en-us/library/cc720594(v=ws.10).aspx">http://technet.microsoft.com/en-us/library/cc720594(v=ws.10).aspx</a>:</p> <table border="0" cellspacing="0" cellpadding="2" width="90%"><tbody> <tr> <td valign="top" width="36"> </td> <td bgcolor="#c0c0c0" valign="top"> <p><font size="2" face="Garamond">Forest trusts are only required if PCNS and ILM 2007 are located in different forests. If this is the case, a forest-level trust must be established. This is required for Kerberos mutual authentication for the ILM 2007 server to accept the request from a remote forest host.</font></p> </td> </tr> </tbody></table> <p>This can become extremely limiting, especially if both forests do not have the proper forest and domain levels.  Theoretically, however, it’s possible to make Kerberos work over an External Trust (<a title="http://blogs.technet.com/b/activedirectoryua/archive/2010/08/04/conditions-for-kerberos-to-be-used-over-an-external-trust.aspx" href="http://blogs.technet.com/b/activedirectoryua/archive/2010/08/04/conditions-for-kerberos-to-be-used-over-an-external-trust.aspx">http://blogs.technet.com/b/activedirectoryua/archive/2010/08/04/conditions-for-kerberos-to-be-used-over-an-external-trust.aspx</a>).  With an External Trust, we don’t have any of the same forest functional level restrictions, opening up PCNS as a viable option for more customers.  I would love to know if anyone has been able to get PCNS working in this configuration.  In the mean time, I will have to set up a lab and try it out.  I will report back on the results and let you know! </p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-2730581968806666572012-02-24T13:19:00.000-08:002013-03-27T01:10:11.234-07:00The Last FIM Workflow You Will Ever Need<p>Okay, probably not, but its still pretty cool.  I recently built a Workflow in FIM that will allow a user to define the code they want executed at run time.  The Workflow will compile the code and run it in a separate app domain when its initiated (<a title="http://www.west-wind.com//presentations/dynamicCode/DynamicCode.htm" href="http://www.west-wind.com/presentations/dynamicCode/DynamicCode.htm">http://www.west-wind.com/presentations/dynamicCode/DynamicCode.htm</a>).  The UI will allow you to specify the input parameters and where the result of the code execution will go.  Here is a simple example, I am passing in the first and last name from the target of the request, I am also passing the the mail host that I have calculated in a previous step and saved to WorkflowData.  I am then using the code to calculate the user’s email address and save it to the email parameter on the target:</p><p><a href="http://lh5.ggpht.com/-gudFHETMPLU/Tz1_XPSPJfI/AAAAAAAAAMQ/cUPbCUHkoBI/s1600-h/image%25255B35%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-VyIJzZeKj08/Tz1_Y3Dh8yI/AAAAAAAAAMU/JPVYhdk49iM/image_thumb%25255B47%25255D.png?imgmax=800" width="640" height="367" /></a><a href="http://lh4.ggpht.com/-qeINh_n_vSQ/Tz1_ZuCIsKI/AAAAAAAAAMY/yglo0eH-rcM/s1600-h/image%25255B36%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-p0xNn85F7b0/Tz1_aCBjk-I/AAAAAAAAAMc/fb3ThBNHk7U/image_thumb%25255B48%25255D.png?imgmax=800" width="640" height="379" /></a></p><p>You can add and remove input parameters as needed during design time and then refer to them in the code using their specified index. I expect in future releases to be allow the user to specify additional namespaces and code references to import. It currently won’t do any syntax checking or formatting at design time, but otherwise its extremely versatile and flexible!  </p><p>UPDATE: <a href="http://www.apollojack.com/2013/02/the-last-fim-workflow-you-will-ever.html">Check out Part 2 of this article for the latest information and download instructions!</a></p>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com1tag:blogger.com,1999:blog-3265068911303773094.post-70317459993739012662012-01-13T09:34:00.002-08:002012-02-24T13:18:22.085-08:00Sun One Boolean Attributes<p>Recently while working with the Sun One MA, I came across a problem caused by how FIM interprets boolean data coming from the directory.  In this case, the Sun One directory stores its boolean data as “YES” or “NO”, however when imported by FIM, this data always gets converted to False in the connector space.  (<a title="http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/8ffc112e-d945-4916-83b3-78fbba716705" href="http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/8ffc112e-d945-4916-83b3-78fbba716705">http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/thread/8ffc112e-d945-4916-83b3-78fbba716705</a>)</p><p>Now we can’t use an advance import flow to correctly convert the data as it comes into the Metaverse because we have already lost data integrity.  The data that’s in the connector space is basically useless.  This only leaves us with a couple of options, we can write an XMA to correctly handle the data, but this can be fairly complicated.  We can also update the directory schema and use a string instead of a boolean, however, this could cause other downstream issues with other systems that might be consuming this data.  There is one other option, but its completely unsupported.  You could update the FIM database to make the system think this attribute is a string.  </p><p>Begin by running the following SQL Statement using the SQL Server Management Studio against your FIM database:</p><blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px"><font size="2" face="Consolas">SELECT CAST(ma_schema_xml AS XML)    <br />
  FROM FIMSynchronizationService.dbo.mms_management_agent <br />
 WHERE ma_name = '<Sun One MA Name Here>'</font></blockquote><p>In the results window you will get a single record that can be clicked on to open an xml document containing the schema for your Sun MA. Each attribute in the directory will appear using this syntax: </p><p><blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px"><font size="2" face="Consolas"><attribute-type id="system_assigned_id" single-value="true/false"> <br />
     <name>attribute_name</name> <br />
     <syntax>LDAPv3_syntax_oid</syntax> <br />
</attribute-type></font></blockquote></p><p>If you do a quick search (Ctrl+F) for your attribute, you can manually update the <a href="http://www.alvestrand.no/objectid/1.3.6.1.4.1.1466.115.121.1.html" target="_blank">LDAP Syntax OID</a> from a boolean (<a href="http://www.alvestrand.no/objectid/1.3.6.1.4.1.1466.115.121.1.7.html">1.3.6.1.4.1.1466.115.121.1.7</a>) to a string (<a href="http://www.alvestrand.no/objectid/1.3.6.1.4.1.1466.115.121.1.15.html">1.3.6.1.4.1.1466.115.121.1.15</a>).  In my case, the new XML looked like:</p><p><blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px"><font size="2" face="Consolas"><attribute-type id="Ah" single-value="true"> <br />
     <name>isManager</name> <br />
     <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax> <br />
</attribute-type></font></blockquote></p><p>I then used an update statement to write this information back to the database.  After performing a full import on this MA the connector space now reflected this data as a string of “YES” or “NO” just as it appears in the directory.  Now that the connector space had data I could work with, I wrote a quick advanced import flow rule to transform this value to a boolean:</p><p><blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px"><font size="2" face="Consolas">case "isManager": <br />
<br />
   //perform conversion for isManager from yes/no to boolean value <br />
   if (csentry["isManager"].IsPresent) <br />
   { <br />
      if (csentry["isManager"].Value.Equals("yes", StringComparison.InvariantCultureIgnoreCase)) <br />
      { <br />
         mventry["isManager"].BooleanValue = true; <br />
      } <br />
      else <br />
      { <br />
         mventry["isManager"].BooleanValue = false; <br />
      } <br />
   } <br />
   break;</font></blockquote></p><p>This approach does have its risks.  It will need to be re-done after performing a schema refresh in FIM and there is no guarantee it will keep working after an upgrade/patch.   The following SQL query could be used to script out this update, just replace the attributeName and SunOneMA variables and you should be good to go:</p><p><blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px"><font size="2" face="Consolas">DECLARE @attributeName AS Varchar(255) = '<Attribute Name Here>' <br />
DECLARE @SunOneMA AS Varchar(255) = '<Sun One MA Name Here>' <br />
DECLARE @newSchemaOID AS Varchar(255) = '1.3.6.1.4.1.1466.115.121.1.15' --Directory String <br />
<br />
-- get schema data <br />
DECLARE @schema AS XML <br />
<br />
SELECT @schema = CAST(ma_schema_xml as xml) <br />
  FROM FIMSynchronizationService.dbo.mms_management_agent <br />
 WHERE ma_name = @SunOneMA <br />
<br />
-- update schema type <br />
SET @schema.modify(' <br />
   declare default element namespace http://www.dsml.org/DSML; <br />
   replace value of <br />
      (dsml/directory-schema/attribute-type[name=sql:variable("@attributeName")]/syntax/text())[1] <br />
   with <br />
      sql:variable("@newSchemaOID") <br />
   ') <br />
<br />
-- save back to table <br />
UPDATE FIMSynchronizationService.dbo.mms_management_agent <br />
   SET ma_schema_xml = CONVERT(nvarchar(MAX), @schema) <br />
 WHERE ma_name = @SunOneMA</font></blockquote></p>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-26782466714449661742011-09-20T11:16:00.001-07:002011-09-20T11:40:56.035-07:00Ensynch Joins Insight!<p>We are very excited about the union of Insight and Ensynch and the benefits that it will bring to our clients. Both companies are focused on helping our clients find innovative, cost effective solutions to address business needs. Bringing Ensynch into the Insight organization will offer clients more robust software services, particularly around Microsoft Enterprise Agreements, as well as improved services delivery, enhanced virtualization and cloud capabilities and solution-focused approach to software sales. This acquisition will further simplify our clients’ ability to acquire, procure, implement and manage IT solutions across their technology environment.</p><p>For more information, read the press release <a href="http://www.ensynch.com/Lists/Announcements/BrandedDisplay.aspx?ID=34">here</a>, visit <a href="http://www.insight.com">www.insight.com</a> or <a href="http://www.ensynch.com">www.ensynch.com</a>, or contact me with any questions.</p>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-51664334065735333722011-07-27T12:47:00.001-07:002012-01-13T10:27:59.095-08:00FIM 2010 and Language Types<p>Recently, while working with <a href="http://www.boothbilt.com/blog/" target="_blank">James</a> we had to support synchronization of identity data that used language types/codes.   Here’s a little background…</p><p>Directories that support <a href="http://tools.ietf.org/html/rfc3866" target="_blank">RFC 3866</a> (in this case Sun One) allow you to specify the language of an attribute’s value.  Here’s a simple example, say your company has a presence in the States and in Germany and you want to be able to store the user’s title “Software products” in both English and German, you can do that like this:</p><p>title;lang-en: Software products <br />
title;lang-de: Softwareprodukte </p><p>Now, FIM will support reading these attributes out of the directory and storing them into the CS, up to a point.  If you were to import this attribute, what you would get is a single multi-valued title attribute with both values, at which point you have lost all of the language information:</p><p><a href="http://lh4.ggpht.com/-NI4DWK0TkSY/TjBrQdyyAEI/AAAAAAAAAKc/NrDRtbPYbs4/s1600-h/image%25255B14%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="XMA Import" border="0" alt="XMA Import" src="http://lh4.ggpht.com/-3is0dgvDt2M/TjBrRDffW7I/AAAAAAAAAKg/ccAsAxQMhGY/image_thumb%25255B19%25255D.png?imgmax=800" width="719" height="565" /></a></p><p><br />
In order to preserve this information, we ended up writing our own XMA to bring in the attribute with its language type as an attribute in its own right.  So using the DirectoryServices (or DirectoryServices.Protocols, if you prefer) namespace we were able to access the directory and retrieve the full name of the attribute, we then wrote this out to our file so that FIM would see them as different items. (If you end up writing your XMA using the LDIF file format, like we did, you will have to actually transform the attribute name on the way out to the file to remove/replace the “;” or you will continue to have the issue above!)</p><p><a href="http://lh3.ggpht.com/-18b-JCMF2aQ/TjBrRnkYxLI/AAAAAAAAAKk/EG1oZbDZa2E/s1600-h/image%25255B21%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="XMA with Language Code Support" border="0" alt="XMA with Language Code Support" src="http://lh6.ggpht.com/-9QQ9VAUlTzQ/TjBrSB7lnoI/AAAAAAAAAKo/JR_PHSo6lq8/image_thumb%25255B29%25255D.png?imgmax=800" width="723" height="614" /></a></p><p><br />
We can now flow these attributes with the language information intact to other downstream systems.</p>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com1tag:blogger.com,1999:blog-3265068911303773094.post-58122474455510056282011-07-26T15:49:00.001-07:002011-07-26T17:48:40.570-07:00XMA Creation Feature<p>So recently while creating some XMAs for FIM 2010 I noticed that while the initial creation page looked like this:</p> <p><a href="http://lh5.ggpht.com/-4uL9pMcFfi0/Ti9EhEt5e_I/AAAAAAAAAKM/xWDya_mtvdQ/s1600-h/image001%25255B30%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="XMA Initial Creation" border="0" alt="XMA Initial Creation" src="http://lh5.ggpht.com/-dl56XYHGXoM/Ti9EhSpAqvI/AAAAAAAAAKQ/U-Ul2nvumJg/image001_thumb%25255B28%25255D.png?imgmax=800" width="541" height="404" /></a></p> <p>When I opened the XMA after it was created I got:</p> <p><a href="http://lh5.ggpht.com/-qGVx7bSKm68/Ti9EhrpfeQI/AAAAAAAAAKU/rJCzXhYaIHE/s1600-h/image003%25255B5%25255D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="XMA After Creation" border="0" alt="XMA After Creation" src="http://lh6.ggpht.com/-Qa0CHO_PqBo/Ti9Eh1ZbCTI/AAAAAAAAAKY/POhQCUDWMKI/image003_thumb%25255B3%25255D.png?imgmax=800" width="541" height="413" /></a></p> <p>“One of these things is not like the others….”  Even though I didn’t select the checkbox for the “Run this management agent in a separate process” option, the FIM Sync Engine created it that way.  It will remember the setting from this point in, but if you forget, this can make attaching the debugger and stepping into your code a little more difficult.  (Just as any FYI, I usually do turn this feature on when I am running the XMA in a QA/Production environment to minimize the chance that I could bring done the main sync miiserver process).  This only appears to be an issue the XMA, I haven’t noticed this issue with any of the other MA types.</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com2tag:blogger.com,1999:blog-3265068911303773094.post-79123367606142901852011-06-15T12:13:00.001-07:002011-06-15T12:15:35.332-07:00Exchange Room Resources<p>Recently while trying to provision Room Resource Mailboxes via FIM, or more specifically I was setting their Access Booking Policies via the Set-CalendarProcessing command in a PowerShell Workflow, I received the following error:</p> <blockquote> <p><font color="#ff0000">The values for ResourceMake, ResourceModel, and ResourceType must be included in the ResourceProperties collection.</font></p> </blockquote> <p>You may also see this error if you try to open the object in the Exchange Management Console and try to save it.  </p> <p>Upon further inspection, the issue appeared because the msExchResourceSearchProperties attribute didn’t contain the resource type, in this case “Room”, anywhere in the multi-valued list.  After manually adding this value to the existing list, this issue was resolved.  Since we are getting this list from user input in the portal, a more permanent solution will involve adding a Workflow to ensure that “Room” appears in this list when we add/update it in the portal.</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-12392253461761700162011-05-26T09:29:00.001-07:002012-01-13T10:27:00.588-08:00TEC 2011<p>For those of you who were able to make it to my presentation at TEC 2011 (State side), I promised a blog entry going into some more technical detail on the Ensynch Accelerated SQL XMA (coming soon).  If you are interested in the slides I presented you can get them <a href="http://cid-3a8dcbe427b2ccee.office.live.com/view.aspx/Public/Ensynch%20Accelerated%20SQL%20XMA.pptx" target="_blank">here</a>.  Jeremy also had another suggestion that I will be trying out, so keep an eye out, I will let you know how it goes!</p>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com1tag:blogger.com,1999:blog-3265068911303773094.post-66427708903403340442011-05-25T17:15:00.001-07:002012-01-13T10:30:32.511-08:00Custom Attributes in a Function Evaluator Workflow Activity (or lack there of)<p>Okay, so <a href="http://social.technet.microsoft.com/Forums/en-US/ilm2/thread/eec8e249-fe28-45d5-8234-16a05104ec8b" target="_blank">as some of you have found out</a> if you bind a custom attribute to a custom resource in FIM, those attributes don’t show up in the Function Evaluator Workflow Activity drop-downs here:</p> <p> <a href="http://lh5.ggpht.com/-cUEHpcLMJ7g/Td2bsey-wWI/AAAAAAAAAFM/NQbcB1LP-UE/s1600-h/image%25255B18%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-rht3rTyTKdc/Td2bsgghE8I/AAAAAAAAAFQ/K30Q0Wj7PF4/image_thumb%25255B21%25255D.png?imgmax=800" width="457" height="314" /></a></p> <p>or here:</p> <p><a href="http://lh4.ggpht.com/-pLT9Bk6zqZE/Td2btOEGgAI/AAAAAAAAAFU/JfshzWVcSlQ/s1600-h/image%25255B17%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/-0DCdhsMh--0/Td2btW7TQfI/AAAAAAAAAFY/woiKmCSoD_U/image_thumb%25255B20%25255D.png?imgmax=800" width="463" height="306" /></a></p> <p>There are two ways to go about fixing this, you can bind the custom property to a “known” resource type, like user.  Or you can skip the lookup and go ahead and reference them anyway using the CustomExpression option.  This will mean hand typing the attribute name into the Destination and Custom Expression fields, but it will keep your bindings cleaner:</p> <p><a href="http://lh5.ggpht.com/-p0Ow7Er5kYQ/Td2bt6REbpI/AAAAAAAAAFc/t1rRQ76V_Ms/s1600-h/image%25255B26%25255D.png"><img style="background-image: none; border-right-width: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto; padding-top: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/-Kh2E0sVT1S8/Td2buE-P66I/AAAAAAAAAFg/5CxsWvZ4JyY/image_thumb%25255B32%25255D.png?imgmax=800" width="470" height="234" /></a></p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-26092930616724222332011-04-22T17:01:00.001-07:002011-04-22T20:55:56.648-07:00File Based Management Agents In MIIS/ILM/FIM<span xmlns="xmlns"> <p><span style="font-family: times new roman; font-size: 12pt"><font size="2" face="Georgia">I had a recent need to really compare the capabilities of each of the file based Management Agents in FIM.  Can you name all five? Don't worry, I won't leave you hanging, they are: <br />
</font></span></p><ul><li><font size="2">Attribute-value pair text file </font></li>
<li><font size="2">Delimited text file </font></li>
<li><font size="2">Directory Services Markup Language (DSML) 2.0 </font></li>
<li><font size="2">Fixed-width text file </font></li>
<li><font size="2">LDAP Data Interchange Format (LDIF) </font></li>
</ul><p><span style="font-family: times new roman; font-size: 12pt"><font size="2" face="Georgia">Here are some of the things that they can and can't do (this is for you <a href="http://c--shark.blogspot.com/">Joe</a>) and just for kicks, I also added in the SQL MA. If you are using one of these file types in an Extensible Management Agent (XMA), the following still applies:  <br />
<br />
</font></span></p><p><table style="border-collapse: collapse" border="0" width="80%"><colgroup><font face="Georgia"><font size="2"></font></font></colgroup><tbody valign="top">
<tr style="background: #b8cce4"> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px"><font size="2" face="Georgia"> </font></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><strong><font size="2" face="Georgia">Multi-valued Attributes</font></strong></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><strong><font face="Georgia"><font size="2">Attribute Level Updates <sup>1</sup></font></font></strong></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><strong><font face="Georgia"><font size="2">Multi-valued Level Attribute Updates <sup>2</sup></font></font></strong></span></p></td> </tr>
<tr> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #365f91" nowrap="nowrap"> <p><span style="font-family: times new roman; color: white; font-size: 12pt"><font size="2" face="Georgia">Attribute-value pair</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">YES</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">NO</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">NO</font></span></p></td> </tr>
<tr> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #365f91"> <p><span style="font-family: times new roman; color: white; font-size: 12pt"><font size="2" face="Georgia">Delimited</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font face="Georgia"><font size="2">YES <sup>3</sup></font></font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">NO</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">NO</font></span></p></td> </tr>
<tr> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #365f91"> <p><span style="font-family: times new roman; color: white; font-size: 12pt"><font size="2" face="Georgia">DSML</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">YES</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font face="Georgia"><font size="2">NO <sup>4</sup></font></font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">NO</font></span></p></td> </tr>
<tr> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #365f91"> <p><span style="font-family: times new roman; color: white; font-size: 12pt"><font size="2" face="Georgia">Fixed-width</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font face="Georgia"><font size="2">YES <sup>3</sup></font></font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">NO</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">NO</font></span></p></td> </tr>
<tr> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #365f91"> <p><span style="font-family: times new roman; color: white; font-size: 12pt"><font size="2" face="Georgia">LDIF</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">YES</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">YES</font></span></p></td> <td style="border-bottom: white 0.5pt solid; padding-left: 7px; padding-right: 7px; border-top-style: none; background: #a7bfde"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">ON IMPORT ONLY<sup> 5</sup></font></span></p></td> </tr>
<tr> <td style="padding-left: 7px; padding-right: 7px; border-top-style: none; background: #365f91"> <p><span style="font-family: times new roman; color: white; font-size: 12pt"><font size="2" face="Georgia">SQL MA</font></span></p></td> <td style="padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">YES</font></span></p></td> <td style="padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font size="2" face="Georgia">YES</font></span></p></td> <td style="padding-left: 7px; padding-right: 7px; border-top-style: none; background: #dbe5f1"> <p style="text-align: center"><span style="font-family: times new roman; color: black; font-size: 12pt"><font face="Georgia"><font size="2">NO <sup>6</sup></font></font></span></p></td> </tr>
</tbody></table></p></span> <p><font size="2"></font></p><p><br />
<br />
<font size="2">Okay, now for the caveats (can’t get away without some of those):</font></p><ol><li><font size="2">An Attribute Level Update implies that a delta import can contain only the attribute that has changed (along with the other required columns, like the type of change and the anchor)</font> <br />
<br />
So, here’s what that might look like.  Suppose I have a user with the following attributes: <br />
<table border="0" cellspacing="2" cellpadding="2" width="501"><tbody>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="171" align="right"> ID: </td> <td valign="top" width="192">12345 </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="171" align="right"> Name: </td> <td valign="top" width="192">Sarah </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="171" align="right"> Status: </td> <td valign="top" width="192">Active </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="171" align="right"> Phone: </td> <td valign="top" width="192">555-123-4567</td> </tr>
</tbody></table>                                      <br />
If Sarah’s phone number changes to 555-987-6543, I can simply tell FIM something like:  <table border="0" cellspacing="2" cellpadding="2" width="499"><tbody>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="167" align="right"> ID: </td> <td valign="top" width="194">12345  </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="167" align="right"> Type Of Change: </td> <td valign="top" width="194">Update</td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="167" align="right"> Phone: </td> <td valign="top" width="194">555-987-6543</td> </tr>
</tbody></table><br />
This has the advantage of giving FIM less work to do to determine what has changed on the records being imported and greatly speeds up delta imports.  <br />
  </li>
<li><font size="2">A Multi-valued Level Attribute Update supports adding and deleting specific values from a multi-valued attribute <br />
</font>  <br />
Let’s take another look at Sara’s record: <br />
<table border="0" cellspacing="2" cellpadding="2" width="505"><tbody>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> ID: </td> <td valign="top" width="199">12345  </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> Name: </td> <td valign="top" width="199">Sarah  </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> Status: </td> <td valign="top" width="199">Active  </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> Phone: </td> <td valign="top" width="199">555-123-4567 </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> Phone: </td> <td valign="top" width="199">555-456-7890</td> </tr>
</tbody></table>                                       <br />
Now, Sarah has two Phone numbers, or a single attribute with multiple values. With multi-value level attribute update support, we can do things like add a new phone number to the list, delete a phone number from the list or update a phone number (in essence by doing an add of the new value and then a delete of the old one): <table border="0" cellspacing="2" cellpadding="2" width="506"><tbody>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="170" align="right"> ID: </td> <td valign="top" width="198">12345  </td> </tr>
<tr> <td valign="top" width="128" align="right"> </td> <td valign="top" width="170" align="right"> Type Of Change: </td> <td valign="top" width="198">Add</td> </tr>
<tr> <td valign="top" width="128" align="right"> </td> <td valign="top" width="170" align="right"> Phone: </td> <td valign="top" width="198">555-987-6543</td> </tr>
</tbody></table><br />
Without this support, the source system would be required to do a “replace” action and provide FIM with all of the current values at the time of import which FIM will use to override all the values that it has for that attribute.  So if we start with Sarah’s record as listed just above and add the phone number 555-987-6543 and remove the phone number 555-123-4567, we would have to pass: <br />
<table border="0" cellspacing="2" cellpadding="2" width="506"><tbody>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> ID: </td> <td valign="top" width="201">12345  </td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> Type Of Change: </td> <td valign="top" width="201">Replace</td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> Phone: </td> <td valign="top" width="201">555-987-6543</td> </tr>
<tr> <td valign="top" width="128"> </td> <td valign="top" width="168" align="right"> Phone: </td> <td valign="top" width="201">555-4567-7890</td> </tr>
</tbody></table><br />
As with attribute level updates, multi-valued level attribute update can greatly reduce the amount of work that FIM needs to accomplish.  To illustrate, just imagine applying this scenario to attributes like member on an AD group that can have thousands of values. <br />
  </li>
<li><font size="2">Using a multi-valued attribute in a delimited or fixed-width file requires the use of a header on the import file </font> <br />
<br />
So for a comma delimited file this would look like:  <br />
                                       ID, NAME, PHONE, PHONE, PHONE <br />
                                       12345, Sarah, 555-123-4567, 555-987-6543, 555-456-7890 <br />
<br />
This would import a record for Sarah with three attributes - ID, NAME and PHONE, the last of which will have three values. A fixed width file would work the same way. <br />
  </li>
<li><font size="2">While the DSML specifications themselves can actually handle attribute level updates using the addRequest, delRequest and modifyRequest operations, FIM only implements the ability to import a SearchResultEntry element which must contain all of the attributes on the object</font> <br />
<br />
Just a side note for those that might be curious, you can actually place the addRequest, delRequest and modifyRequest nodes in the DSML file.  FIM will be able to parse the file and it wont cause any errors, however these elements are completely ignored and aren’t processed by FIM.  I also tried sending a DSML delta to FIM with just the attribute that changed and a change type of “modify”, and I suppose not surprisingly, the object in the connector space was updated so that it only had the one attribute I specified,  all the other attributes originally on the object were removed. Had any of these attributes been defined as required, this update would have failed. <br />
  </li>
<li><font size="2">While you can import an update to a specific value in a multi-valued attribute, if you were to export this same change to an LDIF file, it will come through as a replace operation containing all values now present on the attribute</font> <br />
  </li>
<li><font size="2">While the SQL MA does not support updates to a specific value on a multi-valued attribute out of the box, I hear rumor that some customizations can be done to make this happen</font> </li>
</ol>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com2tag:blogger.com,1999:blog-3265068911303773094.post-10655952889559200802011-04-22T16:22:00.001-07:002011-04-22T20:11:38.067-07:00Small Bug Found in MIIS/ILM/FIM Identity Manager UI….<p>Okay, so it’s so small its hardly worth mentioning.  However, if you happen to run into the error “no-start-file-open” when running an import/export step or see the following message when trying to browse to your files while configuring the import step, you may be a victim of this issue.</p> <p><a href="http://lh4.ggpht.com/_fcsn-2MxKvM/TbIPyHjta3I/AAAAAAAAAEs/4hAIt9qe6ZM/s1600-h/UIErrorMessage%5B7%5D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" border="0" alt="UIErrorMessage" src="http://lh3.ggpht.com/_fcsn-2MxKvM/TbIPyfO_iAI/AAAAAAAAAEw/Fn7pdCT7YEM/UIErrorMessage_thumb%5B5%5D.png?imgmax=800" Title="Unable to get the list of files in the management agent's working directory." /></a></p> <p>The problem occurs when you have given your MA a name that ends in one or more periods (“.”).  While this is considered legal by the Identity Manager UI (FYI - Identity Manager will not allow periods at the beginning of the MA Name), the periods will get stripped off of the MaData folder automatically by Windows.  In my test case I named my MA “ma ,, test – with __special ,, characters – ..”, a bit excessive I know, but hey, I was testing.  However, my MaData folder actually turned out like:</p> <p><a href="http://lh3.ggpht.com/_fcsn-2MxKvM/TbIPy38lR1I/AAAAAAAAAE0/aXILxBY41wg/s1600-h/AddressBar%5B4%5D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="AddressBar" border="0" alt="AddressBar" src="http://lh5.ggpht.com/_fcsn-2MxKvM/TbIPzBES8sI/AAAAAAAAAE4/Ro1JvZPJxbE/AddressBar_thumb%5B2%5D.png?imgmax=800" /></a></p> <p>You can see why ILM could then have a problem finding the files specified in the run profile since its using the MA Name to determine the file path (i.e. its looking for it in D:\Program Files\Microsoft Identity Integration Server\MAData\ma ,, test – with __special ,, characters – ..\).  Further proof that this is the case can be found in the Event Viewer:</p> <p><a href="http://lh6.ggpht.com/_fcsn-2MxKvM/TbIPzcXieZI/AAAAAAAAAE8/N59qCk4JCqk/s1600-h/EventViewer%5B3%5D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="The management agent failed on run profile because the file could not be opened." border="0" alt="EventViewer" src="http://lh3.ggpht.com/_fcsn-2MxKvM/TbIPzncipwI/AAAAAAAAAFA/T28T3ZQjKuE/EventViewer_thumb%5B1%5D.png?imgmax=800" /></a></p> <p>The fix?  Simply open the MA properties in Identity Manager, remove any periods from the end of the MA name and it should begin working as expected.</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-12670633111634993092011-04-21T20:31:00.000-07:002011-04-22T20:32:02.327-07:00Using Maexport To Import a Management Agent<p>Ever happen to see this little tidbit in the documentation for Identity Manager:</p> <p><a href="http://lh6.ggpht.com/_fcsn-2MxKvM/TbJIMOIHgFI/AAAAAAAAAFE/-sU_JXr1Yjs/s1600-h/Maexport%5B2%5D.png"><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="Maexport" border="0" alt="Maexport" src="http://lh4.ggpht.com/_fcsn-2MxKvM/TbJIMT4Iw-I/AAAAAAAAAFI/u2yx7xkqNlU/Maexport_thumb.png?imgmax=800" width="443" height="73" /></a></p> <p>You can find it under the heading Import a Management Agent from a File, and well, don’t believe it for a second!  Its currently not possible to import a Management Agent into Identity Manager using a command line tool.  For now, you will have to continue to use the UI.</p> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-86446216468398586252010-04-11T12:25:00.001-07:002011-04-22T16:43:17.658-07:00XPath in FIM Sets<span xmlns="xmlns"> <p>Recently, while working with <a href="http://www.identitychaos.com/">Brad</a> on a FIM implementation, he told me about some issues he was having with the restrictions placed on the XPath used when building a new Set. Specifically, he wanted to be able to find people that were missing a specific attribute. This was a little tricky, but I finally came up with a solution for strings and another one for dates: <br /></p> <blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px">/Person[not(starts-with(<AttributeNameOfTypeString>, ''))] <br /></blockquote> <blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px">/Person[not(<AttributeNameOfTypeDateTime> &gt; '1900-01-01T00:00:00Z')] <br /></blockquote> <p>So, if you wanted to find everyone who was missing an AD Distinguished Name (ADDN) you would use the following filter to define the Set: <br /></p> <blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px">/Person[not(starts-with(ADDN, ''))] <br /></blockquote> And if you wanted all of the Person objects missing a Termination Date (EmployeeEndDate): <br /> <blockquote style="border-bottom: #7ba0cd 1px solid; border-left: #7ba0cd 1px solid; padding-bottom: 10px; padding-left: 5px; padding-right: 5px; background: #d3dfee; border-top: #7ba0cd 1px solid; border-right: #7ba0cd 1px solid; padding-top: 10px">/Person[not(EmployeeEndDate &gt; '1900-01-01T00:00:00Z')] <br /></blockquote> <p>These examples are specific for the Person resource object, but this same logic could be used for any resource type in the FIM Portal.</p> <p>UPDATE:  In certain instances, the above XPath will actually return more items than you would expect.  Check out David’s blog post to <a href="http://blog.ilmbestpractices.com/2010/06/fim-sets-xpath-finding-nulls-with.html" target="_blank">find out why and what really works</a>. <br /></p> </span> Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-54507426957748877422009-11-16T09:21:00.000-08:002009-11-16T09:48:10.250-08:00The Missing ILM ExtensionWhile recently browsing the Microsoft.Metadirectory services namespace for ILM I discovered a new extension that I had not seen before. In addition to the 6 that I was familiar with:<br /><ul><li>IMAExtensibleCallExport</li><li>IMAExtensibleFileExport</li><li>IMAExtensibleFileImport</li><li>IMAPasswordManagement</li><li>IMASynchronization</li><li>IMVSynchronization</li></ul><p>There was a 7th that I had never hear of, the <strong>IMACalloutExtension</strong>. Curious, I began to investigate. The Extension implements the following methods:</p><blockquote style="background: #d3dfee; padding: 10px 5px; border: 1px solid #7ba0cd">public void BeginExportToCd(string connectTo, string user, string domain, string password)<br />{<br />}<br /><br />public void EndExportToCd()<br />{<br />}<br /><br />public void BeforeExportEntryToCd(string deltaEntryXml, string[] changedAttributes)<br />{<br />}<br /><br />public void AfterExportEntryToCd(byte[] origAnchor, string origDN, string origDeltaEntryXml, byte[] newAnchor, string newDN, string failedDeltaEntryXml, string errorMessage)<br />{<br />}</blockquote><p>The only documentation that I could find was within the interface definition itself. It appears that this extension was to be implemented using a new Management Agent of type "Callout" (or something similar) and gives the developer the ability to take action both before and after each entry export action, which could be extremely helpful. I haven't been able to find a roadmap for this feature, but it appears to be something we can look forward to in the future!</p>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com1tag:blogger.com,1999:blog-3265068911303773094.post-10979746900395694342009-07-30T12:08:00.000-07:002011-06-08T15:08:52.052-07:00.NET Google SSO Part 2 of 2<span xmlns=''><p>This is the second in a series of articles discussing the implementation of an SSO application for Google Apps. The first <a href='http://www.apollojack.com/2009/03/net-google-sso-part-1-of-2.html'>.NET Google SSO Part 1 of 2</a> began the discussion by laying out the steps needed to handle the initial Authentication Request made by Google. This final piece will complete the package by illustrating the generation of the Authentication Response. <br />
</p><p style='text-align: center'><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPyO-IVSm1Y5Ke9abCtvP4Kjwq1YvQ1ZnsbB_M-aVWgMcA5ND6S4gmbllewT-uMYtFnhlxhYFKKQDUEyRpcwRmoK3tVOsN8ETFzkMCsT0t2RI5txf0cgbRyXLmtMNi5NzsAPvYOJPJm2RQ/s1600-h/SSOProcess.jpg'><img border='0' alt='' src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPyO-IVSm1Y5Ke9abCtvP4Kjwq1YvQ1ZnsbB_M-aVWgMcA5ND6S4gmbllewT-uMYtFnhlxhYFKKQDUEyRpcwRmoK3tVOsN8ETFzkMCsT0t2RI5txf0cgbRyXLmtMNi5NzsAPvYOJPJm2RQ/s400/SSOProcess.jpg'/></a><br />
</p><p>Google will expect the Authentication Response to come back as a form posted to the AssertionConsumerServiceURL provided by Google in the inital request. The form needs to have at least two elements on it, a <textarea> named SAMLResponse and an <input> named RelayState. The RelayState element is the url to redirect the user to at Google once the response has been sent. This is usually the same as the RelayState that Google provided to you via the RelayState url parameter. <br />
<br />
Building the SAMLResponse is a little bit more involved. The SAMLResponse will contain the xml body of the AuthnResponse, which has the following format:<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee' width='100%'><colgroup><col style='width:634px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:10pt'><?xml version="1.0" encoding="UTF-8"?> <br />
<samlp:Response ID="RESPONSE_ID" IssueInstant="<span style='color:red'>ISSUE_INSTANT</span>" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"<br />
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><br />
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><br />
<SignedInfo><br />
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><br />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><br />
<Reference URI=""><br />
<Transforms><br />
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><br />
</Transforms><br />
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><br />
<DigestValue><span style='color:red'>DIGEST_VALUE</span></DigestValue><br />
</Reference><br />
</SignedInfo><br />
<SignatureValue><span style='color:red'>SIGNATURE_VALUE</span></SignatureValue><br />
<KeyInfo><br />
<KeyValue><br />
<RSAKeyValue><br />
<Modulus><span style='color:red'>RSA_KEY_MODULUS</span></Modulus><br />
<Exponent><span style='color:red'>RSA_KEY_EXPONENT</span></Exponent><br />
</RSAKeyValue><br />
</KeyValue><br />
</KeyInfo><br />
</Signature><br />
<samlp:Status><br />
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /><br />
</samlp:Status><br />
<Assertion ID="<span style='color:red'>ASSERTION_ID</span>" IssueInstant="<span style='color:red'>ISSUE_INSTANT</span>" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><br />
<Issuer>https://www.opensaml.org/IDP</Issuer><br />
<Subject><br />
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"><br />
<span style='color:red'>USERNAME_STRING<br />
</span> </NameID><br />
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><br />
<SubjectConfirmationData Recipient="<span style='color:red'>ACS_URL</span>" /><br />
</SubjectConfirmation><br />
</Subject><br />
<Conditions NotBefore="<span style='color:red'>NOT_BEFORE</span>" NotOnOrAfter="<span style='color:red'>NOT_ON_OR_AFTER</span>"><br />
</Conditions><br />
<AuthnStatement AuthnInstant="<span style='color:red'>AUTHN_INSTANT</span>"><br />
<AuthnContext><br />
<AuthnContextClassRef><br />
urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br />
</AuthnContextClassRef><br />
</AuthnContext><br />
</AuthnStatement><br />
</Assertion><br />
</samlp:Response></span></p></td></tr>
</tbody></table></div><p>Where the items in red will need to be replaced with actual values before sending the response to Google. Here are some specs for those items:<br />
</p><div><table border='0' style='border-collapse:collapse' width='100%'><colgroup><col style='width:62px'/><col style='width:250px'/><col style='width:519px'/></colgroup><tbody valign='top'>
<tr style='background: #4f81bd'><td style='padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: solid white 1.0pt; border-left: solid white 1.0pt; border-bottom: solid white 3.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='color:white; font-family:Courier New; font-size:12pt' >Attribute</span></p></td><td style='padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: solid white 1.0pt; border-left: none; border-bottom: solid white 3.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='color:white; font-family:Courier New; font-size:12pt'>Description<strong> </strong></span></p></td><td style='padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: solid white 1.0pt; border-left: none; border-bottom: solid white 3.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='color:white; font-family:Courier New; font-size:12pt'>Examples<strong> </strong></span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 0.75pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>ASSERTION_ID</span> </p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>A 160-bit string made up of randomly generated lower case alpha characters from a through p</span> </p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='color:black; font-family:Verdana; font-size:10pt'>dfpccklacbmnmioodokleambcplpmfghahihdmna</span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 1.0pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>ISSUE_INSTANT</span> </p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 0.75pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>Should be the current date and time in the format: <br />
yyyy-mm-ddThh:mm:ssZ</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>2000-01-01T23:01:01Z</span><br />
<span style='font-family:Tahoma; font-size:10pt'>2008-10-02T05:55:23Z</span> </p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 0.75pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>AUTHN_INSTANT</span> </p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>Should be the current date and time in the format: <br />
yyyy-mm-ddThh:mm:ssZ</span></p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>2000-01-01T23:01:01Z</span><br />
<span style='font-family:Tahoma; font-size:10pt'>2008-10-02T05:55:23Z</span> </p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 1.0pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>NOT_BEFORE</span> </p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 0.75pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>This defines the beginning timeframe for which the authentication is valid. Should be the current date and time in the format: <br />
yyyy-mm-ddThh:mm:ssZ</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>2000-01-01T23:01:01Z</span><br />
<span style='font-family:Tahoma; font-size:10pt'>2008-10-02T05:55:23Z</span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 0.75pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>NOT_ON_OR_AFTER</span> </p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>This defines the ending timeframe for which the authentication is valid. Should be the current date and time in the format: <br />
yyyy-mm-ddThh:mm:ssZ</span></p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>2000-01-01T23:01:01Z</span><br />
<span style='font-family:Tahoma; font-size:10pt'>2008-10-02T05:55:23Z</span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 1.0pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>ACS_URL</span> </p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 0.75pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>The URL to send the authentication result</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>https://www.google.com/a/yourCompany.com/acs</span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 0.75pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>USERNAME_STRING</span> </p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>The username of the person validated</span> </p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>jsmith<br />
</span>jon.smith </p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 1.0pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>DIGEST_VALUE</span> </p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 0.75pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>The value of the digest of the Reference URI calculated using the algorithm listed in the DigestMethod</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>Qo9gKjwBgNtt6P07aIZmIPXP+uQ=</span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 0.75pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>SIGNATURE_VALUE</span> </p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>The value of the digest of the SignedInfo Element calculated using the algorithm listed in the SignatureMethod</span></p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>55khyrdDp0SgPmlu5dH49CAfASW2psDLhgjaB+Yl06pfxLJWnIctb7pX0K3k/vhNU8sUMY6Ps582CS6+YUPJps45U0i<br />
VDK/+PPZvFREOwDR54XSzXAPd7GZyk+jBdQZv6D/g5IgccIGiw3Zi9Qpfe64iewSFoRukvVUD0yGOfszA=</span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 1.0pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>RSA_KEY_MODULUS</span> </p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 0.75pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>For use in the RSA encryption algorithm</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>K88ntfSyp1JU9Nu1KJwk+KKOuunT9G1RLwJXm6WrDb2klVGXLNKcP72lu5AlyGgYoZXO2bY2d610LE7kGol3Hu<br />
PKfOMLoKqO/m1etjBBhQnuc2aVL1vJjQiLV/KsCsgwocNIoGOF01ndlgJiazFUFf6IwFltNg/A1pz9I05kkj0=</span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 1.0pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Tahoma; font-size:10pt'>RSA_KEY_EXPONENT</span> </p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>For use in the RSA encryption algorithm</span></p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 5px; padding-bottom: 1px; padding-right: 5px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Tahoma; font-size:10pt'>AQAB</span></p></td></tr>
</tbody></table></div><p>Here are the basic steps we need to take to create the AuthnResponse:<br />
</p><ol><li>Authenticate the user<br />
</li>
<li>Generate an xmlDocument object using the AuthnResponse Template<br />
</li>
<li>Fill in the AuthnResponse parameters <br />
</li>
<li>Create a new signedXml object based on the xmlDocument <br />
</li>
<li>Submit an html form with the InnerXml of the signedXml object and the RelayState<br />
</li>
</ol><p>If we continue with the project created using the first blog post, we currently have one item on our form, a label called lblError. You will need to add two text boxes, txtUser and txtPwd to allow the user to enter their credentials and a button, btnSubmit. Format the form to your liking, and then add some code to authenticate the user, this can be done against a directory, a database, etc. This example will authenticate a user against ADAM.<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee' width='100%'><colgroup><col style='width:632px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 4px; padding-bottom: 1px; padding-right: 4px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:10pt'><span style='color:green'>// Class level vars</span><span style='color:#333333'><br />
</span><span style='color:blue'>string </span>googleUserName <span style='color:#333333'>= "";</span><span style='color:gray'><br />
<br />
///<summary></span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>Authenticate user and return the result</span></span><br />
<span style='color:gray; font-family:Courier New; font-size:10pt'>///</summary></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>protected bool</span> AuthenticateUser()</span><br />
<span style='font-family:Courier New; font-size:10pt'>{<br />
<span style='color:green'>// User parameters from the form</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>bool </span>authenticated =<span style='color:blue'> false;</span><br />
</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// User parameters from the form</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> user = Request.Params[<span style='color:maroon'>"txtUser"</span>];</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> password = Request.Params[<span style='color:maroon'>"txtPwd"</span>];</span><br />
<span style='font-family:Courier New; font-size:10pt'><br />
<span style='color:green'>// Variables</span><br />
SearchResult srPerson = <span style='color:blue'>null</span>;<br />
DirectorySearcher dSearch = <span style='color:blue'>null</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'> DirectoryEntry de = <span style='color:blue'>null</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'> DirectoryEntry deAdmin = <span style='color:blue'>null</span>;<br />
<span style='color:blue'>string</span> dn = <span style='color:maroon'>""</span>;<br />
</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Clear out our class level variable, googleUserName</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> googleUserName = <span style='color:maroon'>""</span>;</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>try</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (!<span style='color:blue'>string</span>.IsNullOrEmpty(user) && !<span style='color:blue'>string</span>.IsNullOrEmpty(password))</span><br />
<span style='font-family:Courier New; font-size:10pt'> {<br />
<span style='color:green'>// All required params were not entered, throw an error</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// could also use some field validators to avoid this</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>throw new </span><span style='color:teal'>Exception</span>(<span style='color:maroon'>"Logon failure: unknown user name or bad password"</span>);</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Get the users dn based on the user name used the form, so<br />
</span> <span style='color:green'>// that we can use it later with our bind test<br />
</span> dSearch = <span style='color:blue'>new</span> DirectorySearcher();<br />
dSearch.SearchScope = SearchScope.Subtree;<br />
dSearch.PropertiesToLoad.Add(<span style='color:maroon'>"distinguishedName"</span>);<br />
dSearch.SearchRoot = <span style='color:blue'>new</span> DirectoryEntry(<span style='color:maroon'>"LDAP://YourServer:389/C=YourRootPath"</span>, <span style='color:maroon'>"AdamAdminUser"</span>, <span style='color:maroon'>"AdamAdminPswd"</span>, <br />
AuthenticationTypes.Secure | AuthenticationTypes.ServerBind); <br />
dSearch.Filter = <span style='color:maroon'>"(userName="</span> + user + <span style='color:maroon'>")"</span>;<br />
srPerson = dSearch.FindOne();<span style='color:green'><br />
</span> dn = srPerson == <span style='color:blue'>null</span> ? <span style='color:blue'>null</span> : srPerson.Properties[<span style='color:maroon'>"distinguishedName"</span>][0].ToString();</span><br />
<span style='font-family:Courier New; font-size:10pt'> </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (!<span style='color:blue'>string</span>.IsNullOrEmpty(dn))</span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Get the directory entry, using the users credentials to bind</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> de = <span style='color:blue'>new</span> DirectoryEntry(<span style='color:maroon'>"LDAP://YourServer:389/C=YourRootPath"</span>, dn, password, <br />
AuthenticationTypes.ServerBind | AuthenticationTypes.FastBind);</span><br />
<span style='font-family:Courier New; font-size:10pt'> </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Get the native object to force authentication, an error will be throw here<br />
</span> <span style='color:green'>// if the wrong credentials were given, this will be captured below and the user will be notified</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>object</span> bind = de.NativeObject;</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// They have authenticated okay, we are now assuming that their google user name<br />
</span> <span style='color:green'>// is different than their ADAM login name, we need to get it for use later</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// we cant use the above object to get the data because we had to issue our connection<br />
</span> <span style='color:green'>// using the fast bind option, get a new handle on the object using<br />
</span> <span style='color:green'>// admin credentials and the secure auth type</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> deAdmin = <span style='color:blue'>new</span> DirectoryEntry(<span style='color:maroon'>"LDAP://YourServer:389/"</span> + dn, <span style='color:maroon'>"AdamAdminUser"</span>, <span style='color:maroon'>"AdamAdminPswd"</span>, <br />
AuthenticationTypes.ServerBind | AuthenticationTypes.Secure);</span><br />
<span style='font-family:Courier New; font-size:10pt'> deAdmin.RefreshCache(<span style='color:blue'>new string</span>[] { <span style='color:maroon'>"googleUserName"</span> });</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// If googleUserName is an email address, we just want what comes before the @ symbol</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> googleUserName = deAdmin.Properties.Contains(<span style='color:maroon'>"googleUserName"</span>) ? <br />
deAdmin.Properties[<span style='color:maroon'>"googleUserName"</span>][0].ToString() : <span style='color:maroon'>""</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'> googleUserName = googleUserName.IndexOf(<span style='color:maroon'>"@"</span>) > 0 ? <br />
googleUserName.Substring(0, googleUserName.IndexOf(<span style='color:maroon'>"@"</span>)) : googleUserName;</span><br />
<span style='font-family:Courier New; font-size:10pt'> <br />
<span style='color:green'>// We didn't get what we expected throw an error</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (googleUserName == <span style='color:maroon'>""</span>)</span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>throw new </span><span style='color:teal'>Exception</span>(<span style='color:maroon'>"Logon failure: unable to retrieve your Google username"</span>);</span><br />
<span style='font-family:Courier New; font-size:10pt'> }<br />
<span style='color:blue'>else</span><br />
{<br />
authenticated = <span style='color:blue'>true</span>;<br />
} </span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>else<br />
</span> {<br />
<span style='color:green'>// We cant continue without a dn</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>throw new </span><span style='color:teal'>Exception</span>(<span style='color:maroon'>"Logon failure: unknown user name or bad password"</span>);</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>catch</span>(<span style='color:teal'>Exception</span> ex)</span><br />
<span style='font-family:Courier New; font-size:10pt'> {<br />
<span style='color:green'>// Let user know there was a problem</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> lblError.Text = ex.Message;</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>finally</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Clean up<br />
</span> <span style='color:blue'>if</span> (dSearch!= <span style='color:blue'>null</span>)</span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> dSearch.Dispose();</span><br />
<span style='font-family:Courier New; font-size:10pt'> }<br />
<br />
<span style='color:blue'>if</span> (de != <span style='color:blue'>null</span>)</span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> de.Dispose();</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (deAdmin != <span style='color:blue'>null</span>)</span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> deAdmin.Dispose();</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'>}</span></p></td></tr>
</tbody></table></div><p>Now that our user is authenticated and we have their Google UserName, the next step is to generate an xmlDocument object using the AuthnResponse template. The template that we need is similar to the AuthnResponse shown above, with one very important difference; we don't want the <Signature> element or its children. We will be adding this using the signedXml object later. Create an xml file named AuthnResponseTemplate in your project directory. Copy in the AuthnResponse xml below and save the document.<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee' width='100%'><colgroup><col style='width:638px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:10pt'><?xml version="1.0" encoding="UTF-8"?> <br />
<samlp:Response ID="RESPONSE_ID" IssueInstant="<span style='color:red'>ISSUE_INSTANT</span>" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"<br />
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><br />
<samlp:Status><br />
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /><br />
</samlp:Status><br />
<Assertion ID="<span style='color:red'>ASSERTION_ID</span>" IssueInstant="<span style='color:red'>ISSUE_INSTANT</span>" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><br />
<Issuer>https://www.opensaml.org/IDP</Issuer><br />
<Subject><br />
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"><br />
<span style='color:red'>USERNAME_STRING<br />
</span> </NameID><br />
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><br />
<SubjectConfirmationData Recipient="<span style='color:red'>ACS_URL</span>" /><br />
</SubjectConfirmation><br />
</Subject><br />
<Conditions NotBefore="<span style='color:red'>NOT_BEFORE</span>" NotOnOrAfter="<span style='color:red'>NOT_ON_OR_AFTER</span>"><br />
</Conditions><br />
<AuthnStatement AuthnInstant="<span style='color:red'>AUTHN_INSTANT</span>"><br />
<AuthnContext><br />
<AuthnContextClassRef><br />
urn:oasis:names:tc:SAML:2.0:ac:classes:Password<br />
</AuthnContextClassRef><br />
</AuthnContext><br />
</AuthnStatement><br />
</Assertion><br />
</samlp:Response></span></p></td></tr>
</tbody></table></div><p>We will now add code to consume this new file and replace the elements in red with proper values:<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee' width='100%'><colgroup><col style='width:638px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='color:gray; font-family:Courier New; font-size:10pt'>///<summary></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>Create our xml SAML Response base on the template</span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>///</summary></span><span style='color:blue'><br />
private string</span> CreateSamlResponse() </span><br />
<span style='font-family:Courier New; font-size:10pt'>{<br />
<span style='color:green'>// Grab our response template</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> filepath = Request.PhysicalApplicationPath + (<span style='color:maroon'>"AuthnResponseTemplate.xml"</span>);</span><br />
<span style='font-family:Courier New; font-size:10pt'> XmlDocument doc = <span style='color:blue'>new</span> XmlDocument();</span><br />
<span style='font-family:Courier New; font-size:10pt'> doc.PreserveWhitespace = <span style='color:blue'>true</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'> doc.Load(filepath);</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> samlResponse = doc.InnerXml;</span> <br />
<span style='font-family:Courier New; font-size:10pt'><br />
<span style='color:green'>// Get our IDs and make sure that they arent the same (timing)</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> responseID = CreateID();</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> assertionID = CreateID();</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>while</span> (responseID == assertionID)</span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> assertionID = CreateID();</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span> <br />
<span style='font-family:Courier New; font-size:10pt'><br />
<span style='color:green'>// Fill out out our template</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> samlResponse = samlResponse.Replace(<span style='color:maroon'>"USERNAME_STRING"</span>, googleUserName);</span><br />
<span style='font-family:Courier New; font-size:10pt'> samlResponse = samlResponse.Replace(<span style='color:maroon'>"RESPONSE_ID"</span>, responseID);</span><br />
<span style='font-family:Courier New; font-size:10pt'> samlResponse = samlResponse.Replace(<span style='color:maroon'>"ISSUE_INSTANT"</span>, GetDateAndTime(0, 0));</span><br />
<span style='font-family:Courier New; font-size:10pt'> samlResponse = samlResponse.Replace(<span style='color:maroon'>"AUTHN_INSTANT"</span>, GetDateAndTime(0, 1));</span><br />
<span style='font-family:Courier New; font-size:10pt'> samlResponse = samlResponse.Replace(<span style='color:maroon'>"NOT_BEFORE"</span>, GetRequestAttributes(requestXmlString, <span style='color:maroon'>"IssueInstant"</span>));</span><br />
<span style='font-family:Courier New; font-size:10pt'> samlResponse = samlResponse.Replace(<span style='color:maroon'>"NOT_ON_OR_AFTER"</span>, GetDateAndTime(1, 0););</span><br />
<span style='font-family:Courier New; font-size:10pt'> samlResponse = samlResponse.Replace(<span style='color:maroon'>"ASSERTION_ID"</span>, assertionID);</span><br />
<span style='font-family:Courier New; font-size:10pt'> samlResponse = samlResponse.Replace(<span style='color:maroon'>"ACS_URL"</span>, GetRequestAttributes(requestXmlString, <span style='color:maroon'>"AssertionConsumerServiceURL"</span>));</span><br />
<span style='font-family:Courier New; font-size:10pt'> </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return</span> samlResponse;</span> <br />
<span style='font-family:Courier New; font-size:10pt'>}<br />
<br />
<span style='color:gray'>///<summary></span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>Generate a random set of alpha characters <br />
</span><span style='color:gray'>///</span><span style='color:green'> appropriate for our SAML IDs</span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>///</summary></span><span style='color:blue'><br />
public static</span> <span style='color:blue'>string</span> CreateID() </span><br />
<span style='font-family:Courier New; font-size:10pt'>{</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:teal'>Random</span> random = <span style='color:blue'>new </span><span style='color:teal'>Random</span>();</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>char</span>[] charMapping = {<span style='color:maroon'>'a'</span>, <span style='color:maroon'>'b'</span>, <span style='color:maroon'>'c'</span>, <span style='color:maroon'>'d'</span>, <span style='color:maroon'>'e'</span>, <span style='color:maroon'>'f'</span>, <span style='color:maroon'>'g'</span>, <span style='color:maroon'>'h'</span>, <span style='color:maroon'>'i'</span>, <span style='color:maroon'>'j'</span>, <span style='color:maroon'>'k'</span>, <span style='color:maroon'>'l'</span>, <span style='color:maroon'>'m'</span>, <span style='color:maroon'>'n'</span>, <span style='color:maroon'>'o'</span>, <span style='color:maroon'>'p'</span>};</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>byte</span>[] bytes = <span style='color:blue'>new byte</span>[20]; <span style='color:green'>// 160 bits</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> random.NextBytes(bytes);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>char</span>[] chars = <span style='color:blue'>new char</span>[40];</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>for</span> (<span style='color:blue'>int</span> i = 0; i < bytes.Length; i++) </span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>int</span> left = (bytes[i] >> 4) & 0x0f;</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>int</span> right = bytes[i] & 0x0f;</span><br />
<span style='font-family:Courier New; font-size:10pt'> chars[i * 2] = charMapping[left];</span><br />
<span style='font-family:Courier New; font-size:10pt'> chars[i * 2 + 1] = charMapping[right];</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> id = <span style='color:blue'>new string</span>(chars);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return</span> id;</span><br />
<span style='font-family:Courier New; font-size:10pt'>}<br />
<br />
<span style='color:gray'>///<summary></span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>Create a datetime string in the appropriate SAML format</span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>///</summary></span><span style='color:blue'><br />
public static</span> <span style='color:blue'>string</span> GetDateAndTime(<span style='color:blue'>int</span> days, <span style='color:blue'>int</span> minutes) </span><br />
<span style='font-family:Courier New; font-size:10pt'>{</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:teal'>DateTime</span> dt = <span style='color:teal'>DateTime</span>.Now;</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (days > 0)</span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> dt = dt.AddDays(days);</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (minutes > 0)</span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> dt = dt.AddMinutes(minutes);</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return</span> dt.ToString(<span style='color:maroon'>"yyyy-MM-dd"</span>) + <span style='color:maroon'>'T'</span> + dt.ToString(<span style='color:maroon'>"HH:mm:ss"</span>) + <span style='color:maroon'>'Z'</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'>}<br />
<br />
<span style='color:gray'>///<summary></span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>Get the specified attribute value from the SAMLRequest</span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>///</summary></span><span style='color:blue'><br />
private string</span> GetRequestAttributes(<span style='color:blue'>string</span> xmlString, <span style='color:blue'>string</span> attribute) </span><br />
<span style='font-family:Courier New; font-size:10pt'>{</span><br />
<span style='font-family:Courier New; font-size:10pt'> XmlDocument doc = <span style='color:blue'>new</span> XmlDocument();</span><br />
<span style='font-family:Courier New; font-size:10pt'> doc.LoadXml(xmlString);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (doc != <span style='color:blue'>null</span>) </span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return</span> doc.DocumentElement.GetAttribute(attribute).ToString(); </span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>else</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>throw new</span> <span style='color:teal'>Exception</span>(<span style='color:maroon'>"Error parsing AuthnRequest XML: Null document"</span>);</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'>}</span></p></td></tr>
</tbody></table></div><p>Next, we will be adding the xml signature. Be sure to update the file path to the x509 cert used for signing the xml. This certificate <span style='text-decoration:underline'>must</span> contain the private key:<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee' width='100%'><colgroup><col style='width:638px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='color:gray; font-family:Courier New; font-size:10pt'>///<summary></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>Sign the AuthnResponse xml adding the Signature element</span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>///</summary></span><span style='color:blue'><br />
private string</span> SignResponse(<span style='color:blue'>string</span> xmlDocString)</span><br />
<span style='font-family:Courier New; font-size:10pt'>{</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Get our pfx cert w/private and public keys<br />
</span> <span style='color:green'>// we have the document on the file system, but you could also</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// get it from the certificate store</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// this is the same cert (with public keys only) that was provided </span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// to Google during the SSO set-up</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> X509Certificate2 x509 = <span style='color:blue'>new</span> X509Certificate2();</span><br />
<span style='font-family:Courier New; font-size:10pt'> x509.Import("<span style='color:maroon'>C:\FilePathToGoogleCert\Cert.pfx</span>");</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Create a new RSA signing key </span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:teal'>RSACryptoServiceProvider</span> rsaKey = <span style='color:blue'>new </span><span style='color:teal'>RSACryptoServiceProvider</span>();</span><br />
<span style='font-family:Courier New; font-size:10pt'> rsaKey = (<span style='color:teal'>RSACryptoServiceProvider</span>) x509.PrivateKey;</span> <br />
<span style='font-family:Courier New; font-size:10pt'><br />
<span style='color:green'>// Load our xml into a doc</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> XmlDocument doc = <span style='color:blue'>new</span> XmlDocument();</span><br />
<span style='font-family:Courier New; font-size:10pt'> doc.PreserveWhitespace = <span style='color:blue'>true</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'> doc.LoadXml(xmlDocString);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Sign the XML document. </span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Create a SignedXml object.</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> SignedXml signedXml = <span style='color:blue'>new</span> SignedXml(doc);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Add the key to the SignedXml document.</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> signedXml.SigningKey = rsaKey;</span><br />
<span style='font-family:Courier New; font-size:10pt'> </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Add KeyInfo </span></span><br />
<span style='font-family:Courier New; font-size:10pt'> KeyInfo keyInfo = <span style='color:blue'>new</span> KeyInfo();</span><br />
<span style='font-family:Courier New; font-size:10pt'> keyInfo.AddClause(<span style='color:blue'>new</span> RSAKeyValue(rsaKey));</span><br />
<span style='font-family:Courier New; font-size:10pt'> signedXml.KeyInfo = keyInfo;</span><br />
<span style='font-family:Courier New; font-size:10pt'> </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Create a reference to be signed.</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> Reference reference = <span style='color:blue'>new</span> Reference();</span><br />
<span style='font-family:Courier New; font-size:10pt'> reference.Uri = <span style='color:maroon'>""</span>;</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Add an enveloped transformation to the reference.</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> XmlDsigEnvelopedSignatureTransform env = <span style='color:blue'>new</span> XmlDsigEnvelopedSignatureTransform();</span><br />
<span style='font-family:Courier New; font-size:10pt'> reference.AddTransform(env);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Add the reference to the SignedXml object.</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> signedXml.AddReference(reference);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Compute the signature.</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> signedXml.ComputeSignature();</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Get the XML representation of the signature and save</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// it to an XmlElement object.</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> XmlElement xmlDigitalSignature = signedXml.GetXml();</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Append the element to the XML document.</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> doc.DocumentElement.InsertBefore(doc.ImportNode(xmlDigitalSignature, <span style='color:blue'>true</span>), doc.DocumentElement.FirstChild);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return</span> doc.InnerXml.Trim(); </span><br />
<span style='font-family:Courier New; font-size:10pt'>}</span></p></td></tr>
</tbody></table></div><p>Finally, we will bring it all together in the submit button on_click event handler and generate the html form with the SAMLResponse and RelayState and send it on to Google:<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee' width='100%'><colgroup><col style='width:638px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='color:gray; font-family:Courier New; font-size:10pt'>///<summary></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>Handle the submit button click event, authenticate the user,<br />
</span><span style='color:gray'>///</span><span style='color:green'> then create the response and submit it to Google</span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>///</summary></span><span style='color:blue'><br />
protected void</span> btnSubmit_Click(<span style='color:blue'>object</span> sender, System.<span style='color:teal'>EventArgs</span> e)</span><br />
<span style='font-family:Courier New; font-size:10pt'>{</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Authenticate user</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (AuthenticateUser())<br />
{</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Get our SAMLResponse and sign it</span><br />
<span style='color:blue'>string</span> samlResponse = CreateSamlResponse();</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> signedResponse = SignResponse(samlResponse);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> formName = "<span style='color:maroon'>authnResponse</span>"; </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>string</span> acsUrl = GetRequestAttributes(requestXmlString, <span style='color:maroon'>"AssertionConsumerServiceURL"</span>);<br />
<br />
<span style='color:green'>// Write the http response in such a way that the html document</span><br />
<span style='color:green'>// will submit a form with our data on it to the requestor</span></span> <br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.Clear();</span><br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.Write("<span style='color:maroon'><html><head/></span>");</span><br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.Write(<span style='color:blue'>string</span>.Format("<span style='color:maroon'><body onload='document.{0}.submit()'></span>", <br />
formName));</span><br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.Write(<span style='color:blue'>string</span>.Format("<span style='color:maroon'><form name='{0}' method='post' action='{1}'></span>", <br />
formName, acsUrl));</span><br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.Write(<span style='color:blue'>string</span>.Format("<span style='color:maroon'><textarea name=\"{0}\" style='visibility:hidden'>{1}</textarea></span>", <br />
"<span style='color:maroon'>SAMLResponse</span>", signedResponse));</span><br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.Write(<span style='color:blue'>string</span>.Format("<span style='color:maroon'><input name=\"{0}\" type=\"hidden\" value=\"{1}\"></span>", <br />
"<span style='color:maroon'>RelayState</span>", Request.Params["<span style='color:maroon'>RelayState</span>"]));</span><br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.Write("<span style='color:maroon'></form></span>");</span><br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.Write("<span style='color:maroon'></body></html></span>");</span><br />
<span style='font-family:Courier New; font-size:10pt'> System.Web.HttpContext.Current.Response.End();</span> <br />
<span style='font-family:Courier New; font-size:10pt'> }<br />
}</span></p></td></tr>
</tbody></table></div><p>That should do it! The user will then be allowed into their Google account.</p></span>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com5tag:blogger.com,1999:blog-3265068911303773094.post-10357349245188954192009-06-18T11:03:00.001-07:002009-07-30T09:00:39.597-07:00Invalid provider type specified<span xmlns=''><p>I recently had the need to encrypt some items in an application configuration file to secure some account passwords that were being stored there. After consulting with <a href='http://www.identitychaos.com/'>Brad Turner</a>, we decided to use an x509 certificate to provide the public and private keys needed for RSA encryption. He requested one from our local certificate authority for this purpose and placed it in the machine store. I was able to easily retrieve the cert and encrypt the data, however, I ran into some issues attempting to use it for decryption. While trying to do an explicit conversion from the <a href='http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.privatekey.aspx'>x509Certificate2.PrivateKey</a> property to an <a href='http://msdn.microsoft.com/en-us/library/system.security.cryptography.rsacryptoserviceprovider.aspx'>RSACryptoServiceProvider</a> object:<br /></p><p> <span style='font-family:Courier New; font-size:10pt'>RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)x509.PrivateKey;<br /></span></p><p>I received an "Invalid provider type specified" error. I was unable to find anything related to this specific problem online, however, we were able to surmize that the error was refering to the <a href='http://msdn.microsoft.com/en-us/library/aa380244(VS.85).aspx'>cryptographic provider type</a> used to create the certificate. Based on some previous experience, Brad knew that the new v3 template for certificates on Windows 2008 server can cause some issues for older technologies. After creating a new certificate using an older template (v2), this error was no longer an issue. This may be fixed with the 4.0 Framework, but be aware, if you are using 3.5 or older, you may run into this problem.</p></span>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com5tag:blogger.com,1999:blog-3265068911303773094.post-45340980010966461192009-04-19T16:31:00.001-07:002009-04-19T16:34:02.183-07:00Cannot connect to MMS WMI Service<span xmlns=''><p>Having trouble with the WMI service for MIIS/ILM? Try running the following commands at a command prompt:<br /></p><ol><li>regsvr32 "C:\Program Files\Microsoft Identity Integration Server\Bin\mmswmi.dll"<br /></li><li>mofcomp -N:root\MicrosoftIdentityIntegrationServer "C:\Program Files\Microsoft Identity Integration Server\Bin\mmswmi.mof"<br /></li></ol><p>This will re-register the libraries with the OS. Give the WMI call another try, if you continue to have problems with an Access Denied error…<br /></p><ol><li>Open the Component Services Console in the Administrative Tools Folder. <br /></li><li>Navigate to Console Root, Computers, My Computer, DCOM Config and then Microsoft Metadirectory Services. <br /></li><li>Right click on the application entry and select Properties. <br /></li><li>Go to the security tab and alter any security necessary. <br /></li><li>Click OK on the Application Properties page and close out the Component Services and Computer Management Consoles. </li></ol></span>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-88861195109163419792009-04-05T13:54:00.001-07:002009-04-11T10:47:50.595-07:00A Small MIIStake<span xmlns=''><p>Okay, so to be fair the issue is actually with ILM (Version 3.3.118.0). In the previous version, MIIS 3.2.559.0, I would frequently run MAs from the Operations tab, like so... From the Operations tab, right click on the MA run of interest, and select the Run… option:<br /></p><p><center><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOzb2L53X6AWJLIsWJabTrFN6WolUBY5xbtCzZTxtG7zn2NnBtIPEzdD_TptTFBD11kMOp4fHyk_DKfyVErQvOomXCdjTOi2xUGKsvHNjNzGIA83x_5PDQT7U3IdNIcsRF7xI-v-fS0x9e/s1600-h/MIIS+Run+From+Operations+-+Step+1.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 294px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOzb2L53X6AWJLIsWJabTrFN6WolUBY5xbtCzZTxtG7zn2NnBtIPEzdD_TptTFBD11kMOp4fHyk_DKfyVErQvOomXCdjTOi2xUGKsvHNjNzGIA83x_5PDQT7U3IdNIcsRF7xI-v-fS0x9e/s400/MIIS+Run+From+Operations+-+Step+1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5323489023355394322" /></a></center><br /></p><p>The resulting Run Management Agent window would then pre-populate the Management agent drop-down box and the Run profile list box with the same values as the original operation selected. Simply click OK and the selected run would be restarted (which makes it really easy to re-run a particular profile):<br /></p><p><center><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3err-EnuBWtH5-WkTZ1SaBUJ80LxlEZtY0MaBRXA7LGwvgu54GAfQmqELJn2UM7xhRb0H4bQP-kovnpNg4G4N0TYwFHrXVYdwfE69ELKUev0FwDKA7zwZTea966foupMK0yN0Aq-oTJtD/s1600-h/MIIS+Run+From+Operations+-+Step+2_1.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 295px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3err-EnuBWtH5-WkTZ1SaBUJ80LxlEZtY0MaBRXA7LGwvgu54GAfQmqELJn2UM7xhRb0H4bQP-kovnpNg4G4N0TYwFHrXVYdwfE69ELKUev0FwDKA7zwZTea966foupMK0yN0Aq-oTJtD/s400/MIIS+Run+From+Operations+-+Step+2_1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5323491055336450050" /></a></center><br /></p><p>Now if you attempt to do follow this same procedure in ILM…<br /></p><p><center><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqIAQk9TWHlUP7jA-cPsmsRo8HYPRnSYVC_9rmcZ57u48RpTSUOQTDSkdAiJbAC47sCAVjckLcqHWYwZqk5kPrVeD6GkmLheDDO1cAoBo-DocpWCxeMHLj-d9EINmnciulFu-b4wDthsC2/s1600-h/MIIS+Run+From+Operations+-+Step+1_2.JPG"><img style="cursor:pointer; cursor:hand;width: 400px; height: 306px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqIAQk9TWHlUP7jA-cPsmsRo8HYPRnSYVC_9rmcZ57u48RpTSUOQTDSkdAiJbAC47sCAVjckLcqHWYwZqk5kPrVeD6GkmLheDDO1cAoBo-DocpWCxeMHLj-d9EINmnciulFu-b4wDthsC2/s400/MIIS+Run+From+Operations+-+Step+1_2.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5323490504962792466" /></a></center><br /></p><p>The drop down menu is not automatically set to the MA selected. If you are used to being able to simply click the OK button from this dialog, you may inadvertently run the wrong MA. In fact you can see where I ran an ADAM MA by accident in the middle of the test MA series of runs:<br /></p><p><center><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSLI1vVb645dQunfSFXMAO4THsaTvvUBjYfyz2fGcbhM3mrW5PuX703cFft0z0mqiCNOqfO3Xr-xUiA0tRge3EkKLgM1yzlcO_FzkBrZdkK9kJ2OSQ_Gj-fgYfZrrD75nLfQUttEktxOgu/s1600-h/MIIS+Run+From+Operations+-+Step+2.JPG"><img style="cursor:pointer; cursor:hand;width: 400px; height: 307px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSLI1vVb645dQunfSFXMAO4THsaTvvUBjYfyz2fGcbhM3mrW5PuX703cFft0z0mqiCNOqfO3Xr-xUiA0tRge3EkKLgM1yzlcO_FzkBrZdkK9kJ2OSQ_Gj-fgYfZrrD75nLfQUttEktxOgu/s400/MIIS+Run+From+Operations+-+Step+2.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5323489135480770914" /></a></center><br /></p><p>So the bad news, for those of you using the current version of ILM, get use to using the drop-down menu to select the MA you want to run. The good news… this is a planned fix in a future hotfix! Not sure which one, or when. Anyone out there know?</p></span>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0tag:blogger.com,1999:blog-3265068911303773094.post-64133973545918108492009-03-27T20:56:00.001-07:002011-04-22T20:47:05.634-07:00.NET Google SSO Part 1 of 2<span xmlns=''><p>Creating an SSO for Google can be a bit of a challenge. There are quite a few good examples for doing this in Java, but not as many for .NET. Here is my attempt to resolve that issue. This article will be broken up into two parts, the first of these is handling the authentication request from Google, the second of these will illustrate the response generation.<br />
</p><p>Let's start by getting a good overview of the design. The entire process will begin when the end-user tries to access their Google Account. If the <a href='http://www.google.com/a/'>Google Apps</a> service has been configured to use SSO, Google will generate an Authentication Request and send it on for you to handle in your SSO. It is then up to you to perform user authentication and generate a signed Authentication Response to send back to Google. <br />
</p><p style='text-align: center'><a href='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPyO-IVSm1Y5Ke9abCtvP4Kjwq1YvQ1ZnsbB_M-aVWgMcA5ND6S4gmbllewT-uMYtFnhlxhYFKKQDUEyRpcwRmoK3tVOsN8ETFzkMCsT0t2RI5txf0cgbRyXLmtMNi5NzsAPvYOJPJm2RQ/s1600-h/SSOProcess.jpg'><img border='0' alt='' src='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPyO-IVSm1Y5Ke9abCtvP4Kjwq1YvQ1ZnsbB_M-aVWgMcA5ND6S4gmbllewT-uMYtFnhlxhYFKKQDUEyRpcwRmoK3tVOsN8ETFzkMCsT0t2RI5txf0cgbRyXLmtMNi5NzsAPvYOJPJm2RQ/s400/SSOProcess.jpg'/></a><br />
</p><p><br />
</p><p>Okay, now the details. When you receive an AuthenticationRequest from Google, it will make an http request to the URL you have specified in your Google Apps account with two additional query string parameters: SAMLRequest and RelayState. The SAMLRequest will look like a series of random letters and numbers that is in actuality a base64 encoded string containing the AuthnRequest. RelayState is the <a href='http://www.rfc-editor.org/rfc/rfc1738.txt'>RFC 1783</a> encoded URL that the user is ultimately trying to get to, in this case probably their Google email account. So this would look something like:<br />
</p><p style='margin-left: 36pt'>http://www.yourCompany.com/pathToPage/yourSSOPage.aspx?SAMLRequest=eJxdkN1uwjAMRl8lyn1%2f6NCEIgpim7YhsQlB2cXuQuK2KW2cxSni8Sk%2fk6bd2v7s4zOdn7qWHcGTQZvzUZxyBlahNrbK%2ba54jSZ8PpuS7FonFn2o7QZ%2beqDAhpwlcW3kvPdWoCRDwsoOSAQltouPlcjiVDiPARW2nC1fcl6rpqnLWtkDqIPU7tA4BftS1pVrGq1LpVF1pQbOvn6hsgvUkqiHpaUgbRhKaTqJRmmUTYrRo3jIxHj8zdn6funJ2Bv%2fP6z4L9b%2bNkTivSjW0Qa08aDCdcnRaPCfQyLnFWLVQqyw42xBBD4MSM9oqe%2fAb8EfjYLdZjX8FYITSdKikm2NFJK3a7IYVCUXb3dtsSR34iyZnQGwVYL1&RelayState=http%3a%2f%2fmail.google.com%2fa%2fyourCompany.com<br />
</p><p>Before we go much further, let's talk about the AuthnRequest. The AuthnRequest is an XML document that has the following format:<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee'><colgroup><col style='width:1056px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><?xml version="1.0" encoding="UTF-8" ?><br />
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>ID="<span style='color:#c00000'>AUTHN_ID</span>" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>Version="2.0" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>IssueInstant="<span style='color:#c00000'>ISSUE_INSTANT</span>"<br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>ProtocolBinding="urn:oasis:names.tc:SAML:2.0:bindings:HTTP-Redirect" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>ProviderName="<span style='color:#c00000'>PROVIDER_NAME</span>" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>AssertionConsumerServiceURL="<span style='color:#c00000'>ACS_URL</span>" /></p></td></tr>
</tbody></table></div><p>Where the items in red will be replace with actual values by Google at the time of generation. Here are some specs for those items:<br />
</p><div><table border='0' style='border-collapse:collapse'><colgroup><col style='width:118px'/><col style='width:557px'/><col style='width:366px'/></colgroup><tbody valign='top'>
<tr style='background: #4f81bd'><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid white 1.0pt; border-left: solid white 1.0pt; border-bottom: solid white 3.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='color:white; font-family:Courier New; font-size:12pt'><strong>Attribute</strong></span></p></td><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid white 1.0pt; border-left: none; border-bottom: solid white 3.0pt; border-right: solid white 1.0pt' vAlign='middle' colspan='2'><p><span style='font-family:Courier New; font-size:12pt'><span style='color:white'><strong>Description</strong></span> </span></p></td><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid white 1.0pt; border-left: none; border-bottom: solid white 3.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:12pt'><span style='color:white'><strong>Examples</strong></span> </span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 0.75pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Courier New; font-size:10pt'>AUTHN_ID</span></p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle' colspan='2'><p><span style='font-family:Courier New; font-size:10pt'>A 160-bit string made up of randomly generated lower case alpha characters from a through p</span></p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='color:black; font-family:Courier New; font-size:10pt'>dfpccklacbmnmioodokleambcplpmfghahihdmna</span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 1.0pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Courier New; font-size:10pt'>ISSUE_INSTANT</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 0.75pt' vAlign='middle' colspan='2'><p><span style='font-family:Courier New; font-size:10pt'>Should be the current date and time in the format: <br />
yyyy-mm-ddThh:mm:ssZ</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: none; border-bottom: solid white 0.75pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:10pt'>2000-01-01T23:01:01Z<br />
2008-10-02T05:55:23Z </span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 0.75pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Courier New; font-size:10pt'>PROVIDER_NAME</span></p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle' colspan='2'><p><span style='font-family:Courier New; font-size:10pt'>This is the domain name of the calling application</span></p></td><td style='background: #a7bfde; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:10pt'>google.com </span></p></td></tr>
<tr><td style='background: #4f81bd; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: solid white 1.0pt; border-bottom: solid white 1.0pt; border-right: solid white 3.0pt' vAlign='middle'><p><span style='color:white; font-family:Courier New; font-size:10pt'>ACS_URL</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 0.75pt' vAlign='middle' colspan='2'><p><span style='font-family:Courier New; font-size:10pt'>The URL to send the authentication result to</span></p></td><td style='background: #d3dfee; padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: none; border-left: none; border-bottom: solid white 1.0pt; border-right: solid white 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:10pt'>https://www.google.com/a/yourCompany.com/acs</span></p></td></tr>
</tbody></table></div><p>Your first task will be determining the values of the two query parameters mentioned above and decoding them. In order to perform some of the decoding you will need to use a compression utility, I use a nice open source one available from ic#code at <a href='http://www.icsharpcode.net/OpenSource/SharpZipLib/'>http://www.icsharpcode.net/OpenSource/SharpZipLib/</a>. <br />
</p><p>So let's begin! Start a new web project and then make sure you add the following references: ICSharpCode.SharpZipLib and System.Security. Edit the default.aspx page, adding the following using statements…<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee'><colgroup><col style='width:1056px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System;<br />
<span style='color:blue'>using</span> System.Collections;<br />
<span style='color:blue'>using</span> System.ComponentModel;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Data;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Drawing;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Web;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Web.SessionState;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Web.UI;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Web.UI.WebControls;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Web.UI.HtmlControls;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Xml;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Text;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.IO;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> ICSharpCode.SharpZipLib.Zip;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> ICSharpCode.SharpZipLib.Zip.Compression;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> ICSharpCode.SharpZipLib.Zip.Compression.Streams;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Security;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Security.Cryptography;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Security.Cryptography.Xml;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.DirectoryServices;</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Security.Permissions; </span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>using</span> System.Security.Cryptography.X509Certificates;</span></p></td></tr>
</tbody></table></div><p>Next, are the basic steps we need to take to decode the AuthnRequest:<br />
</p><ol><li>Retrieve data from the query string<br />
</li>
<li>Decode the base64 string to a byte array<br />
</li>
<li>Decompress (inflate) the array<br />
</li>
<li>UTF8 Encode the array back into a string<br />
</li>
</ol><p>So here's what the code looks like to do all of that, however, you will first need to add a label to your form called lblError to communicate any issues back to the user:<br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee'><colgroup><col style='width:1056px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='color:gray; font-family:Courier New; font-size:10pt'>///<summary></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>Converts the SAMLRequest query string parameter back to </span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:gray'>/// </span><span style='color:green'>its native, user readable XML format</span></span><br />
<span style='color:gray; font-family:Courier New; font-size:10pt'>///</summary></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'>private string</span> decodeAuthnRequestXML()</span><br />
<span style='font-family:Courier New; font-size:10pt'>{</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>try</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='color:green; font-family:Courier New; font-size:10pt'> // Get the SAMLRequest parameter</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'> string</span> encodedRequestXmlString = Request.Params[<span style='color:maroon'>"SAMLRequest"</span>];</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:blue'> if</span> (encodedRequestXmlString != <span style='color:blue'>null</span> && encodedRequestXmlString != <span style='color:maroon'>""</span>) </span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Base64 decode it</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>byte</span>[] base64DecodedByteArray = <span style='color:teal'>Convert</span>.FromBase64String(encodedRequestXmlString);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// Uncompress the AuthnRequest data</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// First attempt to unzip the byte array according </span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:green'> </span> <span style='color:green'>// to DEFLATE (rfc 1951)</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>try</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> { <br />
</span><br />
<span style='font-family:Courier New; font-size:10pt'> Inflater inflater = <span style='color:blue'>new</span> Inflater(<span style='color:blue'>true</span>);</span><br />
<span style='font-family:Courier New; font-size:10pt'> inflater.SetInput(base64DecodedByteArray);</span><br />
<span style='font-family:Courier New; font-size:10pt'> </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// since we are decompressing, we dont </span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:green'> </span> <span style='color:green'> // know how much space we might need</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// hopefully this number is suitably big</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>byte</span>[] xmlMessageBytes = <span style='color:blue'>new byte</span>[2048];</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>int</span> resultLength = inflater.Inflate(xmlMessageBytes); </span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>if</span> (!inflater.IsFinished) </span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> lblError.Text = <span style='color:maroon'>"Error decoding AuthnRequest: " </span>+</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:maroon'> </span> <span style='color:maroon'> "Decompression data overflow"</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return null</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'> // UTF8 encode the result and return it</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:teal'>UTF8Encoding</span> utf8 = <span style='color:blue'>new </span><span style='color:teal'>UTF8Encoding</span>();</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return</span> utf8.GetString(xmlMessageBytes, 0, resultLength);</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> } </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>catch</span> (<span style='color:teal'>Exception</span> e) </span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'>// if DEFLATE fails, then attempt to unzip </span></span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:green'> </span> <span style='color:green'> // the byte array according to zlib (rfc 1950) </span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:teal'>MemoryStream</span> msIn = <span style='color:blue'>new </span><span style='color:teal'>MemoryStream</span>(base64DecodedByteArray);</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:teal'>MemoryStream</span> msOut = <span style='color:blue'>new </span><span style='color:teal'>MemoryStream</span>();</span><br />
<span style='font-family:Courier New; font-size:10pt'> InflaterInputStream iis = <span style='color:blue'>new</span> InflaterInputStream(msIn);</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>byte</span>[] buf = <span style='color:blue'>new byte</span>[2048];</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>int</span> count = iis.Read(buf, 0, buf.Length);</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>while</span> (count != 0) </span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> msOut.Write(buf, 0, count);</span><br />
<span style='font-family:Courier New; font-size:10pt'> count = iis.Read(buf, 0, buf.Length);</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'> </span><br />
<span style='font-family:Courier New; font-size:10pt'> iis.Close();</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>byte</span>[] retVal = <span style='color:blue'>new byte</span>[msOut.Length];</span><br />
<span style='font-family:Courier New; font-size:10pt'> msOut.Position = 0;</span><br />
<span style='font-family:Courier New; font-size:10pt'> msOut.Read(retVal, 0, (<span style='color:blue'>int</span>) msOut.Length); </span><br />
<br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:green'> // UTF8 encode the result and return it</span></span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return</span> utf8.GetString(retVal);<br />
</span><br />
<span style='font-family:Courier New; font-size:10pt'> } </span><br />
<span style='font-family:Courier New; font-size:10pt'> } <br />
<span style='color:blue'> else</span><br />
<span style='color:blue'> </span>{<br />
<span style='color:blue'> </span>lblError.Text = <span style='color:maroon'>"Error decoding AuthnRequest: " </span>+</span><br />
<span style='font-family:Courier New; font-size:10pt'><span style='color:maroon'> </span> <span style='color:maroon'> "Unable to read SAMLRequest"</span>;</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>return null</span>;<br />
<span style='color:blue'> </span>}</span><br />
<span style='font-family:Courier New; font-size:10pt'> } </span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>catch</span> (<span style='color:teal'>Exception</span> e) </span><br />
<span style='font-family:Courier New; font-size:10pt'> {</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:blue'>throw new </span><span style='color:teal'>Exception</span>(<span style='color:maroon'>"Error decoding AuthnRequest: "</span> +</span><br />
<span style='font-family:Courier New; font-size:10pt'> <span style='color:maroon'>"Check decoding scheme - "</span> + e.Message);</span><br />
<span style='font-family:Courier New; font-size:10pt'> }</span><br />
<span style='font-family:Courier New; font-size:10pt'>}</span></p></td></tr>
</tbody></table></div><p>This code can be called from the Page_Load method to validate the request before prompting the user for their credentials. Be sure to check the Page.IsPostBack property to only call decodeAuthnRequestXML function on the initial page load. <br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee'><colgroup><col style='width:1056px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><span style='font-family:Courier New; font-size:10pt'><span style='color:green'>// Class level vars</span><br />
<span style='color:blue'>string</span> requestXmlString = null;<br />
<br />
<span style='color:gray'>///<summary></span><br />
<span style='color:gray'>/// </span><span style='color:green'>Handles the page onload event</span><br />
<span style='color:gray'>/// </span><span style='color:green'>Begins Authentication Request decoding</span><br />
<span style='color:gray'>///</summary></span><br />
<span style='color:blue'>private void</span> Page_Load()<br />
{<br />
<span style='color:blue'>if</span> (!IsPostBack)<br />
{<br />
<span style='color:green'>// Validate initially to force asterisks<br />
</span> <span style='color:green'>// to appear before the first roundtrip.</span><br />
requestXmlString = decodeAuthnRequestXML();<br />
}<br />
}</span></p></td></tr>
</tbody></table></div><p>The string you get back from the decodeAuthnRequestXML function should be user readable XML with the AuthnRequest format mentioned above. It should look something like: <br />
</p><div><table border='0' style='border-collapse:collapse; background: #d3dfee'><colgroup><col style='width:1056px'/></colgroup><tbody valign='top'>
<tr><td style='padding-top: 1px; padding-left: 7px; padding-bottom: 1px; padding-right: 7px; border-top: solid #7ba0cd 1.0pt; border-left: solid #7ba0cd 1.0pt; border-bottom: solid #7ba0cd 1.0pt; border-right: solid #7ba0cd 1.0pt' vAlign='middle'><p><?xml version="1.0" encoding="UTF-8" ?><br />
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>ID="hcjjhfhcnkeckadpkjpcebfahgpjjddfcdocmfde" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>Version="2.0" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>IssueInstant="2009-03-26T16:32:44Z"<br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>ProtocolBinding="urn:oasis:names.tc:SAML:2.0:bindings:HTTP-Redirect" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>ProviderName="google.com" <br />
<span style='font-family:Courier New; font-size:10pt'><strong> </strong></span>AssertionConsumerServiceURL="https://www.google.com/a/yourcompany.com/acs" /></p></td></tr>
</tbody></table></div><p>Once you have that, you can parse the XMLDocument and begin building your response. Look for <a href='http://www.apollojack.com/2009/03/net-google-sso-part-2-of-2.html'>Part 2</a> of the SSO series to demonstrate the building of the AuthnResponse.</p></span>Rebecca Crofthttp://www.blogger.com/profile/06968410533499869665noreply@blogger.com0