{"id":2003,"date":"2013-03-25T09:44:18","date_gmt":"2013-03-25T18:44:18","guid":{"rendered":"http:\/\/www.cloudidentity.com\/blog\/?p=2003"},"modified":"2013-03-25T17:00:19","modified_gmt":"2013-03-26T02:00:19","slug":"a-refresh-of-the-identity-and-access-tool-for-vs-2012","status":"publish","type":"post","link":"https:\/\/www.cloudidentity.com\/blog\/2013\/03\/25\/a-refresh-of-the-identity-and-access-tool-for-vs-2012\/","title":{"rendered":"A Refresh of the Identity and Access Tool for VS 2012"},"content":{"rendered":"<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/03\/image41.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/03\/image_thumb42.png\" width=\"640\" height=\"444\"><\/a><\/p>\n<p>Today we released a refresh of the Identity and Access Tool for Visual Studio 2012.<br \/>We moved the current release # from 1.0.2 to 1.1.0.<br \/>VS should let you know that there\u2019s a new version&nbsp; waiting for you, but if you\u2019re in a hurry you can go <a href=\"http:\/\/visualstudiogallery.msdn.microsoft.com\/e21bf653-dfe1-4d81-b3d3-795cb104066e\">here<\/a> and get it right away.<\/p>\n<p>We didn\u2019t add any new features: this is largely a service release, with lots of bug fixes.<\/p>\n<p>There is an exception to that, though. We changed the way in which we handle issuer validation of incoming tokens. We now use the <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/02\/08\/multitenant-sts-and-token-validation-4\/\">ValidatingIssuerNameRegistry<\/a> by default; however we also added in the UI the necessary knobs for you to opt out and fall back on the old ConfigBasedIssuerNameRegistry, should you need to. Details below.<\/p>\n<h2>The New Issuer Validation Strategy<\/h2>\n<p>Traditionally, WIF tools (from fedutil.exe in .NET 3.5 and 4.0 to the Identity and Access Tools in .NET 4.5) used the ConfigBasedIssuerNameRegistry class to capture the coordinates (issuer name and signing verification key) of trusted issuers. In config it would look as something like the following:<\/p>\n<pre class=\"csharpcode\"><span class=\"kwrd\">&lt;<\/span><span class=\"html\">issuerNameRegistry<\/span> <span class=\"attr\">type<\/span><span class=\"kwrd\">=\"System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, <\/span><\/pre>\n<pre class=\"csharpcode\"><span class=\"kwrd\">    System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"<\/span><span class=\"kwrd\">&gt;<\/span>\n  <span class=\"kwrd\">&lt;<\/span><span class=\"html\">trustedIssuers<\/span><span class=\"kwrd\">&gt;<\/span>\n     <span class=\"kwrd\">&lt;<\/span><span class=\"html\">add<\/span> <span class=\"attr\">thumbprint<\/span><span class=\"kwrd\">=\"9B74CB2F320F7AAFC156E1252270B1DC01EF40D0\"<\/span> <span class=\"attr\">name<\/span><span class=\"kwrd\">=\"LocalSTS\"<\/span> <span class=\"kwrd\">\/&gt;<\/span>\n  <span class=\"kwrd\">&lt;\/<\/span><span class=\"html\">trustedIssuers<\/span><span class=\"kwrd\">&gt;<\/span>\n<span class=\"kwrd\">&lt;\/<\/span><span class=\"html\">issuerNameRegistry<\/span><span class=\"kwrd\">&gt;<\/span><\/pre>\n<p>&nbsp;<\/p>\n<style type=\"text\/css\">.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n<\/style>\n<p>Its semantic is straightforward: if an incoming token is signed with the key corresponding to that thumbprint, accept it (provided that all other checks pass as well!) and use the value in \u201cname\u201d for the \u201cIssuer\u201d property of the resulting claims.<\/p>\n<p>That worked out great for the first generation of identity providers, but as the expressive power of issuers grew (multiple keys, multiple tenants as issuers leveraging the same issuing endpoint and crypto infrastructure) we felt we needed to provide a better issuer name registry canonical class, the <a href=\"https:\/\/www.cloudidentity.com\/blog\/2013\/02\/08\/multitenant-sts-and-token-validation-4\/\">ValidatingIssuerNameRegistry<\/a> (VINR for short).<\/p>\n<p>We already introduced VINR here, hence I won\u2019t repeat the details here. What\u2019s new is that the Identity and Access Tool now uses VINR by default.<br \/>If you run the tool against the project containing the settings above, afterwards your config will look like the following:<\/p>\n<pre class=\"csharpcode\"><span class=\"rem\">&lt;!--Commented by Identity and Access VS Package--&gt;<\/span>\n<span class=\"rem\">&lt;!--&lt;issuerNameRegistry type=\"System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, <\/span><\/pre>\n<pre class=\"csharpcode\"><span class=\"rem\">System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"&gt;<\/span><\/pre>\n<pre class=\"csharpcode\"><span class=\"rem\">&lt;trustedIssuers&gt;&lt;add thumbprint=\"9B74CB2F320F7AAFC156E1252270B1DC01EF40D0\" name=\"LocalSTS\" \/&gt;<\/span><\/pre>\n<pre class=\"csharpcode\"><span class=\"rem\">&lt;\/trustedIssuers&gt;&lt;\/issuerNameRegistry&gt;--&gt;<\/span>\n<span class=\"kwrd\">&lt;<\/span><span class=\"html\">issuerNameRegistry<\/span> <span class=\"attr\">type<\/span><span class=\"kwrd\">=\"System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, <\/span><\/pre>\n<pre class=\"csharpcode\"><span class=\"kwrd\">    System.IdentityModel.Tokens.ValidatingIssuerNameRegistry\"<\/span><span class=\"kwrd\">&gt;<\/span>\n <span class=\"kwrd\">&lt;<\/span><span class=\"html\">authority<\/span> <span class=\"attr\">name<\/span><span class=\"kwrd\">=\"LocalSTS\"<\/span><span class=\"kwrd\">&gt;<\/span>\n  <span class=\"kwrd\">&lt;<\/span><span class=\"html\">keys<\/span><span class=\"kwrd\">&gt;<\/span>\n    <span class=\"kwrd\">&lt;<\/span><span class=\"html\">add<\/span> <span class=\"attr\">thumbprint<\/span><span class=\"kwrd\">=\"9B74CB2F320F7AAFC156E1252270B1DC01EF40D0\"<\/span> <span class=\"kwrd\">\/&gt;<\/span>\n  <span class=\"kwrd\">&lt;\/<\/span><span class=\"html\">keys<\/span><span class=\"kwrd\">&gt;<\/span>\n  <span class=\"kwrd\">&lt;<\/span><span class=\"html\">validIssuers<\/span><span class=\"kwrd\">&gt;<\/span>\n    <span class=\"kwrd\">&lt;<\/span><span class=\"html\">add<\/span> <span class=\"attr\">name<\/span><span class=\"kwrd\">=\"LocalSTS\"<\/span> <span class=\"kwrd\">\/&gt;<\/span>\n  <span class=\"kwrd\">&lt;\/<\/span><span class=\"html\">validIssuers<\/span><span class=\"kwrd\">&gt;<\/span>\n <span class=\"kwrd\">&lt;\/<\/span><span class=\"html\">authority<\/span><span class=\"kwrd\">&gt;<\/span>\n<span class=\"kwrd\">&lt;\/<\/span><span class=\"html\">issuerNameRegistry<\/span><span class=\"kwrd\">&gt;<\/span><\/pre>\n<p>&nbsp;<\/p>\n<style type=\"text\/css\">.csharpcode, .csharpcode pre\n{\n\tfont-size: small;\n\tcolor: black;\n\tfont-family: consolas, \"Courier New\", courier, monospace;\n\tbackground-color: #ffffff;\n\t\/*white-space: pre;*\/\n}\n.csharpcode pre { margin: 0em; }\n.csharpcode .rem { color: #008000; }\n.csharpcode .kwrd { color: #0000ff; }\n.csharpcode .str { color: #006080; }\n.csharpcode .op { color: #0000c0; }\n.csharpcode .preproc { color: #cc6633; }\n.csharpcode .asp { background-color: #ffff00; }\n.csharpcode .html { color: #800000; }\n.csharpcode .attr { color: #ff0000; }\n.csharpcode .alt \n{\n\tbackground-color: #f4f4f4;\n\twidth: 100%;\n\tmargin: 0em;\n}\n.csharpcode .lnum { color: #606060; }\n<\/style>\n<p>Apart from the syntactic sugar, the important difference in semantics between the two is that whereas the ConfigBasedIssuerNameRegistry will just use \u201cLocalSTS\u201d as the Issuer property in the ClaimsIdentity representing the caller, regardless of what the issuer is in the incoming token,<font color=\"#ff0000\"> <strong><em>VINR will enforce that \u201cLocalSTS\u201d is actually the issuer name in the incoming token<\/em><\/strong><\/font>. If the issuer in the token is different from the value recorded, ConfigBasedIssuerNameRegistry&nbsp; will accept the token nonetheless: <strong><em><font color=\"#ff0000\">VINR will refuse it<\/font><\/em><\/strong>. The stricter validation rules are necessary when working with multitenant STSes, and are not a bad thing for traditional cases either (ADFS2.0 does this consistently).<\/p>\n<p>If for any reasons you rely on the ConfigBasedIssuerNameRegistry more relaxed validation criterion, I would suggest considering whether you can move to a stricter validation mode: but if you absolutely can\u2019t, the tool offers you a way out. In the config tab you will now find the following new checkbox:<\/p>\n<p><a href=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/03\/image40.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; border-right-width: 0px; margin: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px; padding-top: 0px\" title=\"image\" border=\"0\" alt=\"image\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/03\/image_thumb41.png\" width=\"604\" height=\"551\"><\/a><\/p>\n<p>If you want to go back to ConfigBasedIssuerNameRegistry, all you need to do is unchecking that box and hit OK.<\/p>\n<h2>Miscellanea<\/h2>\n<p>Here there are few of the most notable fixes we (well, \u201cwe\u201d\u2026 it actually was Brent <img decoding=\"async\" style=\"border-bottom-style: none; border-left-style: none; border-top-style: none; border-right-style: none\" class=\"wlEmoticon wlEmoticon-smile\" alt=\"Smile\" src=\"https:\/\/www.cloudidentity.com\/blog\/wp-content\/uploads\/2013\/03\/wlEmoticon-smile7.png\">) added in this refresh. The list is longer, here I am highlighting just the ones for which we received explicit feedback in the past.<\/p>\n<ul>\n<li>&lt;serviceModel&gt; bug. We had a bug for which the Tool would throw if a &lt;serviceModel&gt; element was present in the config; that behavior has been fixed\n<li>We weren\u2019t setting certificate validation mode to none for the Business STS providers, but we got feedback that self signed certificates are in common use and developers needed to turn off cert validation by hand; hence, we included all providers in the cert validation == none logic and added a comment in the config to clarify that this is for development purposes only.\n<li>Better support for ACS namespace keys. We did a flurry of improvements there (better cut &amp; paste support, comments, gracefully handling projects for which we don\u2019t have keys, etc)\n<li>More informative error messages <\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>That\u2019s it. We hope that the improvements in this refresh will help you with your apps: please keep the feedback coming!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today we released a refresh of the Identity and Access Tool for Visual Studio 2012.We moved the current release # from 1.0.2 to 1.1.0.VS should let you know that there\u2019s a new version&nbsp; waiting for you, but if you\u2019re in a hurry you can go here and get it right away. We didn\u2019t&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2001,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2003","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/comments?post=2003"}],"version-history":[{"count":2,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2003\/revisions"}],"predecessor-version":[{"id":2010,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/posts\/2003\/revisions\/2010"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media\/2001"}],"wp:attachment":[{"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/media?parent=2003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/categories?post=2003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudidentity.com\/blog\/wp-json\/wp\/v2\/tags?post=2003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}