Access Control Service: Home Realm Discovery (HRD) Gotcha

Posted by Your DisplayName here! on Least Privilege See other posts from Least Privilege or by Your DisplayName here!
Published on Tue, 24 May 2011 18:58:59 GMT Indexed on 2011/06/20 16:38 UTC
Read the original article Hit count: 284

Filed under:

Azure

|

IdentityModel

I really like ACS2. One feature that is very useful is home realm discovery. ACS provides a Nascar style list as well as discovery based on email addresses. You can take control of the home realm selection process yourself by downloading the JSON feed or by manually setting the home realm parameter.

Plenty of options – the only option missing is turning it off…

In other words, when you setup your ACS namespace and realm and register identity provider, there is no way to keep the list of identity providers secret. An interested “user” can always retrieve all registered identity provider (using the browser or download the JSON feed).

This may not be an issue with web identity providers, but when you use ACS to federate with customers or business partners, you maybe don’t want to disclose that list to the public (or to other customers). This is an adoption blocker for certain situations.

I hope this feature will be added soon.

In addition I would also like to see a feature I call “home realm aliases”. Some random string that I can use as a whr parameter instead of using the real issuer URI.

© Least Privilege or respective owner

Related posts about Azure

Azure Mobile Services: what files does it consist of?

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Azure Mobile Services is a platform that provides a small set of functionality consisting of authentication, custom data tables, custom API’s, scheduling scripts and push notifications to be used as the back-end of a mobile application or if you want, any application or web site. As described in my… >>> More
Windows Azure: Backup Services Release, Hyper-V Recovery Manager, VM Enhancements, Enhanced Enterprise Management Support

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
This morning we released a huge set of updates to Windows Azure. These new capabilities include: Backup Services: General Availability of Windows Azure Backup Services Hyper-V Recovery Manager: Public preview of Windows Azure Hyper-V Recovery Manager Virtual Machines: Delete Attached… >>> More
Azure - Part 4 - Table Storage Service in Windows Azure

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
In Windows Azure platform there are 3 storage we can use to save our data on the cloud. They are the Table, Blob and Queue. Before the Chinese New Year Microsoft announced that Azure SDK 1.1 had been released and it supports a new type of storage – Drive, which allows us to operate NTFS files on the… >>> More
Azure - Unable To Get SQL Azure Invitation Code!

as seen on Stack Overflow - Search for 'Stack Overflow'
Scenario I'm trying to convert my Silverlight Business Application over to the cloud with the help of Azure. I have been following this link from Brad Abrams blog. Both the links to Windows Azure and SQL Azure crash out in Google Chrome, they work in Internet Explorer, but it's literally one of… >>> More
PowerShell Script to Deploy Multiple VM on Azure in Parallel #azure #powershell

as seen on SQL Blog - Search for 'SQL Blog'
This blog is usually dedicated to Business Intelligence and SQL Server, but I didn’t found easily on the web simple PowerShell scripts to help me deploying a number of virtual machines on Azure that I use for testing and development. Since I need to deploy, start, stop and remove many virtual machines… >>> More

Related posts about IdentityModel

Identity Claims Encoding for SharePoint

as seen on Geeks with Blogs - Search for 'Geeks with Blogs'
Just to remind myself, the list of claim types and their encodings are listed here at the bottom. http://msdn.microsoft.com/en-us/library/gg481769.aspx Where for example: i:0#.w|contoso\scicoria ‘i’ = identity, could be ‘c’ for others # == SPClaimTypes.UserLogonName . == Microsoft.IdentityModel… >>> More
Thinktecture.IdentityModel: WIF Support for WCF REST Services and OData

as seen on Least Privilege - Search for 'Least Privilege'
The latest drop of Thinktecture.IdentityModel includes plumbing and support for WIF, claims and tokens for WCF REST services and Data Services (aka OData). Cibrax has an alternative implementation that uses the WCF Rest Starter Kit. His recent post reminded me that I should finally “document” that… >>> More
Thinktecture.IdentityModel: Comparing Strings without leaking Timinig Information

as seen on Least Privilege - Search for 'Least Privilege'
Paul Hill commented on a recent post where I was comparing HMACSHA256 signatures. In a nutshell his complaint was that I am leaking timing information while doing so – or in other words, my code returned faster with wrong (or partially wrong) signatures than with the correct signature. This can… >>> More
Thinktecture.IdentityModel: WRAP and SWT Support

as seen on Least Privilege - Search for 'Least Privilege'
The latest drop of Thinktecture.IdentityModel contains some helpers for the Web Resource Authorization Protocol (WRAP) and Simple Web Tokens (SWT). WRAP The WrapClient class is a helper to request SWT tokens via WRAP. It supports issuer/key, SWT and SAML input credentials, e.g.: var… >>> More
Azure - Microsoft.IdentityModel not found

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi There, I'm working with a WCF service in Azure, which uses Windows Live ID authentication with the recent deviceid requirements. When I host my WCF service locally in the compute emulator, it works properly, but when I deploy the cloud service to Azure and call it the same way (from another project… >>> More