So I’ve just got back to my hotel from the final day of NDC Oslo 2016 and as you always end being after these things, I’m shattered. I came with the objective of finally getting some learning on ASP.NET Core (however much it may have pained me) and where better to do it at one of the biggest and most respected conferences going? Whilst I may have started off with ASP.NET Core in mind, I soon got distracted by the high quality security speakers and wide range of subjects.

I think the best write up I can give is to talk through the experience and then list the talks that I attended, making recommendations where possible about which speaker or talks you should keep an eye out for. Once the talks are uploaded to Vimeo, I can also directly link you to each one individually.

Basic Authentication is considered a bit of an anti-pattern these days, but it can still be useful in a pinch when you have limited options for integrating with APIs, third party applications or the dreaded legacy applications.

Basic Authentication should never be a recommended solution, however I have met many clients who are still running services that use it and third party applications who only support basic authentication. Some security is better than none, right? I guess that's debatable.

If you want a modern identity solution, check out Identity Server. Identity Server is a one time configuration that will allow you to create your own OAuth, OpenID Connect or WS-Federation Authentication Server (aka Identity Provider, Security Token Service, etc), that can reliably service all of your applications.

This article will cover the theory behind basic authentication, including why we shouldn't really be using it, and then look at how we can integrate it into our OWIN pipeline.

When using the WS-Federation protocol, you usually (or at least should) use certificates to sign your token, allowing the receiver to verify the contents have not been altered in transit, and for Transport Layer Security (TLS, think SSL) in order to provide privacy for network communications.

What is less common but also useful is SAML assertion encryption.This token encryption is useful when your SAML token includes claims/assertions that contain private data which might be held for a long period of time or passed around through untrusted intermediaries.

This certificate has its public key held by the Security Token Service (STS) in order to encrypt the token, and its private key held by the Relying Party in order to decrypt it.

This process is relatively well documented if you are dealing with Windows Identity Foundation (WIF) 1.0 and slightly less so with WIF 4.5, however there are currently little to no resources on how to achieve this with the latest OWIN/Katana components.

Introduction

Identity Manager is the spiritual successor to the ASP.NET Web Site Administration Tool that used to be available with Visual Studio, providing a simple UI for performing CRUD operations to manage your user store.

IdentityManager is a tool for developers and/or administrators to manage the identity information for users of their applications. This includes creating users, editing user information (passwords, email, claims, etc.) and deleting users. It provides a modern replacement for the ASP.NET WebSite Administration tool that used to be built into Visual Studio. - https://github.com/IdentityManager/IdentityManager

Created by Brock Allen, of Identity Server and Identity Model fame, Identity Manager uses a RESTful API that abstracts the underlying Identity database, exposing metadata and functionality that powers a browser-based UI or used programmatically within your software...

Recently I had some issues with running a local IIS server/website on my local development machine. The solution was fairly well documented, but the surprising culprit and the fact that it had never happened to me before, despite it being a replicable process, made it worthwhile documenting.

Problem

Upon trying to start manually start the IIS website the following error message popped up...