Obtaining a SAML 2.0 assertion from AD FS by using WS-Trust and Integrated Windows AuthenticationUsing Integrated Windows Authentication (IWA) to authenticate to AD FS not only works for OAuth. We can also use IWA to get SAML 2.0 assertions. Continue »
Obtaining AD FS access tokens using the client credentials grant and Integrated Windows AuthenticationWhen an application needs to authenticate to AD FS, we don’t have to use a client secret. Instead, we can let the application use its existing Kerberos or NTLM credentials to authenticate. Continue »
Using a Google Cloud service account and AssumeRoleWithWebIdentity to authenticate to AWS in C#In the last post we looked at how to set up a trust policy and role in AWS so that we can use a Google ID token to authenticate to AWS. But how do we actually use this in C#? Continue »
Authenticating to AWS by using a Google Cloud service account and AssumeRoleWithWebIdentityBy using workload identity federation, we can let applications use AWS credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on AWS and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to AWS? Continue »
Best practices for using sole-tenant nodes to run VM workloads on Google CloudWindows Server licensing is tricky, particularly if yur goal is to run Windows Server in the cloud and use existing licenses for it. But if you’re using Google Cloud’s sole-tenant nodes, a new best practices article can offer some help. Continue »
Demystifying AutoSelectCertificateForUrls syntaxWhen a web server requires mutual TLS authentication, the default behavior of web browsers is to show a dialog that lets us choose which client certificate we’d like to use. Chrome lets us suppress these prompts by using the AutoSelectCertificateForUrls policy. But documentation is scarce. Continue »
Do browsers use client certificates to authenticate the user, the device, or both?Most browsers support client certificates for mutual TLS authentication. But what is really being authenticated here, the end user, their device, or both? Continue »
Deploying AD FS without domain admin privilegesBy default, installing AD FS requires domain admin access to Active Directory. But it’s possible to deploy AD FS in environments where we don’t have these privileges, like Google Cloud’s Managed Service for Microsoft Active Directory. Continue »
Authenticating to Google Cloud by using an AWS EC2 instance profile and workload identity federationWhen an application running on AWS needs access to Google APIs, we can use workload identity federation to let the application use its AWS credentials to authenticate to Google APIs. Unfortunately, the C# client library doesn’t support that yet, but we can fill that gap. Continue »
Creating AWS request signaturesInstead of using OAuth and access tokens, AWS uses request signatures to authenticate API requests. Typically, we can let libraries do the request signing for us – but sometimes we have to do it ourselves. Continue »
Authenticating to Azure by using Cloud KMS and client assertionsBy using workload identity federation, we can let applications use Azure credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on Azure and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to Azure APIs? Continue »
Authenticating to Google Cloud by using an Azure managed identity and workload identity federationWhen an application running on Azure needs access to Google APIs, we can use workload identity federation to let the application use its Azure credentials to authenticate to Google APIs. Unfortunately, the C# client library doesn’t support that yet, but we can fill that gap. Continue »
Performing per-user installations on Windows ServerInstead of performing machine-wide installations, some applications do per-user installations. That’s often convenient because we don’t need administrative privileges for such installations. But unfortunately, per-user installations typically don’t work on Windows Server. Continue »
Restricting which managed identities can access an Azure applicationOn Azure, we can use managed identities and AzureAD applications to authenticate service-to-service authentication. But how can we ensure that only certain managed identities can obtain access tokens for an application? Continue »
Keep your software packages smallIt wasn’t until 2004 that I got broadband internet at home. So I remember the times when downloading a new JDK (which was around 20 MB at the time) over my 56K modem line meant blocking my family’s phone line for 2 hours. Today, bandwidth doesn’t seem like a limiting factor anymore. But that doesn’t mean that download sizes for applications don’t matter. Continue »
Using registry-based group policies in applicationsGroup policies let you control and tweak thousands of Windows settings. But group policies aren’t limited to Windows or Microsoft applications. We can also use group policies to manage custom applications, either by registering a group policy extension for the app, or (more commonly) by using registry-based policies. Continue »
Managing IAP Desktop by using group policiesIAP Desktop 2.20 now lets you use group policies to ensure all users in your organization use consistent settings. Continue »
Playing certificate authority: Using Cloud KMS to sign certificate signing requestsLast time, we looked at how we can use a Cloud KMS asymmetric signing key to create a self-signed X.509 certificate. But we’re not limited to self-signed certificates. We can use Cloud KMS to sign other certificate signing requests too, just like a certificate authority (CA). Continue »
Using a Cloud KMS asymmetric signing key to create an X.509 certificateAfter you create an asymmetric signing key in Cloud KMS, you can download the key pair’s public key. The key is provided in PEM format – that’s pretty standard and all you need in many use cases. But especially when dealing with third party services, you sometimes need an X.509 certificate instead of a plain public key. Continue »
Best practices for managing service account keysService accounts play a key role in Google Cloud IAM, and there are multiple ways how service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully. Continue »