Using a CNG-backed key as service account key in JavaOne of the best ways to store a service account key on Windows is to use a CryptoNG key storage provider. That even works with Java. Continue »
Using domain-wide-delegation on Google Cloud without service account keysSome Google Cloud APIs don’t support service accounts and require us to use domain-wide delegation. But using domain-wide delegation doesn’t mean we have to use service account keys. Continue »
Using ECDSA keys for SSH public key authentication in IAP Desktop 2.23By default, IAP Desktop uses the rsa-ssh public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA.
Continue »
Using Identity-Aware-Proxy and JAX-RS to authenticate usersBy deploying a web application behind Identity-Aware-Proxy, we can ensure that an application only receives requests that are authenticated and satisfy the context-aware access rules we’ve configured. But there are still a few things that the web application needs to do itself. Continue »
Exporting RSA public keys in .NET and .NET Framework.NET and .NET Framework don’t provide any methods to export RSA public keys in PEM format. But with some extension methods and a little help from CryptoAPI, we can fill that gap. Continue »
Importing RSA public keys in downlevel .NET and .NET Framework versionsIn .NET 5 and 6, we can use RSA.ImportFromPem to import a PEM-formatted RSA public key. Older .NET Core versions and .NET Framework don’t offer that functionality – but with a little help from CryptoAPI, we can fill that gap. Continue »
Best practices for using workload identity federationWorkload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. That’s a useful and powerful feature, but there are some things to watch out for. Continue »
Encoding public keys in PEM formatStoring or exchanging public keys is one of the most common uses for the PEM format. But there is more than one way to encode a public key. Continue »
What's inside a PEM fileOne of the more confusing aspects of dealing with public key cryptography is that there are so many different file formats. Let’s take a closer look at the most common one, PEM. Continue »
Using a Google Cloud service account to authenticate to AD FSBy using certificate-based authentication, we can let a Google Cloud service account authenticate to AD FS without having to manage any client secrets. Continue »
Using a Google Cloud service account to authenticate to KeyCloakA common way to let an application authenticate to KeyCloak is to use a client ID and secret. But when the application runs on Google Cloud, we can do better. Continue »
Obtaining a SAML 2.0 assertion from AD FS by using WS-Trust and Integrated Windows AuthenticationUsing Integrated Windows Authentication (IWA) to authenticate to AD FS not only works for OAuth. We can also use IWA to get SAML 2.0 assertions. Continue »
Obtaining AD FS access tokens using the client credentials grant and Integrated Windows AuthenticationWhen an application needs to authenticate to AD FS, we don’t have to use a client secret. Instead, we can let the application use its existing Kerberos or NTLM credentials to authenticate. Continue »
Using a Google Cloud service account and AssumeRoleWithWebIdentity to authenticate to AWS in C#In the last post we looked at how to set up a trust policy and role in AWS so that we can use a Google ID token to authenticate to AWS. But how do we actually use this in C#? Continue »
Authenticating to AWS by using a Google Cloud service account and AssumeRoleWithWebIdentityBy using workload identity federation, we can let applications use AWS credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on AWS and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to AWS? Continue »
Best practices for using sole-tenant nodes to run VM workloads on Google CloudWindows Server licensing is tricky, particularly if yur goal is to run Windows Server in the cloud and use existing licenses for it. But if you’re using Google Cloud’s sole-tenant nodes, a new best practices article can offer some help. Continue »
Demystifying AutoSelectCertificateForUrls syntaxWhen a web server requires mutual TLS authentication, the default behavior of web browsers is to show a dialog that lets us choose which client certificate we’d like to use. Chrome lets us suppress these prompts by using the AutoSelectCertificateForUrls policy. But documentation is scarce. Continue »
Do browsers use client certificates to authenticate the user, the device, or both?Most browsers support client certificates for mutual TLS authentication. But what is really being authenticated here, the end user, their device, or both? Continue »
Deploying AD FS without domain admin privilegesBy default, installing AD FS requires domain admin access to Active Directory. But it’s possible to deploy AD FS in environments where we don’t have these privileges, like Google Cloud’s Managed Service for Microsoft Active Directory. Continue »
Authenticating to Google Cloud by using an AWS EC2 instance profile and workload identity federationWhen an application running on AWS needs access to Google APIs, we can use workload identity federation to let the application use its AWS credentials to authenticate to Google APIs. Unfortunately, the C# client library doesn’t support that yet, but we can fill that gap. Continue »