Previously, we explored two ways of authenticating to Google Cloud using Kerberos and NTLM credentials. Both ways involved authenticating to AD FS using Integrated Windows Authentication, and then using workload identity federation. But there’s a third way that we haven’t cover yet – and it involves using the SAML HTTP-POST binding.
Continue »
Privileged access is a term we commonly encounter in the realm of access management. The term seems pretty self-explanatory, but finding a good definition isn’t easy.
Continue »
When an application needs to access Google Cloud APIs, it needs credentials. On Google Cloud, we can attach a service account to the underlying compute resource to let the application obtain credentials. On AWS and Azure, we can achieve something to the same effect by using workload identity federation. But what about on-premises?
Continue »
Workload identity federation supports OpenID Connect, so it should be compatible with AD FS. But until recently, workload identity federation didn’t work with AD FS-issued access tokens – only ID tokens worked properly. What was the issue there?
Continue »
Some Google Cloud APIs don’t support service accounts and require us to use domain-wide delegation. But using domain-wide delegation doesn’t mean we have to use service account keys.
Continue »
By default, IAP Desktop uses the rsa-ssh public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA.
Continue »
.NET and .NET Framework don’t provide any methods to export RSA public keys in PEM format. But with some extension methods and a little help from CryptoAPI, we can fill that gap.
Continue »
In .NET 5 and 6, we can use RSA.ImportFromPem to import a PEM-formatted RSA public key. Older .NET Core versions and .NET Framework don’t offer that functionality – but with a little help from CryptoAPI, we can fill that gap.
Continue »
Workload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. That’s a useful and powerful feature, but there are some things to watch out for.
Continue »
One of the more confusing aspects of dealing with public key cryptography is that there are so many different file formats. Let’s take a closer look at the most common one, PEM.
Continue »
By using certificate-based authentication, we can let a Google Cloud service account authenticate to AD FS without having to manage any client secrets.
Continue »
A common way to let an application authenticate to KeyCloak is to use a client ID and secret. But when the application runs on Google Cloud, we can do better.
Continue »
Using Integrated Windows Authentication (IWA) to authenticate to AD FS not only works for OAuth. We can also use IWA to get SAML 2.0 assertions.
Continue »
When an application needs to authenticate to AD FS, we don’t have to use a client secret. Instead, we can let the application use its existing Kerberos or NTLM credentials to authenticate.
Continue »
In the last post we looked at how to set up a trust policy and role in AWS so that we can use a Google ID token to authenticate to AWS. But how do we actually use this in C#?
Continue »
By using workload identity federation, we can let applications use AWS credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on AWS and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to AWS?
Continue »
When a web server requires mutual TLS authentication, the default behavior of web browsers is to show a dialog that lets us choose which client certificate we’d like to use. Chrome lets us suppress these prompts by using the AutoSelectCertificateForUrls policy. But documentation is scarce.
Continue »
Most browsers support client certificates for mutual TLS authentication. But what is really being authenticated here, the end user, their device, or both?
Continue »