Blanket Protected Web Application using Google ID

All replies

  • It's a combination of OpenID and WS-Federation: from Google to windows.net, it is using OpenID; from windows.net to microsoft.com, it is using WS-Federation.

    Rui Wang


    Wednesday, April 11, 2012 5:20 PM
    Owner
  • Does it make sense to break this into two cases: Google to windows.net, and windows.net to microsoft.com?

    Rui Wang

    Wednesday, April 11, 2012 5:33 PM
    Owner
  • The page after login shows a SAML Token. I wonder how SAML gets into this scheme. Isn't it a combination of OpenID and WS-Fed?

    Rui Wang

    Wednesday, April 11, 2012 5:58 PM
    Owner
  • Does it make sense to break this into two cases: Google to windows.net, and windows.net to microsoft.com?

    The traffic is not very complex. I think it's fine to study them together. The most interesting part for me now is how the two are combined together.

    Rui Wang

    Thursday, April 12, 2012 4:49 PM
    Owner
  • For LiveID, it is tricky. Below is the first URL that you will visit if you choose Windows Live ID to log in.

    https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2faccesscontrol.windows.net%2f&wreply=https%3a%2f%2fmieszkotestmigration0403.accesscontrol.windows.net%3a443%2fv2%2fwsfederation&wp=MBI_FED_SSL&wctx=pr%3dwsfederation%26rm%3dhttps%253a%252f%252fmmatkow07.redmond.corp.microsoft.com%252fMigratingTenantRpmieszkotestmigration0403%252fdefault.aspx%26ry%3dhttps%253a%252f%252fmmatkow07.redmond.corp.microsoft.com%252fMigratingTenantRpmieszkotestmigration0403%252fdefault.aspx%26cx%3drm%253d0%2526id%253dpassive%2526ru%253d%25252fMigratingTenantRpmieszkotestmigration0403%25252fdefault.aspx

    An interesting field is wtrealm, which seems to be the domain of the RP. But if you change this field to be any domain, such as cnn.com:

    https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2fcnn.com&wreply=https%3a%2f%2fmieszkotestmigration0403.accesscontrol.windows.net%3a443%2fv2%2fwsfederation&wp=MBI_FED_SSL&wctx=pr%3dwsfederation%26rm%3dhttps%253a%252f%252fmmatkow07.redmond.corp.microsoft.com%252fMigratingTenantRpmieszkotestmigration0403%252fdefault.aspx%26ry%3dhttps%253a%252f%252fmmatkow07.redmond.corp.microsoft.com%252fMigratingTenantRpmieszkotestmigration0403%252fdefault.aspx%26cx%3drm%253d0%2526id%253dpassive%2526ru%253d%25252fMigratingTenantRpmieszkotestmigration0403%25252fdefault.aspx

    The request will still succeed. This means that the field is actually not used.


    Rui Wang

    Sunday, April 15, 2012 5:13 AM
    Owner
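An added example (not code from the thread, nor from Microsoft's STS) of the check the observation above calls for on the token issuer's side: parse the WS-Federation sign-in request, decode the multiply-encoded wctx, and refuse to issue a token unless wreply is a host registered for the wtrealm the token will be scoped to. The RP registry is a constructed stand-in for the STS's relying-party configuration; the two URLs are the ones quoted in the post.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the STS's relying-party configuration:
# realm -> hostnames that may receive a token issued for that realm.
REGISTERED_RPS = {
    "https://accesscontrol.windows.net/": {
        "mieszkotestmigration0403.accesscontrol.windows.net",
    },
}

# The two sign-in URLs from the post above: the original request, and the
# same request with wtrealm changed to cnn.com.
SIGNIN_URL = "https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2faccesscontrol.windows.net%2f&wreply=https%3a%2f%2fmieszkotestmigration0403.accesscontrol.windows.net%3a443%2fv2%2fwsfederation&wp=MBI_FED_SSL&wctx=pr%3dwsfederation%26rm%3dhttps%253a%252f%252fmmatkow07.redmond.corp.microsoft.com%252fMigratingTenantRpmieszkotestmigration0403%252fdefault.aspx%26ry%3dhttps%253a%252f%252fmmatkow07.redmond.corp.microsoft.com%252fMigratingTenantRpmieszkotestmigration0403%252fdefault.aspx%26cx%3drm%253d0%2526id%253dpassive%2526ru%253d%25252fMigratingTenantRpmieszkotestmigration0403%25252fdefault.aspx"
TAMPERED_URL = "https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=https%3a%2f%2fcnn.com&wreply=https%3a%2f%2fmieszkotestmigration0403.accesscontrol.windows.net%3a443%2fv2%2fwsfederation&wp=MBI_FED_SSL&wctx=pr%3dwsfederation%26rm%3dhttps%253a%252f%252fmmatkow07.redmond.corp.microsoft.com%252fMigratingTenantRpmieszkotestmigration0403%252fdefault.aspx%26ry%3dhttps%253a%252f%252fmmatkow07.redmond.corp.microsoft.com%252fMigratingTenantRpmieszkotestmigration0403%252fdefault.aspx%26cx%3drm%253d0%2526id%253dpassive%2526ru%253d%25252fMigratingTenantRpmieszkotestmigration0403%25252fdefault.aspx"

def parse_wctx(value, depth=0):
    """Decode wctx, which here is a percent-encoded query string whose 'cx'
    member is itself a query string encoded once more (hence the recursion)."""
    if depth > 3 or "=" not in value:
        return value
    return {k: parse_wctx(v[0], depth + 1)
            for k, v in parse_qs(value, keep_blank_values=True).items()}

def parse_wsfed_signin(url):
    """Return the WS-Federation parameters of a sign-in request as a dict."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in q.items()}
    if "wctx" in params:
        params["wctx"] = parse_wctx(params["wctx"])
    return params

def check_realm_reply_binding(params, registry=REGISTERED_RPS):
    """Return (ok, reason). Issue a token only for a registered wtrealm, and
    only to an https wreply host registered for that same realm, so a token
    scoped to one RP is never posted to a reply URL belonging to another."""
    if params.get("wa") != "wsignin1.0":
        return False, "unexpected wa"
    realm, reply = params.get("wtrealm", ""), params.get("wreply", "")
    allowed = registry.get(realm)
    if allowed is None:
        return False, "unregistered wtrealm: " + realm
    parts = urlsplit(reply)
    if parts.scheme != "https" or parts.hostname not in allowed:
        return False, "wreply not registered for realm: " + reply
    return True, "ok"
```

With the registry above the original request passes and the cnn.com variant is rejected as an unregistered realm; a registered realm paired with a wreply host outside its allow-list is rejected too.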