Let’s jump into implementing the code for federated authentication in Sitecore!
If you’ve missed Part 1 and/or Part 2 of this 3 part series examining the federated authentication capabilities of Sitecore, feel free to read those first to get set up and then come back for the code.
Part 1: Overview
Part 2: Configuration
For this example, we’ll be using the SAML2p library by Sustainsys – formerly known as Kentor. You’ll see some references to Kentor in the code – the version available as of this blog post is still in the middle of the process of renaming so you’ll see the “Kentor” name scattered around the code. Just know that this is the Sustainsys SAML2p library.
Fortunately the library provides OWIN middleware for authentication so it will be fairly straightforward to implement. There are a couple of sections that will need to be configured:

Registering the SAML2 Identity Provider

The SAML2 identity provider will need to be registered in Sitecore to be used with the appropriate sites. More details around this config file can be found in Part 2. For now, this is the config file for the SAML2 identity provider:

There is nothing particularly special about this configuration – just be aware that there is a mapping in this config that maps everyone who logs in with the saml2 identity provider to be administrators. You should most definitely take that out.

Injecting into the OWIN Pipeline through the Sitecore <owin.identityProviders> Pipeline

Now comes the fun code part! We’ll need to create a class that overrides Sitecore.Owin.Authentication.Pipelines.IdentityProviders.IdentityProvidersProcessor. This will be a Sitecore pipeline processor that Sitecore will execute at the appropriate time in the OWIN pipeline for authentication. The ProcessCore method is where you’ll be doing all the work for the authentication. The method provides a parameter of type Sitecore.Owin.Authentication.Pipelines.IdentityProviders.IdentityProvidersArgs that provides a reference to Owin.IAppBuilder to which you can hook up middleware. You’ll see in the code below that some options are set for the Sustainsys SAML2 OWIN middleware and the code args.App.UseSaml2Authentication(options) is called. This registers the SAML2 middleware with the OWIN pipeline.

Executing Claims Transforms on the ClaimsIdentity

In your identity provider configuration, you have the option of setting claims transformations for that specific identity provider. However, there are some shared claims transformations that apply to all providers – one in particular that is in by default is the one for the idp claim. You’ll notice in line 41 of Saml2IdentityProviderProcessor.cs that there is a hook into a notification provided by the SAML2 middleware that will execute the following code:
var identityProvider = GetIdentityProvider();
((ClaimsIdentity)result.Principal.Identity).ApplyClaimsTransformations(new TransformationContext(FederatedAuthenticationConfiguration, identityProvider));

Basically, this ensures that after authentication is complete, all of the claims transformations are executed on the returned ClaimsIdentity so that the expected claims are being created on the identity. This should be executed whenever authentication is complete – other authentication middlewares may provide other events such as OnAuthenticate that you can hook into and execute similar code.
Believe it or not, that’s it! This is a more complex example than usual due to its need for an external library, however, there are built in NuGet packages for other authentication providers that are quite straightforward to set up. If you’d like to see this example and others, including implementations for Facebook, Google, and Azure AD with OpenID Connect, feel free to peruse this GitHub repository. Enjoy!

Mario Greco, CEO of Zurich Insurance Group, one of the world’s largest insurance companies, sat down with CNBC following the release of the company’s Q4 2017 earnings. He shared his views on how the industry is doing as a whole, as well as how Zurich is maintaining its leadership position in such a competitive environment.

“The industry is in a fantastic state of transformation. It’s something that we’ve been waiting for a long time. It is exciting. It’s happening very, very fast, and very quickly,” Greco said. When speaking specifically about his company’s growth plan, Greco said the company is “riding this wave of transformation” and that it has every intention of continuing to invest in assets that help the company expand its ability to reach and serve new customers. “We’re transforming the way we’re dealing with the customers, and we’ll continue doing that.”

Greco’s positive tone and outlook on the industry isn’t unique by a long shot. Even after a year full of natural disasters (2017 happens to be the costliest year on record for the global insurance industry) and the potential financial burden (i.e., more claims) that climate change can place on insurers moving forward, the overall feeling about the future is optimistic. That optimism comes from the stability these companies have managed to develop. It stems from a focus on the fundamentals of the business, which includes pricing and assuming risk, interest earnings, and revenue, as well as claims and loss handling. After all, the Holy Grail for insurance companies is to market effectively and minimize administration costs.

—

To learn what else is driving growth, productivity, and efficiency, download our new guide: 2018 State of the Insurance Industry.

Although it’s been on YouTube for less than a month, IBM’s Watson at Work: Insurance video has been viewed over 1.2 million times. That’s because insurance companies are keen to streamline their claims processes.

If the number of views isn’t enough to convince you that insurers are all about Watson, consider this: Amica Mutual Insurance, Great-West Life & Annuity Insurance Company, Swiss Re Group, Česká pojišťovna, British Columbia Automobile Association (BCAA), Southern Farm Bureau Life Insurance Company, AXA, and Nationwide Mutual Insurance Company – all wildly successful insurance companies – shared how they have been leveraging Watson at last year’s World of Watson event.

https://www.youtube.com/watch?v=0qqLLrEkNEc

Watson is proving to be everything we thought it would be, which is why we’ve invested heavily in working with Watson and partnering with IBM. In fact, we were hand-picked by IBM executives and industry analysts for the 2017 IBM Beacon Award for an Outstanding Watson Solution.

Oh, and, my awesome colleague and the director of our Watson practice, Christine Livingston, sat down with IBM CEO Ginni Rometty to chat about Watson. Cool, eh?!

So, without further ado, I’d like to personally invite you to a webinar, in which that very same Christine Livingston, along with Graham Wallis, the director of our business process management (BPM) practice, will share how Watson and BPM are transforming the insurance industry. You don’t want to miss it!

If there’s one area that can spell the success or failure of an insurance carrier, it’s claims. Claims consume nearly 80% of insurance premiums in the form of payments or processing costs. Consequently, claims managers are challenged to reduce these costs, improve service levels, and gain greater control over the processing environment. As regulatory oversight and compliance become more stringent, claim volumes continue to increase. Claims managers must often cope with the inconsistent application of processing guidelines, which can boost transaction and claims costs. And, for those saddled with manual, paper-based processes, every aspect of handling a claim is slower – and more costly. According to one study, leveraging technology that transforms claims processing has the potential to reduce claims losses and expenses by up to 12%, and improve customer satisfaction.

Business process management has led transformation in the insurance industry for decades. With the emergence of cognitive technologies like IBM Watson, how can you further optimize complex, data-driven processes to gain a competitive advantage?

Join us for a webinar on June 20th to learn how to leverage cognitive solutions like IBM Watson to augment and enhance existing claims processes and transform your business. Perficient experts, Christine Livingston (Watson Practice Director), and Graham Wallis (BPM Practice Director), will cover common cognitive use cases, including:

• Integrating claims processes with streamlined, automated interactive voice response systems

• Supporting product classification leveraging images and unstructured text to aid compliance and onboarding processes

Register now with the form below!

It’s no secret that customer satisfaction scores go up when customers consistently get what they want. When they have unanswered questions about your products and services, they’re not likely to become your biggest cheerleaders. And, chances are that if your prospects find themselves with questions that can’t be answered, they’re not going to convert.

We see this all the time in banking. Visitors who use live chat for support are typically twice as likely to complete an application for a product, such as a loan, than those who don’t. Why is that? Immediacy is key. If you’re not there when they need you, they’ll go somewhere else where there’s help.

There are plenty of ways financial services companies can boost customer engagement, generate new business, and keep existing customers happy.

Can your customers search a knowledge base for answers? Can they book an appointment online and manage their account on a mobile device? How about use text messaging to find out balance information? Do you offer live text or video chat? With modern software, you have the ability to give the customer what they really want and expect in today’s world.

Join us for an upcoming webinar to learn how you can meet the high customer expectations created by companies like as Amazon.com through the use of Oracle Service Cloud and Oracle Policy Automation (OPA). To get a real taste of what can be done with this technology, we’ll even provide a live demonstration of using these solutions for loan applications.

This tutorial series explains how to issue and validate different types of tokens such as JWT(JSON Web Token) , SAML HoK(Holder-of key) using IBM DataPower gateway. In this article, you learn about the issuance and validation of JWT with firmware v 7.2.0.0.

In Part-2, you will learn to issue and validate the JWT with firmware v 7.2.0.1 in much simpler way. In Part-3, I’ll explain about issuance and validation of SAML HoK token used for SOAP based services.

What is JSON Web Token

JSON Web Token (JWT) is a compact claims representation format intended for space constrained environments such as HTTP Authorization headers and URI query parameters. JWTs encode claims to be transmitted as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plain-text of a JSON Web Encryption (JWE) structure. JWTs are always represented using the JWS Compact Serialization or the JWE Compact Serialization.

Here is an example of signed JWT. It’s comprised of 3 parts(highlighted in different colors) separated by a period (.)

Ist part is base-64 encoded JWS header value which contains information about signing algorithm. You can use any of the following algorithm to sign the Claim-set.

Asymmetric -> RS256, RS384, RS512

Symmetric -> HS256, HS384, HS512

2nd part is base-64 encoded JSON claim-set.

3rd part is base-64 encoded signature value generated after signing the encoded JWS header and payload (claim-set) with algorithm specified in JWS header.

eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJpYm1fZGF0YXBvd2VyIiwic3ViIjoiYWRtaW4iLCJleHAiOjE0NTAxMTUyODAuMTkyLCJuYmYiOjE0NTAxMTE2NzkuMTkyLCJpYXQiOjE0NTAxMTE2ODAuMTkyLCJqdGkiOiI3ZjY2NGYxNi05OGQyLTRlYzEtODlhOS04NjM3ODBkYjFhNjgiLCJhdWQiOiJBQUFNb2JpbGUifQ.G7XRUjxrvRSdFE_RRumrPtTnLvlX36eRqDC0UFZKiO3Jau9iDbPuGPeGc0g0kUrubGQAqXz1TYTAuwcNnF58FWQjm9ovZrFH-fvGEpiYKjSctAsldj_ecQRw4jX5YKOYd1zbdr67-zUJN0n8J1iNJiJeVyGBCvz7jiiwCcZSXGRUkAqy-zwq_jULfZoi7QIS1s4f_K5WeQu4PVEhe30tovffegHdxAPZm0ptQT88l3UuuC5zNW7QxQH-6MywLvI3jYttrJ_jhIXUiNFyWDSkNKbcfUwjV2ez5IlPMfQgVFVoMMecaxJ5qlzRr8-okrpgaSQt5xx6gIL-gEZtV7Cd5g

Standard/Registered Claim names

None of the claims defined below are intended to be mandatory to use or implement in all cases, but rather, provide a starting point for a set of useful, interoperable claims. Applications using JWTs should define which specific claims they use and when they are required or optional. All the names are short because a core goal of JWTs is for the representation to be compact.

• iss (Issuer)
• sub (Subject)
• aud (Audience)
• exp (Expiration Time)
• nbf (Not before)
• iat (Issued At)
• jti (JWT ID)

Take a look at following link to get more details around these claim names. We can even define the custom claims based on the requirement.

Claims Description

Using Firmware 7.2.0.0

As most of you will be aware of that Data Power firmware v 7.2 provide enhanced message-level security for mobile, API, and web workloads by using JSON Web Encryption for message confidentiality, JSON Signature for message integrity and JSON Web Token to assert security assertions for Single Sign On (SSO).

Though Firmware 7.2 does provide actions to Sign, Verify, and Encrypt and Decrypt the JSON payload but there are no such actions available to generate and validate JSON Web Tokens. You have to write the Gateway Script to perform these functionalities.

Here are the sample Gateway scripts that I developed to generate and validate JWT.

Post successful Authentication/Authorization, configure the following gateway script in GatewayScript action in Request processing rule to issue the token.

createJWT.js

// Import Required packages

var jose=require(‘jose’);

var jwt=require(‘jwt’);

var sm=require(‘service-metadata’);

sm.mpgw.skipBackside=true;

session.INPUT.readAsJSON(function(error,json)

{

if(error)

{

session.output.write(‘Error reading JSON’ + error);

}

else

{

var claims={

“iss”:”ibm_datapower”,

“aud”:”Audience_name”, // Replace ‘Audience Name’ with actual value.

“iat”: new Date().getTime(),

“exp”:(new Date().getTime()) + 10000, //Token will get expire in 10 sec.

};

//Sign the token with RS256 algorithm. Replace ‘Crypto Key Object Name’ with actual object name created on box.

var jwsHeader=jose.createJWSHeader(‘Crypto Key Object Name’,’RS256′);

var encoder=new jwt.Encoder(claims);

encoder.addOperation(‘sign’,jwsHeader)

.encode(function(error,token) {

if (error) {

session.output.write(‘Error creating JWT’ + error);

}

else {

session.output.write(token);

}

}

);

}

}

)

For validation, pass the JWT in HTTP header as shown below.

Authorization : Bearer “JWT string”

validateJWT.js

//Import Required Packages

var jwt=require(‘jwt’);

var hm=require(‘header-metadata’);

var sm=require(‘service-metadata’);

sm.mpgw.skipBackside=true;

//Retrieve Authorization HTTP Header value.

var bearertoken=hm.current.get(‘Authorization’);

// Retrieve the JWT token.

var buff=bearertoken.substring(7);

var jwttoken=buff.toString();

var decoder=new jwt.Decoder(jwttoken);

decoder.addOperation(‘verify’,’Crypto Cert Object Name’)

.addOperation(‘validate’,{‘aud’:’Audience_Name’})

.decode(function(error,claims) {

if(error)

{

session.output.write(‘Error validating JWT’ + error);

}

else

{

session.output.write(claims);

}

})

(This article is the second in a two-part series.  For Part 1, please click here.)
If I were a decision maker or purchasing manager in an enterprise IT department, this is how I’d like to view SharePoint CALs (CAL is shorthand for Client Access License in the Redmond Universe): a “solution first” approach that tells me what I’m getting and why.  How does it all work together?  Don’t tell me about Search, Web Content, and Mobility as separate swimlanes.  Tell me how they can be combined in a single solution that serves my business needs.
It’s with THAT perspective in mind that I want to look at Internet Sites and Extranets in SharePoint 2013.
Internet Sites
The best SP 2013 websites I’ve seen to date heavily leverage content by search– dynamic assembly of content– and mobile features.  If you look at these traditionally, they’re from two functional areas: “Search” and “Web Content”.  The reality is, they’re both equally important elements of a good SP 2013 internet site.

• There is no longer a specific SKU for SharePoint Server For Internet Sites (the old “FIS” Server).  Following on this, there is no longer a FAST for Internet sites either.
• Enterprise is further required if you want to use SharePoint for public-facing Internet sites.
• The content by search webpart– which we leverage for dynamic content assembly– is available only in Enterprise.

The bottom line is that Internet sites in SharePoint 2013 are significantly less expensive to license than those built on SharePoint 2010 FIS, but boast significant leaps in functionality– device channels  and image renditions, metadata-driven navigation, dynamically-generated content, and content targeting– that were not available in the previous, significantly more expensive product.
Extranet Platforms
In general, an Extranet’s feature set tends to resemble the more collaborative aspects of an Intranet.  Unlike intranets, though, a thorn in the side of SharePoint Extranet projects for many years has been the issue of authentication.  Now that claims is the default for authentication to SharePoint, the road has been paved for Microsoft to address this issue… and address it they have.
Microsoft has made things a lot more comfortable for Extranet users– people not in your Active Directory or on your payroll that may include vendors, partners, contractors, or even customers.
Some key points for this solution:

• The external users outlined above DO NOT NEED LICENSES (but internal users still require CALs for authentication– no free rides here!)  This is a nice line in the sand.  With Claims as the primary authentication method, you don’t need to worry about Active Directory anymore.
• Extranets do face the Internet– so you do need Enterprise to make them work.
• Office 365 users get 10,000 external user CALs.  That’s a whopping big extranet, and another great reason to think about the Microsoft cloud.

In summary, you now need SharePoint Enterprise to do either a public Internet site or an Extranet platform on SharePoint, but that’s not a bad thing.  It’s no longer prohibitively expensive, and beyond that, it’s packed with features to make it a better web content platform.  Got questions?  Shoot me an email at rich.wood@perficient.com.

SharePoint 2013 (or “Wave 15” as we unabashed Microsoft fanboys have been calling it) has been in public beta for a little over two weeks now, and we’re starting to see some more discussion of new features and functions around the web.  Our own Microsoft blog is no exception.
A number of our customers have been involved in the TAP for SharePoint 2013 all along, and they’ve graciously allowed us to work with them in exploring the new technology and developing exciting new solutions since well before the public beta became available.
You might already have noticed that several of our consultants are sharing the deep knowledge they’ve built up in delving into these and other topics since early this year, but just in case you haven’t, I thought I’d call your attention to some of the “best of the blog” that we’ve published so far.

What have we got for you?  Try this on for size….
Amol Ajgaonkar has gone deep into a number of topics around Web Content Management that would be of interest to anyone looking at SharePoint as a platform for an intranet or internet sites.

• Amol not only introduces the Mobile Panel, but shares some awesome work he’s done in solving its shortcomings with a customized version.
• He tackles a topic of interest to multinational companies—and those with a multinational customer base— by showing how to automate the translation of Managed Metadata term sets into additional languages with Machine Translation.
• Speaking of Managed Metadata, Amol presents a fantastic overview of that and other key WCM topics as well
• Amol also covers the Image Renditions feature—scaling and sizing images on a web page to save bandwidth (and from an admin’s perspective, avoid redundancy)—with an extensive deep dive.  The series is split into not one, not two, but three separate sections:
  • Image Renditions Overview
  • Image Renditions Deep Dive Part 1
  • Image Renditions Deep Dive Part 2

Amol’s posts are not only well-detailed and easy to follow from a learning perspective, but they are chock-full of screen clippings and clear illustrations of what following his instructions actually looks like.
Andrew Schwenker tackles another topic of significant interest to anyone using SharePoint as the basis for their internet platform—claims.  You can’t keep all those users in Active Directory, after all!  In both an introductory post (“What Can Claims do for You?”) and a more detailed justification (“Your New Best Friend”), Andrew explains why claims-based authentication just might be the security solution for you.
We’ve also seen Will Tseng get into the game with a quick take on creating a managed property in SharePoint 2013 Search.  I’m very interested in seeing more from Will on Search, and getting a better feel for how Microsoft has further integrated the FAST product into SharePoint as a whole.
I’m sure there will be more where these came from, and soon.  Until then—stay tuned!