Thursday, 22 September 2016

The road to becoming an MCSD: Web Applications 3/4: Exam 70-486

I wanted to pass the 70-486 exam as the second step in my quest for MCSD (see my previous post). To do so, I might just try the exam and see how I would do, but that would also mean I would not get any refresher course on the exam objectives, which was part of the goal.

How to pass Microsoft Exam 70-486 (Developing ASP.NET MVC 4 Web Applications) in 30 days

On the internet you can find a good guide to building your career: www.developerhandbook.com. It also has a chapter on how to pass the 70-486: http://www.developerhandbook.com/career/pass-microsoft-exam-70-486-in-30-days/. It lists some books which might help you:

This book was written by William Penberthy. And it's not the best book I've ever read.

Pros: Each objective on the exam receives equal coverage. There are some good insights into the various technologies at a high level, and the author is clearly very experienced in this field.

Cons: This is the official book from Microsoft for the 70-486 exam, and it is somewhat off the mark. The objectives/sections/chapters are disjointed and only covered at a very high level. The book is severely lacking in detail and code samples/walkthroughs.

If you really want to read a book, I highly recommend reading Professional ASP.NET MVC 4, which was written by Jon Galloway, Phil Haack, Brad Wilson, Scott Allen and Scott Hanselman. Five people who are leading experts in this field. I learnt a lot from this book, it flows well, there are sufficient code samples and the book is very engaging.

But I am not one to learn much from books. I learn a lot more from doing and from lectures. The site also has a list of Pluralsight training videos, which is more my style of learning:

Here are some of the videos I watched whilst preparing for this exam (make sure you follow along whilst the presenter is talking!):

Pluralsight course playlist

Based on that list of Pluralsight courses I created my own playlist:
As you might notice, I skipped the one about Windows Azure Fundamentals. I did start the lecture, but noticed very soon that it is heavily outdated. Azure has changed so much since the lecture was posted (around 2010) that I did not find it worthwhile to spend my time on.

So I started to follow the courses listed.

It is indeed important to make sure you follow along whilst the presenter is talking! But the courses sometimes feel very slow paced if you already know the subject, and you feel the urge to skip to the more interesting parts. As I mentioned in my previous post, I like to play them at double speed.

The lecture about claims-based identity was especially informative. Although I am already used to implementing OAuth and Azure AD for authorization, it explained the very basics of why it works and, in general, how. Even if you're not going for an exam, this lecture is a must-see for any web developer.

I felt confident enough to pass the exam, so I planned the exam.

Examination time!

I did not pass, with a score of 658 out of 1000. According to the result I was weakest in the following skill areas:

  • Design and implement routes. This objective may include but is not limited to: define a route to handle a URL pattern; apply route constraints; ignore URL patterns; add custom route parameters; define areas
  • Configure and apply authorization. This objective may include but is not limited to: create roles; authorize roles by using configuration; authorize roles programmatically; create custom role providers; implement WCF service authorization
  • Configure state management. This objective may include but is not limited to: choose a state management mechanism (in-process and out of process state management, ViewState); plan for scalability; use cookies or local storage to maintain state; apply configuration settings in web.config file; implement sessionless state (for example, QueryString)
So I've got to do some more learning and training on those points.

To be continued ...

Disappointing, of course, not to pass the exam. I'll do some more studying and retry the exam. I will keep you posted on whether I pass it next time...

Tuesday, 12 July 2016

The road to becoming an MCSD: Web Applications 2/4: Exam 70-480

I wanted to pass the 70-480 exam as the first stepping stone in my quest for MCSD (see my previous post). To do so, I might just try the exam and see how I would do, but that would also mean I would not get any refresher course on the exam objectives, which was part of the goal.

How to pass Microsoft Exam 70-480 (HTML 5, CSS3 and JavaScript) in 30 days

On the internet you can find a good guide to building your career: www.developerhandbook.com. It also has a chapter on how to pass the 70-480: http://www.developerhandbook.com/career/how-to-pass-microsoft-exam-070-480-html-5-css-3-and-javascript-in-30-days/. It lists some books which might help you:
Programming in HTML 5 with JavaScript and CSS 3
This book was authored by Glenn Johnson and was written specifically to help you pass the exam by giving hands-on, practical examples, specifically targeted at the exam objectives.
Each chapter is divided into manageable sections, complete with hands-on exercises (usually one or more per chapter). This book very much helps you learn by doing, which in my opinion is the best way to learn.
I genuinely believe that if I hadn't read this book, I wouldn't have passed the exam.
But I am not one to learn much from books. I learn a lot more from doing and from lectures. The site also has a list of Pluralsight training videos, which is more my style of learning:
Here are some of the videos I watched whilst preparing for this exam (make sure you follow along whilst the presenter is talking!):
And probably the most important video on the site (from your perspective at least) … HTML 5 Advanced Topics.

Pluralsight course playlist

Based on that list of Pluralsight courses I created my own playlist:

And started to follow the courses listed.

It is indeed important to make sure you follow along whilst the presenter is talking! But the courses sometimes feel very slow paced if you already know the subject, and you feel the urge to skip to the more interesting parts. Then I found out (thanks for the tip, Silvan Thus!) that you can set the pace of the video yourself, from 0.5x to 2.0x. I set the pace to 2.0x when the course handles the basics and to 1.0x when it gets to something new. Be sure though not to start at 2.0x: your mind first has to focus on the course, and then after a minute or so you can set it to 1.5x and after another minute to 2.0x.

Now I got a lot of basics refreshed and even learned some new things I did not know. But when I got to the sixth, Learning to Program ..., I was getting bored by the videos. I had done the JavaScript track on CodeSchool last year, and there wasn't much new coming through. I felt confident enough to pass the exam, so I planned the exam.

Examination time!

I did pass it, with a score of 778 out of 1000. A tip to focus on during training: the exam focused a lot on how to use Ajax without jQuery or other libraries, so make sure you know the XMLHttpRequest fundamentals.

To be continued ...

So that was exam 1 of 3 on the road to becoming MCSD, 2 to go. Next blogpost will be about passing the exam MS 70-486: Developing ASP.NET MVC Web Applications.


Thursday, 23 June 2016

Implementing Single-Sign-On with ADFS 3.0 in an ActiveAdmin Ruby on Rails application

My company uses ADFS 3.0 to provide Single-Sign-On for its employees to Microsoft's Office 365. It also has a couple of web applications in Ruby on Rails that employees use for several business tasks.
Until now those RoR applications have had their own login and user administration. That is a security risk: to make sure employees who left the company can no longer log in, you have to go through all those applications, one by one, and remove or disable their accounts. So we started to replace that per-application user administration with the same SSO the Office 365 applications use. When that is complete, you only have to disable the employee's account in a single place, Active Directory, and ADFS will make sure he or she can no longer log in to any of the applications.

I found a gem which, with a little configuration, can be used to do exactly that. DeviseSamlAuthenticatable (gem devise_saml_authenticatable) is a Single-Sign-On authentication strategy for Devise that relies on SAML. It uses ruby-saml to handle all the SAML-related work.

Installation

  • Add the gem to your Gemfile:
gem 'devise_saml_authenticatable'
  • Execute bundle install:
bundle install

Usage

In app/models/<YOUR USER MODEL>.rb set the :saml_authenticatable strategy. In a default ActiveAdmin implementation the model is admin_user.rb. Note that :database_authenticatable is no longer in the list, so ActiveAdmin's own password login is disabled and ADFS becomes the only way to sign in:

class AdminUser < ActiveRecord::Base
  # Include devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable, :omniauthable
  # :database_authenticatable, :recoverable, :rememberable,
  # :trackable, :validatable
  devise :saml_authenticatable, :trackable
end

And add a method to load the SAML data into the user, also in admin_user.rb:

  # Called from the SAML sessions controller with the attributes mapped from the
  # SAML response. Looks the admin up by e-mail and creates the record on first login.
  def self.load_saml_data(attributes)
    email = attributes['email']
    # Without this guard, an assertion without an e-mail claim would create (and sign in)
    # an admin with a nil e-mail.
    raise ArgumentError, 'SAML response did not contain an email attribute' if email.blank?

    where(email: email).first_or_create do |user|
      user.email = email
    end
  end

In the config directory create a YAML file (config/attribute-map.yml) that maps the attribute names in the SAML response from ADFS to the attribute names used in admin_user.rb. ADFS only sends this claim if the relying party trust has an issuance transform rule that sends the LDAP attribute E-Mail-Addresses as the outgoing E-Mail Address claim:

"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email"

Add a SAML sessions controller in app/controllers/saml_sessions_controller.rb:

class SamlSessionsController < Devise::SamlSessionsController
  # ADFS POSTs the SAMLResponse to /admin/saml/auth without a Rails CSRF token,
  # so the token check has to be skipped, but only for that one action.
  skip_before_action :verify_authenticity_token, only: :create

  # Build an AuthnRequest and redirect the browser to the ADFS sign-in page.
  # saml_config is provided by Devise::SamlSessionsController (DeviseSamlAuthenticatable::SamlConfig).
  def new
    authn_request = OneLogin::RubySaml::Authrequest.new
    sso_url = authn_request.create(saml_config, 'RelayState' => 'https://your.application.com/admin/saml/auth')
    redirect_to sso_url
  end

  # Assertion Consumer Service: validate the SAMLResponse that ADFS posted back and sign the user in.
  def create
    saml_response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], settings: saml_config)
    # is_valid? checks the XML signature against settings.idp_cert, the audience (our issuer),
    # the destination (our ACS URL) and the NotBefore/NotOnOrAfter conditions.
    raise "Invalid SAML response: #{saml_response.errors.join(', ')}" unless saml_response.is_valid?

    attribute_map = YAML.load_file(Rails.root.join('config', 'attribute-map.yml'))
    # Translate the ADFS claim URIs to model attribute names. Claims that are not in the map
    # are dropped (instead of ending up as a nil key) and only the first value of each
    # multi-valued attribute is used.
    attributes = saml_response.attributes.each_with_object({}) do |(claim, values), mapped|
      mapped[attribute_map[claim]] = values.first if attribute_map.key?(claim)
    end

    @user = AdminUser.load_saml_data(attributes)
    raise 'Could not create or load the admin user' unless @user.persisted?

    session[:userid] = @user.email
    flash[:notice] = 'Signed in successfully.'
    sign_in_and_redirect @user, event: :authentication
  rescue StandardError => e
    # Log the real reason server-side; the user only gets a generic message.
    Rails.logger.warn("SAML login failed: #{e.class}: #{e.message}")
    flash[:alert] = 'Sign-in failed.'
    redirect_to root_path
  end
end
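The claim-mapping step of the create action above, together with the config/attribute-map.yml it reads, as an added stand-alone example (this is not code from the original post or from devise_saml_authenticatable, and it does not need ruby-saml). It shows the two failure modes the controller has to cope with: claims ADFS sends that are not in the map (such as the Windows account name), and an assertion in which the e-mail claim is missing or blank, which must not turn into a user record. The given-name claim, the extra map entry and the sample claims are constructed for the example and are assumptions; the map format is the one from the post.

```ruby
require 'yaml'

# Same format as config/attribute-map.yml in the post, inlined here so the example runs on its own.
# The givenname line is an extra entry added for this example.
ATTRIBUTE_MAP_YAML = <<~YAML
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email"
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name"
YAML

# Attribute names the application must have before it provisions a user.
REQUIRED_ATTRIBUTES = %w[email].freeze

# saml_attributes has the shape that iterating OneLogin::RubySaml::Response#attributes yields:
# each ADFS claim URI maps to an array of values, because SAML attributes are multi-valued.
def map_saml_attributes(saml_attributes, attribute_map = YAML.safe_load(ATTRIBUTE_MAP_YAML))
  mapped = saml_attributes.each_with_object({}) do |(claim, values), result|
    # Claims that are not in the map are dropped rather than ending up as a nil key.
    next unless attribute_map.key?(claim)
    # Take the first non-blank value; ADFS may send an empty value for an attribute the user lacks.
    value = Array(values).map(&:to_s).find { |v| !v.strip.empty? }
    result[attribute_map[claim]] = value.strip if value
  end

  missing = REQUIRED_ATTRIBUTES - mapped.keys
  unless missing.empty?
    # Refusing here is what keeps where(email: nil).first_or_create from creating an admin without an e-mail.
    raise ArgumentError, "SAML response is missing required attribute(s): #{missing.join(', ')}"
  end
  mapped
end

# Constructed sample of the claims ADFS might send (not a captured response).
SAMPLE_CLAIMS = {
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => ['jane.doe@yourcompany.com'],
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' => ['Jane'],
  'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname' => ['YOURCOMPANY\\jdoe'],
}.freeze

if $PROGRAM_NAME == __FILE__
  p map_saml_attributes(SAMPLE_CLAIMS)
  # => {"email"=>"jane.doe@yourcompany.com", "first_name"=>"Jane"}
end
```

The windowsaccountname claim is silently dropped, and a response whose e-mail claim is blank raises before any database access, which is the behaviour the controller's rescue clause turns into a generic "Sign-in failed." message.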

Set the new routes in config/routes.rb:

Rails.application.routes.draw do
  devise_config = ActiveAdmin::Devise.config
  # see https://github.com/activeadmin/activeadmin/wiki/Log-in-through-OAuth-providers for this use
  devise_config[:controllers][:saml_sessions] = 'saml_sessions'
  devise_for :admin_users, devise_config
  ActiveAdmin.routes(self)
end

In config/initializers/devise.rb add the configuration settings for saml authenticatable:

  # ==> Configuration for :saml_authenticatable
  # Create user if the user does not exist. (Default is false)
  config.saml_create_user = true

  # Update the attributes of the user after a successful login. (Default is false)
  config.saml_update_user = true

  # Set the default user key. The user will be looked up by this key. Make
  # sure that the Authentication Response includes the attribute.
  config.saml_default_user_key = :email

  # Optional. This stores the session index defined by the IDP during login. If provided it will be used as a salt
  # for the user's session to facilitate an IDP initiated logout request.
  config.saml_session_index_key = :session_index

  config.saml_use_subject = true

  # Configure with your SAML settings (see [ruby-saml][] for more information).
  config.saml_configure do |settings|
    settings.assertion_consumer_service_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    settings.assertion_consumer_logout_service_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    # sp settings
    settings.assertion_consumer_service_url = 'https://your.application.com/admin/saml/auth'
    settings.issuer = 'https://your.application.com/admin/saml/metadata'
    settings.name_identifier_format = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

    # Optional for most SAML IdPs
    settings.authn_context = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'

    # X509 certificate of IDP to validate saml response
    # https://github.com/onelogin/ruby-saml#metadata-based-configuration
    # parse_remote fetches the federation metadata over HTTPS (with certificate validation) every time
    # the application boots, so the application will not start while ADFS is unreachable.
    idp_metadata = OneLogin::RubySaml::IdpMetadataParser.new.parse_remote('https://adfs.yourcompany.com/federationmetadata/2007-06/federationmetadata.xml')
    settings.idp_cert = idp_metadata.idp_cert
    settings.idp_sso_target_url = idp_metadata.idp_sso_target_url
    settings.idp_slo_target_url = idp_metadata.idp_slo_target_url

    # Private key of sp. The path is relative to the working directory the app is started from;
    # keep the key out of the public directory and out of version control.
    settings.private_key = File.read('sp_private.key') if File.exist?('sp_private.key')

    # certificate of sp
    settings.certificate = File.read('sp_certificate.pem') if File.exist?('sp_certificate.pem')

    settings.security[:authn_requests_signed] = true
    settings.security[:logout_requests_signed] = true
    settings.security[:logout_responses_signed] = true
    settings.security[:metadata_signed] = true
    # Sign with SHA-256 rather than SHA-1. This has to match the "Secure hash algorithm" of the
    # relying party trust in ADFS, which is SHA-256 for a newly created trust.
    settings.security[:digest_method] = XMLSecurity::Document::SHA256
    settings.security[:signature_method] = XMLSecurity::Document::RSA_SHA256
    settings.security[:embed_sign] = false
  end

Generate a new self-signed certificate and private key for your newly created Service Provider. Run this in the application root (the directory the app is started from), so the files land where the initializer reads them. -nodes leaves the private key unencrypted, so restrict its file permissions to the user the application runs as:
openssl req -x509 -newkey rsa:2048 -keyout sp_private.key -out sp_certificate.pem -days 3650 -nodes
While your application is running, the metadata of the SP should now be available at https://your.application.com/admin/saml/metadata.

Add the newly created sp to ADFS (see https://technet.microsoft.com/en-us/library/dd807132(v=ws.11).aspx for help how to do that).

Some extra help

When I tried to implement everything I had some trouble choosing the correct certificate to use for the IDP, and checking whether I got the correct attributes in my SAML response from ADFS. I found https://www.samltool.com a great tool for this.
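The certificate question above comes from the fact that the ADFS federation metadata lists two certificates: in the IDPSSODescriptor there is one KeyDescriptor with use="signing" and one with use="encryption", and only the signing one verifies the SAMLResponse signature (configuring the encryption one makes every response fail is_valid?). The following is an added example, not code from the original post or from ruby-saml, that does with Ruby's standard library what IdpMetadataParser does for the initializer: it picks the signing certificate and the HTTP-Redirect endpoints out of the metadata and computes the certificate fingerprint you can compare with what samltool.com or the ADFS console shows (the console shows a SHA-1 thumbprint, so pass 'SHA1' to fingerprint for that). The metadata document and both certificates are constructed inside the script, and the adfs.yourcompany.com hostnames and entity ID are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'rexml/document'

MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS_NS = 'http://www.w3.org/2000/09/xmldsig#'
NS = { 'md' => MD_NS, 'ds' => DS_NS }.freeze
REDIRECT_BINDING = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

# Self-signed certificate so the constructed metadata below carries real, parseable X509 data.
def make_self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Constructed stand-in for https://adfs.yourcompany.com/federationmetadata/2007-06/federationmetadata.xml,
# reduced to the parts that matter here: two KeyDescriptors and the SSO/SLO endpoints.
def sample_federation_metadata(signing_cert, encryption_cert)
  <<~XML
    <EntityDescriptor xmlns="#{MD_NS}" entityID="http://adfs.yourcompany.com/adfs/services/trust">
      <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="encryption">
          <KeyInfo xmlns="#{DS_NS}"><X509Data><X509Certificate>#{Base64.strict_encode64(encryption_cert.to_der)}</X509Certificate></X509Data></KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="signing">
          <KeyInfo xmlns="#{DS_NS}"><X509Data><X509Certificate>#{Base64.strict_encode64(signing_cert.to_der)}</X509Certificate></X509Data></KeyInfo>
        </KeyDescriptor>
        <SingleLogoutService Binding="#{REDIRECT_BINDING}" Location="https://adfs.yourcompany.com/adfs/ls/"/>
        <SingleSignOnService Binding="#{REDIRECT_BINDING}" Location="https://adfs.yourcompany.com/adfs/ls/"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.yourcompany.com/adfs/ls/"/>
      </IDPSSODescriptor>
    </EntityDescriptor>
  XML
end

# Colon-separated hex fingerprint of the DER encoding, as certificate tools display it.
def fingerprint(cert, algorithm = 'SHA256')
  OpenSSL::Digest.new(algorithm).hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Returns the IdP values the initializer needs: signing certificate, its fingerprint and the endpoints.
def parse_idp_metadata(xml)
  doc = REXML::Document.new(xml)
  entity = REXML::XPath.first(doc, '/md:EntityDescriptor', NS)
  idp = entity && REXML::XPath.first(entity, 'md:IDPSSODescriptor', NS)
  raise 'no IDPSSODescriptor in metadata' unless idp

  # A KeyDescriptor without a use attribute may be used for both signing and encryption.
  key_descriptors = REXML::XPath.match(idp, 'md:KeyDescriptor', NS)
  signing = key_descriptors.find { |kd| kd.attributes['use'].nil? || kd.attributes['use'] == 'signing' }
  raise 'no signing certificate in metadata' unless signing
  b64 = REXML::XPath.first(signing, 'ds:KeyInfo/ds:X509Data/ds:X509Certificate', NS).text.strip
  cert = OpenSSL::X509::Certificate.new(Base64.decode64(b64))

  endpoint = lambda do |name|
    node = REXML::XPath.first(idp, "md:#{name}[@Binding='#{REDIRECT_BINDING}']", NS)
    node && node.attributes['Location']
  end

  {
    entity_id: entity.attributes['entityID'],
    idp_cert: cert,
    idp_cert_fingerprint: fingerprint(cert),
    idp_sso_target_url: endpoint.call('SingleSignOnService'),
    idp_slo_target_url: endpoint.call('SingleLogoutService'),
  }
end

if $PROGRAM_NAME == __FILE__
  signing_cert = make_self_signed_cert('adfs-signing.yourcompany.com')
  encryption_cert = make_self_signed_cert('adfs-encryption.yourcompany.com')
  settings = parse_idp_metadata(sample_federation_metadata(signing_cert, encryption_cert))
  puts settings[:idp_cert].subject
  puts settings[:idp_cert_fingerprint]
  puts settings[:idp_sso_target_url]
end
```

Running it prints the subject of the signing certificate, never the encryption one, even though the encryption KeyDescriptor comes first in the document. Against real ADFS metadata, compare the printed fingerprint with the Token-signing certificate in the ADFS console before trusting the value you put in settings.idp_cert.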


Wednesday, 25 May 2016

The road to becoming an MCSD: Web Applications 1/4: Starting up

I've set myself a goal: Become a Microsoft Certified Solutions Developer!

Why?

First a little history before answering that question.

I've been working as a (web) application developer for about 10 years now. At first I started programming in C#.NET 1.1, building client applications. Client applications looked very nice back then, with Visual Studio helping out with code snippets, drag-and-drop engineering and fancy features.

But then the Internet really took off, so building web applications became the new black. ASP.NET provided WebForms for that, again with code snippets, drag-and-drop engineering and similar fancy features. In a way it was easy to create a web application that looked OK with just a few tool sets and A LOT of boilerplate, but it did not really feel elegant. If you looked at the generated HTML the feeling worsened.

The open source community was already creating a superior product to do the same outside of the Microsoft environment: Ruby on Rails. It delivered a very flexible and robust platform for building web applications, using the active record pattern for data management and the MVC pattern for the front-end. With RoR it was possible to build elegant web applications without all the boilerplate code.

Microsoft filled the gap by providing the ASP.NET MVC libraries. Then it became possible to create elegant web applications and still work in a Microsoft environment. I could get the best of both worlds!

So again, why?

In the past 10 years I learned a lot about how to code and how not to code, all self-taught, with a lot of Google searching. That in itself is not a bad thing, but I've also noticed that I was missing a solid foundation for the knowledge I obtained. So I decided to go back to the basics, starting from the ground up.

What do you need to become an MCSD?

A good start is to take a look at the certification page at Microsoft, which tells us that there are 4 flavours:

As I will primarily create web applications the road seems clear now: MCSD Web Applications.
It even shows the exams I need to get before I can call myself an MCSD:


So I have to take 3 exams. Sounds fair to me. But then, I need to get hold of the to-be-examined knowledge. Where can I find it?

Learning from books?

Learning from books takes a lot of time, and most of the curriculum is already known to an experienced web developer like me, so that would seem cumbersome. Apart from that, technologies in software engineering develop faster than writers can write them down. Often the techniques described in a book are already outdated when you buy it.

Learning in courses?

Courses deliver the same curriculum in less time, but on the other hand they are not cheap.

Pluralsight

Luckily there is something like Pluralsight: learning from the pros in my own time and at my own speed, and I can skip the parts I already know.

To be continued ...

In my next blogpost I will show my road to the first exam: MS 70-480: Programming in HTML5 with JavaScript and CSS3.