Evaluating the Effectiveness of Control-Flow Integrity

Pradeep Kumar

Cybersecurity Architect & Authentication Research Lead

 
January 7, 2026 6 min read

TL;DR

This article explores whether control-flow integrity (CFI) actually stops modern attackers, covering everything from basic stack protection to Turing-complete attacks such as control-flow bending. We look at how enterprise software and AI agents handle these security layers, and why having CFI alone isn't enough without shadow stacks or better identity governance.

Getting started with ADFS and SAML

Ever tried wrestling with AD FS for SAML? It's a bit of a beast, but it gets the job done for enterprise SSO.

Before you touch the server, make sure you have:

  • Active Directory where every user who will sign in has the mail attribute populated.
  • Windows Server with the AD FS role (AD FS 2.0 on Windows Server 2008/2008 R2 was a separate download; 2012 R2 or newer is strongly preferred for modern features).
  • A TLS certificate for the federation service name, issued by a CA that the users' browsers and the app trust.
  • The metadata or reply URL (the assertion consumer service URL) from your app (like the one for Power Pages).

Diagram 1

According to Microsoft Learn, AD FS works as a standard SAML 2.0 identity provider for things like Power Pages or B2B apps.

Next, we'll actually build the trust.

Setting up the Relying Party Trust

Setting up the trust is where things usually get messy if you try to automate it right away, so I always tell teams to go manual first. It's better to see the guts of the config before you start scripting it.

Open the AD FS Management console and right-click "Relying Party Trusts" to start the wizard. Importing the app's federation metadata is the less error-prone route when the file validates; pick "Enter data about the relying party manually" when a metadata file from a dev environment fails schema validation (a common and painful-to-debug failure) or when you want to see every field the wizard sets.

  • Display name: Give it something obvious like "Writer-Production-SSO" or "Retail-Portal-Auth" so the next admin knows what it is.
  • Profile: Choose the "AD FS profile" (not the AD FS 1.0/1.1 profile), then on the URL page tick "Enable support for the SAML 2.0 WebSSO protocol".
  • Service URL: Paste the reply URL (the app's assertion consumer service URL) you got from your app. It must be https; AD FS refuses a plain-http SAML endpoint.
  • Identifiers: This is the part people miss. On the Identifiers page, add the relying party trust identifier. This is usually a URI or URN and it must match the Issuer (entityID) your app sends in its AuthnRequest character for character; AD FS uses it to look up the trust and places it in the assertion's Audience. If it doesn't match exactly, AD FS won't even talk to the app.

Diagram 2

According to Writer Help Center, you also have to make sure there's no trailing slash on your service URL, or the SAML POST may fail. I've seen this break setups in finance and healthcare apps more times than I can count.

Once the basic trust is in place, tell AD FS which users are allowed to use it. The wizard's default issuance authorization rule permits everyone who can authenticate to the domain; restrict it in the Issuance Authorization Rules tab (or, on AD FS 2016 and later, with an access control policy) if only specific groups should have access. Next, we'll handle the claim rules that map your directory attributes.

Mapping user data with Claim Rules

So, you've got the trust built but your app still doesn't know who is trying to log in? That's because AD FS is sending an empty envelope. You have to use claim rules to put data, like an email or a username, inside the SAML assertion.

To get things moving, you need two rules. The first is a "Send LDAP Attributes as Claims" rule, which pulls attributes out of Active Directory. The second is a "Transform an Incoming Claim" rule, which is usually where people trip up because it produces the Name ID, the unique key most apps use to identify a user.

  • LDAP mapping: Create a rule called "Send Email" and map the LDAP attribute "E-Mail-Addresses" to the outgoing claim type "E-Mail Address". This is standard for most B2B SaaS setups.
  • Transforming to Name ID: Apps like the ones discussed in the Writer Help Center need the email sent as the Name ID: incoming claim type "E-Mail Address", outgoing claim type "Name ID", outgoing name ID format "Email".
  • Rule order: AD FS processes rules in order. Make sure the incoming claim type in your transform rule exactly matches the outgoing claim type of your LDAP rule, and that the LDAP rule sits above it. If the transform rule runs before the claim it consumes has been issued, the assertion goes out without a NameID and the app rejects the login as an unidentified user.

Diagram 3

Microsoft's documentation also notes that a persistent identifier is often safer for long-term stability in enterprise environments (like healthcare or finance), because it doesn't change if a user changes their last name or email address. That only holds if you source it from an immutable attribute such as objectGUID; a "persistent" Name ID built from the mail attribute changes whenever the mail attribute does.

Once those rules are saved, your app should finally see real user data. Next, we'll tweak the advanced trust settings so the signing algorithm and endpoints match what the app expects.

Fine tuning and security settings

Ever had a user complain that they can't sign out, or worse, that the login just loops forever? Usually it's because the "fancy" advanced settings don't match what the app expects.

Once the basic trust is live, open the trust's properties and go to the Advanced tab. Most modern apps, including those built on Power Pages as mentioned earlier, require SHA-256 signatures. If the trust is set to SHA-1 (common on older installs or trusts created from old metadata), its SAML assertions will be rejected by any service that enforces SHA-256.

  • Secure hash algorithm: Set this to SHA-256 immediately.
  • Logout endpoints: For SAML, add a "SAML Logout" endpoint on the Endpoints tab. Use the POST or Redirect binding depending on what your app wants. Don't use the old WS-Fed ?wa=wsignout1.0 string here; use the SAML logout path provided by your app developer.
  • Monitoring: If the trust was created from a metadata URL, check the Monitoring tab to confirm AD FS is polling the app's metadata for updates, so a certificate rollover on the app side doesn't silently break the trust.

Diagram 4

According to Bentley Systems, ensuring the federation metadata is published correctly is vital for cross-org trust stability, especially in large-scale engineering or infrastructure setups.

If you don't check the "Publish organization information" box in the federation service properties, some external API gatekeepers might block the auth flow because they can't verify who you are.
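The relying party trust, claim rules and advanced settings from the three sections above, expressed as one AD FS PowerShell script so the result can be reviewed and re-applied. This is an added example, not code from the original article or from Microsoft; run it on the AD FS server as an administrator. The display name, identifier, URLs and group SID are placeholders (assumptions) that you replace with the values your app sent you.

```powershell
# Added example, not from the original article: the relying party trust the
# wizard builds, expressed with the AD FS PowerShell module (run on the
# AD FS server as an administrator). All names, URLs and the group SID are
# placeholders (assumptions); replace them with the values your app sent you.

$rpName          = 'Retail-Portal-Auth'                        # display name
$rpIdentifier    = 'https://portal.example.com/saml/metadata'  # must equal the Issuer/EntityID the app sends
$acsUrl          = 'https://portal.example.com/saml/acs'       # assertion consumer URL: HTTPS, no trailing slash
$sloUrl          = 'https://portal.example.com/saml/slo'       # the app's SAML logout endpoint
$allowedGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'  # placeholder SID of the permitted AD group

# Issuance transform rules in the AD FS claim rule language. Rules run in
# order: the LDAP rule must issue the e-mail claim before the transform
# rule can turn it into the Name ID, otherwise the assertion has no NameID.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization rule: permit one AD group instead of the wizard's
# "permit everyone" default. Anyone who gets no permit claim is denied.
$authorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of the SSO group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)__SID__$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@
$authorizationRules = $authorizationRules.Replace('__SID__', $allowedGroupSid)

# SAML endpoints: the POST assertion consumer and a SAML logout endpoint
# (not the WS-Fed wsignout1.0 path).
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true
$sloEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $sloUrl -ResponseUri $sloUrl

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $rpIdentifier `
    -SamlEndpoint @($acsEndpoint, $sloEndpoint) `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'   # SHA-256, not the SHA-1 URI

# Only if the app publishes federation metadata: let AD FS poll it so a
# certificate rollover on the app side does not break the trust.
# Set-AdfsRelyingPartyTrust -TargetName $rpName -MetadataUrl 'https://portal.example.com/saml/metadata' -MonitoringEnabled $true -AutoUpdateEnabled $true

# Review what was written before testing a login: identifier, hash
# algorithm and endpoints are the three things that most often mismatch.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SignatureAlgorithm, Enabled,
        @{ n = 'Endpoints'; e = { ($_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" }) -join '; ' } }
```

The claim rule text is exactly what the wizard's "Send LDAP Attributes as Claims", "Transform an Incoming Claim" and "Permit or Deny Users Based on an Incoming Claim" templates generate, so you can paste it back into the GUI's custom-rule editor to compare. Passing the authorization rules explicitly is what keeps the trust from falling back to "permit everyone".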

Testing the connection

Before you start pulling your hair out with troubleshooting, verify that the server is even breathing.

  • Use the IdP-initiated sign-on page (usually https://yourserver.com/adfs/ls/idpinitiatedsignon.aspx). On AD FS 2016 and later this page is disabled by default; enable it with Set-AdfsProperties -EnableIdPInitiatedSignonPage $true, and consider turning it back off once testing is done.
  • If you don't see your app in the dropdown, the trust isn't enabled or the identifier is wrong.
  • Try logging in there first. If it works there but not from the app, the issue is on the app's redirect side (its SP-initiated AuthnRequest, issuer or ACS URL), not your AD FS config.

Troubleshooting common ADFS errors

Look, even if you nail the setup, AD FS will eventually throw a tantrum. Most of the time it's a certificate mismatch or a clock-sync issue between your server and the app.

  • Check Event Viewer: If a user gets a vague "An error occurred" page, dive into Applications and Services Logs > AD FS > Admin. Look for Error events (Event ID 364 carries the exception text); they usually name the trust, endpoint or claim rule that failed. If AD FS auditing is enabled, the Security log additionally records which claims were issued and why authorization was denied.
  • Clock skew: SAML assertions carry NotBefore and NotOnOrAfter conditions. If the AD FS server and the app disagree on the time by more than the app's tolerance (often five minutes or less), the assertion is dead on arrival, so keep both sides on NTP.
  • RelayState mess: For IdP-initiated sign-on, getting the URL encoding wrong is a classic mistake: the RPID and the app's target URL are each URL-encoded, joined with &, and then the whole string is URL-encoded again. You can use the Microsoft RelayState Generator (or similar tools found in their docs) to produce a clean link that actually works.
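Two helpers for the testing and troubleshooting steps above: one builds the IdP-initiated sign-on link with the double-encoded RelayState, the other pulls the latest errors from the AD FS admin log. This is an added example, not code from the original article or from Microsoft. The host name, trust identifier and target URL are placeholders (assumptions).

```powershell
# Added example, not from the original article. Helpers for the testing and
# troubleshooting steps. The host name, trust identifier and target URL
# below are placeholders (assumptions).

function New-AdfsIdpInitiatedUrl {
    <#
      Builds an IdP-initiated sign-on link. AD FS expects RelayState in the
      form RPID=<encoded identifier>&RelayState=<encoded target>, with that
      whole string URL-encoded once more, so ':' ends up as %253A.
    #>
    param(
        [Parameter(Mandatory)] [string] $FederationServiceHost,   # e.g. adfs.example.com (assumed)
        [Parameter(Mandatory)] [string] $RelyingPartyIdentifier,  # must match the trust's Identifier exactly
        [string] $TargetUrl                                       # optional deep link inside the app
    )
    $inner = 'RPID=' + [uri]::EscapeDataString($RelyingPartyIdentifier)
    if ($TargetUrl) {
        $inner += '&RelayState=' + [uri]::EscapeDataString($TargetUrl)
    }
    $outer = [uri]::EscapeDataString($inner)
    return "https://$FederationServiceHost/adfs/ls/idpinitiatedsignon.aspx?RelayState=$outer"
}

function Get-AdfsRecentErrors {
    # Latest error-level events from the AD FS admin channel; the first line
    # of the message normally names the failing trust, endpoint or claim rule.
    param([int] $Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2 } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# On AD FS 2016 and later both features used here are off by default:
# Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
# Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true

New-AdfsIdpInitiatedUrl -FederationServiceHost 'adfs.example.com' `
    -RelyingPartyIdentifier 'https://portal.example.com/saml/metadata' `
    -TargetUrl 'https://portal.example.com/home'

# Clock skew check: compare this server against an external time source.
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly

Get-AdfsRecentErrors -Count 10
```

Paste the generated link into a browser on a domain-joined client: if AD FS shows the app's login and the app then lands on the target URL, the trust, identifier and RelayState handling are all correct, and any remaining failure is on the app's SP-initiated path.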

Diagram 5

Honestly, just keep your metadata auto-update on and most of these headaches disappear. Stay sharp out there!

Pradeep combines deep technical expertise with cutting-edge research in authentication technologies. With a Ph.D. in Cybersecurity from MIT and 15 years in the field, he bridges the gap between academic research and practical enterprise security implementations.
