Posted by Abel Avram on Oct 06, 2009
Microsoft patterns&practices has created a new CodePlex project entitled Claims Based Identity & Access Control Guide to introduce users to claims-based identity and to present examples on how to write applications using this new type of authentication and authorization.
A trusted authority (the issuer) issues a signed security token containing a set of claims (credentials), which is then presented to the application for validation. The application authenticates the user only if the security token is valid and is signed by an issuer the application trusts.
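To make the token flow concrete, here is an added illustration (not code from the guide or from Windows Identity Foundation): a constructed issuer signs a set of claims, and the application checks issuer trust, signature, audience and expiry before it uses any claim. The issuer name, the application identifier and the HMAC secret are assumptions; a real STS signs with an asymmetric key.

```python
import hashlib
import hmac
import json
import time

# Constructed example: the application trusts one issuer, identified by
# name, and holds that issuer's verification key (an HMAC secret here;
# a real STS would sign with an X.509/RSA key pair).
TRUSTED_ISSUERS = {"https://issuer.example/sts": b"issuer-secret-key"}
AUDIENCE = "https://app.example"  # this application's own identifier


def issue_token(issuer, key, subject, claims, ttl=300):
    """Issuer side (constructed STS): package the claims and sign them."""
    payload = {"iss": issuer, "aud": AUDIENCE, "sub": subject,
               "exp": int(time.time()) + ttl, "claims": claims}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"payload": body.decode(), "sig": sig}


def validate_token(token, now=None):
    """Application side: return the claims only from a valid token issued
    by a trusted issuer for this application; return None otherwise."""
    now = time.time() if now is None else now
    body = token["payload"].encode()
    payload = json.loads(body)
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return None  # unknown issuer: its claims carry no authority here
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None  # signature mismatch: token was tampered with or forged
    if payload.get("aud") != AUDIENCE or payload.get("exp", 0) < now:
        return None  # issued for another application, or expired
    return payload["claims"]
```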

Claims-based identity simplifies application development because applications using this type of authentication do not have to verify all the credentials presented by the user. Instead:
Someone who determines your company's security policy can make those rules and buy or build the issuer. Your application simply receives the equivalent of a boarding pass. No matter what authentication protocol was used, Kerberos, SSL, forms authentication, or something more exotic, the application gets a signed set of claims that has information it needs about the user. This information is in a simple format that the application can use right away.
Letting the issuer deal with all the security issues involved eases integration, migration, mergers, federation and building cloud applications. Single sign-on (SSO) is also easier to implement for the same reason. The guide shows how a fictional company implemented SSO using claims, giving its employees external access to its applications without having to create a VPN connection first.
While claims-based identity is a recommended approach to security, it is not necessarily the right choice for everybody. Active Directory may be good enough:
When you decide what kinds of claims to issue, ask yourself how hard it is to convince the IT department to extend the Active Directory schema. They have good reasons for staying with what they already have. If they're reluctant now, claims aren't going to change that. Keep this in mind when you choose which attributes to use as claims.
The guide also covers the protocols used in a claims-based security architecture. It is still a work in progress.
Microsoft has created a framework, called Geneva, providing “simplified user access and single sign-on, for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web”. Geneva has been renamed the Windows Identity Foundation and contains logic for building claims-aware ASP.NET or WCF applications. The Geneva Server is called Active Directory Federation Services now and “is a security token service (STS) for issuing and transforming claims, enabling federations, and managing user access”. The Geneva project is currently in Beta 2.