vb.net qr code generator free figure 1 Issuers, security tokens, and applications in VS .NET

Printer DataMatrix in VS .NET figure 1 Issuers, security tokens, and applications

Claims are like salt. Just a little bit avors the broth. The next chapter has more information on what makes a good claim.

A good issuer can make it easier to implement authorization and personalization in your applications.

Today, it s possible to purchase an issuer that provides user information, packaged as claims. If you have Windows Server 2008 R2 Enterprise Edition, you are automatically licensed to run Microsoft s issuer, Active Directory Federation Services (ADFS) 2.0. ADFS provides the logic to authenticate users in several ways, and you can customize each instance of your ADFS issuer to authenticate users with Kerberos, forms authentication, or certi cates. Alternatively, you can ask your ADFS issuer to accept a security token from an issuer in another realm as proof of authentication. This is known as identity federation and it s how you achieve single sign-on across realms. Figure 2 shows all the tasks that the issuer performs.

tions expect to receive claims about the user, but they don t care about which identity store those claims come from. These applications are loosely coupled to identity. This is one of the biggest bene ts of claims-based identity.

One option that claims-based applications give you is user anonymity. Remember that your application no longer directly authenticates the users; instead, it relies on an issuer to do that and to make claims about them. If user anonymity is a feature you want, simply don t ask for any claim that personally identi es the user. For example, maybe all you really need is a set of roles to authorize the user s actions, but you don t need to know the user s name. You can do that with claimsbased identity by only asking for role claims. Some issuers (such as ADFS) support the idea of private user identi ers, which allows you to get a unique, anonymous identi er for a user without any personal information (such as a name or e-mail address). Keep user anonymity in mind when you consider the power of claims-based identity.

You can also receive tokens that were generated outside of your own realm. This is known as federated identity.

There are some general set-up steps that every claims-based system requires. Understanding these steps will help you when you read about the claims-based architectures.

When you build a claims-based application, it needs to know how to validate the incoming security token and how to parse the claims that are inside. The Windows Identity Foundation (WIF) provides a common programming model for claims that can be used by both Windows Communication Foundation (WCF) and ASP.NET applications. If you already know how to use methods such as IsInRole and properties such as Identity.Name, you ll be happy to know that WIF simply adds one more property that is named Identity.Claims. It identi es the claims that were issued, who issued them, and what they contain. There s certainly more to learn more about WIF programming model, but for now just remember to reference the WIF assembly (Microsoft.IdentityModel.dll) from your ASP.NET applications and WCF services in order to use WIF s programming paradigm.

After the user is authenticated, the issuer creates claims about that user and issues a security token. ADFS has a rule engine that makes it easy to extract LDAP attributes from the user s record in Active Directory and its cousin, Lightweight Directory Services. ADFS also allows you to add rules that include arbitrary SQL statements so that you can extract user data out of your own custom SQL database. You can extend ADFS to add other stores. This is useful because, in many companies, a user s identity is often fragmented. ADFS hides this fragmentation. Your claims-based applications won t break if you decide to move data around between stores. Claims-based applica-