Monday, June 17, 2013

Ruminating on Claims based Identity

Most folks still stick with RBAC (Role Based Access Control) mechanisms for enabling security in their applications. A Claims based Identity solution is more comprehensive than RBAC and offers much more flexibility in implementing security.

In RBAC, typically the onus of authenticating users and checking permissions lies on the application itself. In Claims based solutions, the security constraints of the application are decoupled from the application business logic. The application receives a security token from a STS (Security Token Service) it trusts and thus does not have to worry about authenticating the user or extracting  security related info regarding the user. All the required information is available in the STS security token as a set of claims.

Thus a Claims based Identity solution decouples of application from the complexities of authentication and authorization. Thus the application is isolated from any changes to the security policies that need to be applied.

The following articles are of great help to any newbie in understanding the fundamentals of Claim based Identity solutions.

A Guide to Claims Based Identity - An excellent guide to understand some fundamental concepts around tokens, claims and STS.

Microsoft Windows Identity Foundation (WIF) Whitepaper for Developers - A very good article around WIF basics and also includes sample code to extend IPrinciple objects and intercept security token processing.

Claims Based Architectures - One of the best online articles that explains how Web SSO and thick client SSO can be implemented using Claims.