It is vital to be able to uniquely identify each user. This can be surprisingly tricky, because people do not carry a unique identifier around as a part of them. A large portion of people are also very skeptical about anything that could affect their privacy. When you toss claims into the mix, working out how to do this right can take some time.
Keep in mind that not all applications out there really need to know specifically who a user is. Often all that is required is something that keeps one user's use of the application separate from another's. A shopping cart can serve this purpose, but even that is over the top for many applications out there today. For those that do have a per-user requirement to track, though, you will definitely need some unique way of identifying every single user.
With traditional types of applications, a sign-in name is used to tell users apart. With claims-based applications, you will instead need to select which claims will be used to uniquely identify them. Then you will need the issuer to be set up so that it gives you the same values for those claims every single time a user tries to access a given application.
It is a good idea to ask the issuer which claims it is set up to use for identifying users. When you use cross-realm federation, though, keep in mind that more than one issuer is going to be involved. Each issuer does have its own URL that identifies it, and this can be used to help with the process.
You will also find that email addresses have properties that make them unique, which is why they are very good identifiers for claims. It is important to realize that you will not have information about all of the users and claims out there for your application. When you go cross-realm, you waive that right of control in order not to carry so much responsibility for your application.
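As an added illustration (not code from the original article), here is one way an application can derive a stable per-user key from a token's claims: the issuer's URL is combined with the claim that issuer has agreed to use for identification, so the same email address arriving from two different realms stays two distinct users. The issuer URLs, claim names and token layout below are constructed for the example.

```python
from typing import Mapping

# Constructed trust list, keyed by the issuer's URL (the thing that tells
# issuers apart in cross-realm federation) and mapping to the claim type
# each issuer says it uses to identify a user. A real application loads
# this from configuration rather than hard-coding it. All names are assumed.
TRUSTED_ISSUERS = {
    "https://issuer.adatum.example/": "nameidentifier",
    "https://issuer.litware.example/": "email",
    "https://issuer.fabrikam.example/": "email",
}


class UntrustedIssuer(Exception):
    """Token came from an issuer that is not in the trust list."""


class MissingIdentityClaim(Exception):
    """Token lacks the claim the issuer agreed to use for identification."""


def user_key(token: Mapping[str, str]) -> str:
    """Return a stable per-user key of the form '<issuer url>|<claim value>'.

    `token` is a constructed mapping of claim type -> value with an "issuer"
    entry; a real token is validated (signature, audience, expiry) before
    its claims reach this function.
    """
    issuer = token.get("issuer", "")
    claim_type = TRUSTED_ISSUERS.get(issuer)
    if claim_type is None:
        raise UntrustedIssuer(f"issuer not trusted: {issuer!r}")
    value = token.get(claim_type, "").strip()
    if not value:
        raise MissingIdentityClaim(f"{issuer} did not supply {claim_type!r}")
    # Prefixing with the issuer URL keeps identities from different realms
    # apart even when two issuers hand out the same email address.
    # Lower-casing is an assumption: it relies on the issuer treating the
    # value case-insensitively, which holds for typical email claims.
    return f"{issuer}|{value.lower()}"


if __name__ == "__main__":
    a = user_key({"issuer": "https://issuer.litware.example/", "email": "ann@example.org"})
    b = user_key({"issuer": "https://issuer.fabrikam.example/", "email": "ann@example.org"})
    print(a, b, sep="\n")  # same email, two realms, two distinct keys
```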
Users are going to come and go using the token they got from an issuer that you trust. With that token you will have information about who they are as well as what they have access to. Remember that you do not have to change your code in order to support new users, regardless of which realm they come from.
The issuer should be involved in the authorization decisions, though: it should not be issuing tokens to users who do not have the credentials to access your application. Make sure everything is automated so that you do not have to set up anything extra within your application. With a claims-based application you can give up a lot of responsibility for the application, but you do want to make sure you place that responsibility in the hands of a qualified issuer.