A common question is whether every system needs claims. The answer is no, because many organizations host several internal applications for which Windows authentication already works: Active Directory stores the users' identities, and because Kerberos is built into Windows, the application does not have to authenticate the user itself. Every application that uses Windows authentication already receives the identity of each user.
There are times when you need to go beyond Windows authentication, though. For example, you may run an application that people need to access who have no account in your Active Directory. Your business may have joined forces with another, and there are kinks to work out; one of them may be that the two Windows domains have no trust relationship in place.
You may want to share identity with a business partner that does not run a .NET Framework application, so there is no easy way to pass identities back and forth between the different platforms. There are many other scenarios, too, in which claims-based identity is the best method to use to avoid such problems.
Before we cover how to use claims, it is important to discuss what they can do for us. To really understand that, you need a good idea of the authentication process. You may be thinking of only one way to authenticate, but there are many. For example, you may assume that because you use Windows authentication, identity is only accessible through Windows. That is a common misconception.
The same is true of ASP.NET with its membership and role providers, which is why we often think of authentication in terms of usernames and passwords. The different authentication systems have plenty in common, and one thing to pay attention to is that in every case claims are issued by an issuer, or authority.
It is the claims and their issuers that can be supported in a variety of ways, and this is where applications differ in how a user gains access to them. Before an application accepts claims, it has to trust the issuer. Trust is a vital part of the claims-based approach, and it is handled in a way most people are not yet familiar with.
Using claims, you can implement role-based access control, commonly referred to as RBAC. Roles are claims, but claims can carry more information than roles alone. Claims are sent in a secured token that can also be encrypted, and they are delivered by an issuer that you trust.
Identity is key to recognizing a user before they are allowed into an application, and claims provide that way of recognizing who the user is. With the claims-based model it is easy to sign in with Kerberos in place, and just as easy to use other forms of authentication, many of which are considered user friendly.
There is no need to change the code or reconfigure the application. You can support any authentication technique; most people use Kerberos because it is the most popular, but you may want to look into smart cards and X.509 certificates to expand your knowledge in this area.
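The model described above (an issuer the application trusts, claims delivered in a signed token, roles as just one claim type, and application code that does not change when the authentication method or the issuer changes) can be shown end to end in a few dozen lines. The following is an added example written for this post, not code from the original or from Windows Identity Foundation; it is in Python rather than .NET so it runs anywhere. It assumes a constructed issuer list (`TRUSTED_ISSUERS`) with per-issuer HMAC secrets standing in for the X.509 signing certificates a real security token service would use, and a deliberately simple token format (base64 JSON body plus signature) rather than SAML or WS-Federation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo: a shared HMAC secret per issuer stands in for the X.509 signing
# certificate a real STS would use. The relying party trusts exactly these issuers.
TRUSTED_ISSUERS = {
    "https://sts.contoso.example": b"contoso-demo-signing-secret",    # our own STS (Kerberos behind it)
    "https://sts.fabrikam.example": b"fabrikam-demo-signing-secret",  # partner STS, no AD trust needed
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, key: bytes, claims: list, ttl: int = 300, now: float = None) -> str:
    """Issuer side: package (type, value) claims into a signed, expiring token."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "exp": now + ttl, "claims": [list(c) for c in claims]}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class ClaimsPrincipal:
    """What the application sees: a set of claims plus who vouched for them."""

    def __init__(self, issuer: str, claims: list):
        self.issuer = issuer
        self.claims = [(t, v) for t, v in claims]

    def find_all(self, claim_type: str) -> list:
        return [v for t, v in self.claims if t == claim_type]

    def find_first(self, claim_type: str):
        values = self.find_all(claim_type)
        return values[0] if values else None

    def is_in_role(self, role: str) -> bool:
        # Roles are just claims of type "role"; RBAC needs nothing beyond that.
        return role in self.find_all("role")


def validate_token(token: str, now: float = None) -> ClaimsPrincipal:
    """Relying-party side: accept claims only from a trusted issuer with a valid signature."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        raise ValueError("malformed token")
    if not isinstance(payload, dict):
        raise ValueError("malformed token")
    issuer = payload.get("iss")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        # Trust is checked before a single claim is believed.
        raise ValueError(f"untrusted issuer: {issuer!r}")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("signature does not verify")
    now = time.time() if now is None else now
    if payload.get("exp", 0) < now:
        raise ValueError("token expired")
    return ClaimsPrincipal(issuer, payload.get("claims", []))


def check_access(token: str, required_role: str, now: float = None) -> str:
    """Application authorization: identical whatever the issuer or the authentication method."""
    try:
        principal = validate_token(token, now=now)
    except ValueError as exc:
        return f"rejected: {exc}"
    return "allowed" if principal.is_in_role(required_role) else "denied"


if __name__ == "__main__":
    contoso = "https://sts.contoso.example"
    fabrikam = "https://sts.fabrikam.example"
    # Constructed sample tokens: same application code, two issuers, two authentication methods.
    alice = issue_token(contoso, TRUSTED_ISSUERS[contoso],
                        [("name", "alice"), ("role", "Manager"), ("authmethod", "kerberos")])
    bob = issue_token(fabrikam, TRUSTED_ISSUERS[fabrikam],
                      [("name", "bob"), ("role", "Auditor"), ("authmethod", "x509")])
    unknown = issue_token("https://sts.other.example", b"not-on-the-trust-list",
                          [("name", "carol"), ("role", "Manager")])
    print(check_access(alice, "Manager"))    # allowed
    print(check_access(bob, "Manager"))      # denied
    print(check_access(unknown, "Manager"))  # rejected: untrusted issuer
```

The point to take from the block is the shape of `check_access`: it never asks how the user was authenticated. Bob's issuer recorded an X.509 logon and Alice's recorded Kerberos, and the application treats both the same because it only reasons about claims and about which issuer it trusts. Swapping the authentication method, or adding a partner organization, is a change to the trust list, not to the application.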
We are going to discuss the various concepts related to claims, including federated identity. If these are new terms to you, don't worry; we will cover the ins and outs of them. Both have been around for some time, and their mechanics are part of the claims-based approach. If you have heard of Kerberos before, this is a very similar concept: Kerberos is a well-known authentication protocol used by Active Directory.
Both WS-Federation and SAML (Security Assertion Markup Language) are federation protocols that have been used for years, and they are part of systems on all of the major platforms a business has access to today. The idea of claims-based identity isn't new; it has been around for almost 10 years now.
I’m calling this one my “Basics Of Claims” series.
I've got some more claims-based stuff coming out soon too!