Imagine a world where you don't have to worry about authentication. Imagine instead that all requests to your application already include the information you need to make access control decisions and to personalize the application for the user.
In this world, your applications can trust another system component to securely provide user information, such as the user's name or e-mail address, a manager's e-mail address, or even a purchasing authorization limit. The user's information always arrives in the same simple format, regardless of the authentication mechanism, whether it's Microsoft® Windows® integrated authentication, forms-based authentication in a Web browser, an X.509 client certificate, or something more exotic. Even if someone in charge of your company's security policy changes how users authenticate, you still get the information, and it's always in the same format.
This is the utopia of claims-based identity that A Guide to Claims-Based Identity and Access Control describes. As you'll see, claims provide an innovative approach for building applications that authenticate and authorize users.
This book gives you enough information to evaluate claims-based identity as a possible option when you're planning a new application or making changes to an existing one. It is intended for any architect, developer, or information technology (IT) professional who designs, builds, or operates Web applications and services that require identity information about their users.
Although claims-based identity has been possible for quite a while, there are now tools available that make it much easier for developers of Windows-based applications to implement it. These tools include the Windows Identity Foundation (WIF) and Microsoft Active Directory® Federation Services (ADFS) v2. This book shows you when and how to use these tools in the context of some commonly occurring scenarios.
"An Introduction to Claims" explains what a claim is and gives general rules on what makes a good claim and how to incorporate them in your application. It's probably a good idea that you read this chapter before you go on to the scenarios.
"Claims-Based Architectures" shows you how to use claims with browser-based applications and smart client–based applications. In particular, the chapter focuses on how to implement single sign-on for your users, whether they are on an intranet or an extranet. This chapter is optional. You don't need to read it before you go on to the scenarios.
"Claims-Based Single Sign-On for the Web" shows you how to implement single-sign on within a corporate intranet. Although this may be something that you can also implement with Windows integrated authentication, it is the first stop on the way to implementing more complex scenarios. It includes a section for Windows Azure™ that shows you how to move the claims-based application to the cloud.
"Federated Identity for Web Applications" shows you how you can give your business partners access to your applications while maintaining the integrity of your corporate directory and theirs. In other words, your partners' employees can use their corporate credentials to gain access to your applications.
"Federated Identity for Web Services" shows you how to use the claims-based approach with Web services, where a partner uses a smart client rather than a browser.
"Federated Identity with Multiple Partners" is a variation of the previous scenario that shows you how to federate with partners who have no issuer of their own as well as those who do. It demonstrates how to use the ASP.NET MVC framework to create a claims-aware application.
Although applications that use claims-based identity exist on many platforms, this book is written for people who work with Windows-based systems. You should be familiar with the Microsoft .NET Framework, ASP.NET, Windows Communication Foundation (WCF), and Microsoft Visual C#®.
You can either run the samples that illustrate the scenarios in the guide on your own system or you can create a realistic lab environment. Running the scenarios on your own system is very simple and has only a few requirements. These are the system requirements for running the scenarios on your system:
- Microsoft Windows Vista SP1, Windows 7, or Microsoft Windows Server 2008 (32-bit or 64-bit)
- Microsoft Internet Information Services (IIS) 7.0
- Microsoft .NET Framework 3.5 SP1
- Windows Identity Foundation
- Microsoft Visual Studio® 2008 SP1
- Two samples require additionally:
- Windows Azure Tools for Microsoft Visual Studio
- ASP.NET MVC 1.0
This guide, like many patterns & practices deliverables, is associated with a community site. On this community site, you can post questions, provide feedback, or connect with other users for sharing ideas. Community members can also help Microsoft plan and test future guides, and download additional content such as extensions and training material.
Additional content and plans will be published to the community site.
Feedback and Support
Questions? Comments? Suggestions? To provide feedback about this guide, or to get help with any problems, please visit the Community site. The message board on the community site is the preferred feedback and support channel because it allows you to share your ideas, questions, and solutions with the entire community. A Guide to Claims-based Identity and Access Control is a guidance offering, designed to be reused, customized, and extended. It is not a Microsoft product. Code-based guidance is shipped "as is" and without warranties. Customers can obtain support through Microsoft Support Services for a fee, but the code is considered user-written by Microsoft support staff.
Authors and Contributors
This guide was produced by the following individuals:
- Program and Product Management: Eugenio Pace
- Subject Matter Experts: Dominick Baier, Vittorio Bertocci, Keith Brown, and Matias Woloski
- Development: Federico Boerr, Diego Marcet, Erwin van der Valk and Matias Woloski
- Test team: Carlos Farre and Anant Manuj Mittal
- Edit team: RoAnn Corbisier, Colin Campbell (Modeled Computation LLC), Roberta Leibovitz (Modeled Computation LLC), and Tina Burden
- Book design and illustrations: John Hubbard (eson), Ellen Forney and Veronica Ruiz
- Release Management: Richard Burte
We want to thank the customers, partners, and community members who have patiently reviewed our early content and drafts. Among those, we want to highlight the exceptional contributions of Zulfiqar Ahmed, Michele Leroux Bustamante (IDesign), Pablo Mariano Cibraro (Tellago Inc), Hernan DeLahitte (DigitFactory), Pedro Felix, Tim Fischer (Microsoft Germany), Mario Fontana, David Hill, Doug Hiller, Jason Hogg, Ezequiel Jadib (Southworks), Brad Jonas, Seshadri Mani, Marcelo Mas, Vijayavani Nori, Krish Shenoy, Travis Spencer (www.travisspencer.com), Mario Szpuszta (Sr. Architect Advisor, Microsoft Austria), Chris Tavares, Peter M. Thompson, and Todd West.
Finally, we want to thank Stuart Kwan and Conrad Bayer from the Identity Division at Microsoft for their support throughout.