What are claims?

Classical identity-based access control models, in which authorization decisions are based on the requestor's unique identifier, are not adequate for large-scale decentralized systems such as the World Wide Web. Several aspects contribute to this inadequacy, namely:

  • Access control policy – When an access request crosses security domains, the identifier of the requestor in its own domain may not have any meaning in the resource’s domain.
  • Privacy – The requestor might not want to reveal its unique identifier outside of its security domain.

A solution is to base the access control policy on “characteristics” of the requestor that make sense for the authorization decision. The Identity Metasystem extends the notion of identity to incorporate this, proposing the concept of a claims-based identity:

In the Metasystem, digital identities consist of sets of claims made about the subject of the identity, where “claims” are pieces of information about the subject that the issuer asserts are valid. This parallels identities used in the real world. For example, the claims on a driver’s license might include the issuing state, the driver’s license number, name, address, sex, birth date, organ donor status, signature, and photograph, the types of vehicles the subject is eligible to drive, and restrictions on driving rights.
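The difference between the two models, as an added Python example that is not part of the original post: a resource domain evaluates a request from a requestor it has never seen, first by identifier and then by claims. All issuer names, claim types and policy entries are constructed for illustration, and the claims are assumed to come from a security token whose issuer signature has already been verified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    type: str    # what is being asserted, e.g. "vehicle-class"
    value: str   # the asserted value
    issuer: str  # the party asserting that the claim is valid

# Constructed configuration of the resource's domain (hypothetical names).
LOCAL_ACL = {"alice@rental.example"}  # identifiers known in this domain only
TRUSTED_ISSUERS = {                   # which issuer is trusted for which claim type
    "vehicle-class": {"state-dmv"},
    "age-over-18": {"state-dmv", "passport-office"},
}
RENTAL_POLICY = [("vehicle-class", "B"), ("age-over-18", "true")]

def identity_based_allow(requestor_id):
    """Classical model: the decision is keyed on a unique identifier."""
    return requestor_id in LOCAL_ACL

def claims_based_allow(claims, policy=RENTAL_POLICY):
    """Allow only if every required (type, value) pair is asserted by an
    issuer that the resource's domain trusts for that claim type."""
    for req_type, req_value in policy:
        satisfied = any(
            c.type == req_type
            and c.value == req_value
            and c.issuer in TRUSTED_ISSUERS.get(req_type, set())
            for c in claims
        )
        if not satisfied:
            return False
    return True

# Constructed claim sets. Neither carries a name or license number: the
# requestor reveals only what the policy needs.
FOREIGN_DRIVER = [
    Claim("vehicle-class", "B", "state-dmv"),
    Claim("age-over-18", "true", "state-dmv"),
]
SELF_ASSERTED = [
    Claim("vehicle-class", "B", "self"),  # issuer not trusted for this type
    Claim("age-over-18", "true", "state-dmv"),
]

if __name__ == "__main__":
    print(identity_based_allow("bob@other-domain.example"))  # identifier is meaningless here
    print(claims_based_allow(FOREIGN_DRIVER))
    print(claims_based_allow(SELF_ASSERTED))
```

The claims-based check never consults `LOCAL_ACL`: the decision depends on who vouches for each claim, not on who the requestor is.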

Unfortunately, there isn’t a formal definition of claim. Instead there are several more or less vague definitions:

One way to better understand the claims concept and its applications is to see how:

  • Claims are communicated and attached to requests and messages, using security tokens.
  • Claims are required by services and applications, using policies.
  • Claims are used in authorization decisions.

This will be the subject of future posts.
