How are claims represented in WCF?
The WCF platform adopts this view and provides a claims-based authentication model, mostly defined in the System.IdentityModel.dll assembly, introduced with .NET 3.0.
In both the Identity Metasystem and the WS-* specifications, the claim concept is kept rather abstract.
The model defined by the System.IdentityModel assembly concretizes this concept through the class model presented in the next figure.
A claim, represented by the Claim class, is defined as:
A claim is the expression of a right with respect to a particular value. A right could be read, write, or possess. A value could be a database, a file, a mailbox, or a property. Claims also have a claim type.
The main properties of this class are:
- ClaimType, defining the type of the claim. For examples of claim types, see the ClaimTypes class.
- Resource, defining the value of the claim.
- Right, defining the right associated with the claim.
At first, I found this new definition hard to grasp and not completely in sync with the definition in the Identity Metasystem. However, in practice, the only rights actually used are:
- PossessProperty – “specifies that the right represents a property that the entity associated with a claim possesses“, that is, the claim represents a property.
- Identity – “specifies that the right represents an identity“. This right defines a property that uniquely identifies an entity.
What are claim sets?
Claims are grouped in claim sets, represented by the ClaimSet class. All the claims in a claim set must have the same issuer, which is recursively represented by a claim set (see the Issuer property of the ClaimSet class). This shouldn’t be a surprise, since in this model all identities are represented by claim sets.
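As an added example (not part of the original post), the following C# builds a user claim set issued by a hypothetical "Contoso STS" claim set, whose own issuer is the built-in ClaimSet.System, and then walks the Issuer chain before trusting a PossessProperty claim; the names, e-mail address and the urn:example:role claim type are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
// Added example, not from the original post; issuer and user values are constructed.
static class ClaimSetDemo
{
    // Claim set describing a hypothetical "Contoso STS"; its issuer is ClaimSet.System.
    static ClaimSet BuildIssuer()
    {
        return new DefaultClaimSet(ClaimSet.System, new List<Claim> {
            new Claim(ClaimTypes.Name, "Contoso STS", Rights.Identity) });
    }
    // Claim set for "alice": Identity claims identify her, PossessProperty claims describe her.
    static ClaimSet BuildUser(ClaimSet issuer)
    {
        return new DefaultClaimSet(issuer, new List<Claim> {
            new Claim(ClaimTypes.Name, "alice", Rights.Identity),
            new Claim(ClaimTypes.Email, "alice@example.com", Rights.PossessProperty),
            new Claim("urn:example:role", "auditor", Rights.PossessProperty) });
    }
    // True when the Issuer chain meets a set carrying the trusted issuer's identity
    // claim before reaching the root, ClaimSet.System (whose issuer is itself).
    static bool IssuedByTrusted(ClaimSet set, Claim trustedIdentity)
    {
        for (ClaimSet s = set.Issuer; s != null; s = s.Issuer)
        {
            if (s.ContainsClaim(trustedIdentity)) return true;
            if (ReferenceEquals(s, ClaimSet.System)) return false;
        }
        return false;
    }
    // Honour the role property only when the set was issued by the trusted STS;
    // otherwise any caller could assemble a set containing that claim.
    static bool IsTrustedAuditor(ClaimSet user, Claim trustedIdentity)
    {
        if (!IssuedByTrusted(user, trustedIdentity)) return false;
        foreach (Claim c in user.FindClaims("urn:example:role", Rights.PossessProperty))
            if ("auditor".Equals(c.Resource)) return true;
        return false;
    }
    static void Main()
    {
        var sts = new Claim(ClaimTypes.Name, "Contoso STS", Rights.Identity);
        ClaimSet user = BuildUser(BuildIssuer());
        Console.WriteLine("trusted auditor: " + IsTrustedAuditor(user, sts));
        // A self-issued set (issuer defaults to ClaimSet.System) carries the same claims but is rejected.
        ClaimSet selfIssued = BuildUser(ClaimSet.System);
        Console.WriteLine("self-issued auditor: " + IsTrustedAuditor(selfIssued, sts));
    }
}
```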
How are claim sets accessible?
These claim sets are computed based on the security tokens attached to messages and also on external policies. The details of this process will be the subject of future posts.