Alice in Claims: not only for federation


This is the fifth post in a series about claims based identity management and the Windows Identity Foundation (WIF).

The first four were:

In this post, we show that the claims based model is useful in scenarios other than federation.

A scenario

Considerer the scenario presented in the following figure, where webapp1 and webapp2 are intranet web applications, deployed inside a windows domain and using windows based authentication.


In such a scenario, identity management is rather simple:

  • The user identity is managed by Active Directory (AD), namely domain group membership.
  • This user identity information is seamlessly made available to the web apps, using the integrated support for windows authentication available in ASP.NET.

However, consider the augmented scenario depicted in the next figure, where access must also be available from outside the windows domains, using password based or certificate based user authentication. Note that, for security reasons, the used passwords may be different from the ones used in the domain.

Since integrated windows authentication is not readily available in this scenario, each web app must deal with the identity management issues, namely authentication and group membership. This may imply the creation of credential and identity stores in each web app.NotOnlyForFederation2

In such a scenario, the usage of a claims based model, as showed next, solves this problems.NotOnlyForFederation3

  • Users are initially authenticated by the Identity Provider (IdP), releasing the web apps from this burden. This also simplifies the introduction of new authentication mechanisms, because the web apps are not impacted by these changes.
  • The web apps consume the claims (e.g. group membership, roles, authorizations) issued by the IdP. The claim issuance process can use other sources of information other than active directory, namely for storing user attributes that do not fit in AD’s schema.
  • Any change to the user’s identity (e.g. role change) is readily made available to all the internal web apps.

The advantages obtained from the use of a claims based model and an IdP are similar to the use of integrated windows authentication, but with the added benefits:

  • Authentication is not limited to windows mechanisms.
  • User identity attributes are not limited to the ones stored in the AD. Namely, the claims issuance process may also include the evaluation of authorization policies, releasing the web apps from this task.
  • By using commonly used specifications, it is easier to integrate application not based on Windows technologies.

Finally, the use of claims based model and an internal IdP paves the way to future federation scenarios where

  • Partners must access the web apps, or
  • Domain users must access external apps, namely cloud based apps.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s