Introduction
This is the seventh post in a series about claims based identity management and the Windows Identity Foundation (WIF).
The first six were:
- Alice in Claims: decentralized identity
- Alice in Claims: the claims model
- Alice in Claims: protocols
- Alice in Claims: the anatomy of a token
- Alice in Claims: not only for federation
- Alice in Claims: Windows Identity Foundation
In this post, we describe WIF’s class model for claims based identities.
Claims Class Model
The old identity model
Since its first version, the Microsoft .NET Base Class Library has defined two interfaces (in the System.Security.Principal namespace) for representing identities:
- The IIdentity interface, which aims to represent an identity, is characterized by
  - the IsAuthenticated boolean property,
  - the Name string property, and
  - the AuthenticationType string property, with a description of the authentication method used to verify the name.
- The IPrincipal interface represents the subject of an action, and it is characterized by
  - the IsInRole(string) method that verifies if the subject possesses a given role, and
  - the Identity property that references an IIdentity.
In this model a subject is characterized solely by a name-based identity and a role membership function. We will see below that the new claims based model extends this information with claims collections.
The concrete implementations of the IIdentity include: the GenericIdentity class, the WindowsIdentity class and the FormsIdentity class.
The IPrincipal interface is implemented by classes such as: the GenericPrincipal class, the WindowsPrincipal class and the RolePrincipal class.
Instances implementing the IPrincipal interface are exposed by properties and methods such as:
- the System.Threading.Thread.CurrentPrincipal property, and
- the System.Web.HttpContext.User property.
The new model
The WIF model builds upon the old model by defining two new interfaces and a new class, as shown in the following diagram:
- The IClaimsIdentity interface derives from IIdentity and adds several new properties. The most important is the Claims property that references a claim collection. In this way, an identity is now much more than a single string-based name.
- The Claim class represents individual claims, which are characterized by a value, an issuer name and a type (the ClaimTypes class defines a set of common claim types).
- Finally, the IClaimsPrincipal interface derives from IPrincipal and adds the new Identities property that references a collection of IClaimsIdentity.
In its essence, the new model extends the old one by characterizing an identity not only by a name string but also by a claim collection, where a claim has a value, a type and an issuer.
When using WIF, instances of this new model are exposed in the same places as before, namely through the System.Threading.Thread.CurrentPrincipal and System.Web.HttpContext.User properties. Because IClaimsIdentity and IClaimsPrincipal derive from the old interfaces, code that only knows about IIdentity.Name or IPrincipal.IsInRole keeps working, while claims-aware code can cast to the new interfaces to reach the claim collections.
The new model also contains some methods and properties not addressed in this post, which are only relevant in delegation scenarios. This theme will be the subject of a future post.
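The following example is added here to illustrate both the old model and the new one side by side; it is not code from the original post. It builds a subject the old way (GenericIdentity and GenericPrincipal) and then the WIF way (ClaimsIdentity and ClaimsPrincipal, the concrete implementations of IClaimsIdentity and IClaimsPrincipal in the Microsoft.IdentityModel.Claims namespace of WIF 3.5/4.0; in .NET 4.5 the same types moved to System.Security.Claims as classes without the interfaces). The issuer name "https://idp.example.org" is a made-up value used only for the example, and the FindClaimValue helper is ours, not part of WIF.

```csharp
// Added example, not part of the original post or of WIF itself.
// Assumes a reference to Microsoft.IdentityModel.dll (WIF 3.5 / 4.0).
using System;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;

class ClaimsModelDemo
{
    // Old model: an identity is a name plus an authentication type,
    // a principal is that identity plus a role membership function.
    static IPrincipal BuildOldPrincipal()
    {
        IIdentity identity = new GenericIdentity("alice", "Forms");
        return new GenericPrincipal(identity, new[] { "Readers", "Admins" });
    }

    // New model: the same subject described by a collection of claims,
    // each with a type, a value and an issuer.
    // "https://idp.example.org" is a hypothetical issuer name (assumption).
    static IClaimsPrincipal BuildClaimsPrincipal()
    {
        const string issuer = "https://idp.example.org";
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name,  "alice",             ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Email, "alice@example.org", ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Role,  "Readers",           ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Role,  "Admins",            ClaimValueTypes.String, issuer),
        }, "Federation");
        return new ClaimsPrincipal(identity);
    }

    // A claim is only as trustworthy as whoever issued it, so look claims up
    // by type AND issuer rather than by type alone. Returns null when no
    // claim of that type from the trusted issuer is present.
    static string FindClaimValue(IClaimsPrincipal principal, string claimType, string trustedIssuer)
    {
        foreach (IClaimsIdentity identity in principal.Identities)
            foreach (Claim claim in identity.Claims)
                if (claim.ClaimType == claimType && claim.Issuer == trustedIssuer)
                    return claim.Value;
        return null;
    }

    static void Main()
    {
        IPrincipal old = BuildOldPrincipal();
        Console.WriteLine("old: {0} / {1} / admin={2}",
            old.Identity.Name, old.Identity.AuthenticationType, old.IsInRole("Admins"));

        IClaimsPrincipal claimsPrincipal = BuildClaimsPrincipal();

        // Still an IPrincipal: existing code keeps using Name and IsInRole.
        // WIF answers IsInRole from the ClaimTypes.Role claims.
        Thread.CurrentPrincipal = claimsPrincipal;
        IPrincipal current = Thread.CurrentPrincipal;
        Console.WriteLine("new: {0} / {1} / admin={2}",
            current.Identity.Name, current.Identity.AuthenticationType, current.IsInRole("Admins"));

        // Claims-aware code walks Identities -> Claims.
        foreach (IClaimsIdentity identity in claimsPrincipal.Identities)
            foreach (Claim claim in identity.Claims)
                Console.WriteLine("  {0} = {1} (issuer: {2})", claim.ClaimType, claim.Value, claim.Issuer);

        Console.WriteLine("email from trusted issuer: " +
            FindClaimValue(claimsPrincipal, ClaimTypes.Email, "https://idp.example.org"));
        Console.WriteLine("email from another issuer: " +
            (FindClaimValue(claimsPrincipal, ClaimTypes.Email, "https://other.example.org") ?? "(none)"));
    }
}
```

The design point worth noticing is that IsInRole and Name are not stored separately in the new model: ClaimsIdentity derives Name from the claim whose type is its NameClaimType (ClaimTypes.Name by default) and ClaimsPrincipal answers IsInRole from claims of its RoleClaimType (ClaimTypes.Role by default), so the old interfaces become a view over the claim collection. The second FindClaimValue call returns null on purpose: a claim of the right type is present, but not from the issuer the application trusts, and treating it as valid would let any token source assert attributes about the subject.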