In the last couple of posts, I've written about the claims and security token concepts, and about how WCF models them:
- What are claims?
- Claims and claims sets in WCF
- What are security tokens?
- Security tokens in WCF
- Authorization policies in WCF: from tokens to claim sets
- The ServiceAuthorizationManager class in WCF
In this post I will start writing about how these concepts are modeled in Zermatt:
The Microsoft Code Name “Zermatt” is a framework targeted for .Net developers to help them to build claims-aware applications to address today’s application security requirements using a simplified model that is open and extensible and can improve security
Disclaimer: my conclusions and remarks are based solely on public documentation and on observing the code of the beta release, so use them at your own risk.
A new claims model
Zermatt introduces a new class model for claims, implemented in the Microsoft.IdentityModel namespace and depicted in the following figure.
The IClaimsIdentity interface, derived from the .NET framework's IIdentity interface, represents a claims-based identity. It contains the Claims property, which references a collection of claims.
A claim is represented by the Claim class, essentially by three properties:
- ClaimType (string) containing the claim’s type
- Value (string) with the claim’s value
- ValueType (string) with the claim’s value type
There are some differences in the representation of claims when compared with the "older" System.IdentityModel model.
- In the new model, a claim value is always represented by a string. When the value is not itself a string but a more structured object, that object must be serialized into a string, and the ValueType property identifies the type of the value carried in Value. The ClaimValueTypes class contains a set of constants with the most commonly used claim value types (strings), and the ClaimTypes class contains a set of constants with commonly used claim types (strings).
- There is no equivalent to the Right property.
- A claim also has the following two properties, both of IClaimsIdentity type:
- The Subject property references the IClaimsIdentity partially defined by the claim.
- The Issuer property references the identity of the claim's issuer.
- There is no claim set concept. Instead, in the "new" model, each claim points to its issuer, which is modeled as an IClaimsIdentity.
The NameClaimType property of IClaimsIdentity is used to define the value of the Name property (inherited from IIdentity): this value is the value of the claim whose type equals NameClaimType.
The RoleClaimType property has a similar goal: it defines the type of the claims that carry roles. This is used by classes implementing the IClaimsPrincipal interface.
Finally, the IClaimsIdentity also possesses a Delegate property, of type IClaimsIdentity. This property is used in delegation scenarios, and will be described in a future post.
This new model also introduces the IClaimsPrincipal interface as a specialization of the .NET framework's IPrincipal interface. Namely, this new interface adds an Identities collection that references a set of IClaimsIdentity instances.
Note that the base interface IPrincipal already had an Identity property. The new Identities property (plural) is needed because a principal can be associated with several identities, e.g., in delegation scenarios.
An implementation of the IsInRole interface method can (and should) use the RoleClaimType property of each identity referenced by the Identities property.
Zermatt's claims model also contains an implementation of IClaimsPrincipal, called ClaimsPrincipal, with a static Current property – the IClaimsPrincipal associated with the current context.
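The following program is an added example, not code from the post or from the Zermatt beta. It exercises the model described above (ClaimType/Value/ValueType, a structured value serialized into a string, NameClaimType driving Name, one principal holding several identities, and IsInRole consulting each identity's own RoleClaimType). Because the beta's member names were still changing, it uses System.Security.Claims, the .NET 4.5+ API that inherited this model and is stable; the differences from the beta as described here are that Claim.Issuer is a string rather than an IClaimsIdentity, and the Delegate property is named Actor. The issuer URL and the `urn:example:group` claim type are constructed values.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;

public static class ClaimsModelDemo
{
    // Constructed sample issuer identifier (placeholder, not a real STS). In the beta
    // described in the post the Issuer is an IClaimsIdentity; here it is a string.
    const string Sts = "https://sts.example.test";

    // The user's own identity: a name claim, a role claim and one structured value.
    public static ClaimsIdentity BuildUserIdentity()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, Sts),
            new Claim(ClaimTypes.Role, "Reader", ClaimValueTypes.String, Sts),
            // A non-string value must be serialized; ValueType records how to read it back.
            new Claim(ClaimTypes.DateOfBirth, "1990-05-17", ClaimValueTypes.Date, Sts),
        };
        // The last two arguments are this identity's NameClaimType and RoleClaimType.
        return new ClaimsIdentity(claims, "Federation", ClaimTypes.Name, ClaimTypes.Role);
    }

    // A second identity (e.g. a delegating party) whose roles are carried in a
    // custom claim type rather than in ClaimTypes.Role.
    public static ClaimsIdentity BuildSecondIdentity()
    {
        const string groupType = "urn:example:group";   // constructed claim type
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "audit-service", ClaimValueTypes.String, Sts),
            new Claim(groupType, "Auditor", ClaimValueTypes.String, Sts),
            // Present, but NOT a role for this identity: its RoleClaimType is groupType,
            // so IsInRole("Admin") must not succeed because of this claim.
            new Claim(ClaimTypes.Role, "Admin", ClaimValueTypes.String, Sts),
        };
        return new ClaimsIdentity(claims, "Federation", ClaimTypes.Name, groupType);
    }

    // One principal, several identities (the Identities collection of the post).
    public static ClaimsPrincipal BuildPrincipal()
    {
        return new ClaimsPrincipal(new[] { BuildUserIdentity(), BuildSecondIdentity() });
    }

    // Reads the serialized date back, using ValueType as the deserialization hint.
    public static DateTime ReadDateOfBirth(ClaimsIdentity identity)
    {
        var claim = identity.FindFirst(ClaimTypes.DateOfBirth);
        if (claim == null || claim.ValueType != ClaimValueTypes.Date)
            throw new InvalidOperationException("missing or untyped date-of-birth claim");
        return DateTime.ParseExact(claim.Value, "yyyy-MM-dd", CultureInfo.InvariantCulture);
    }

    // An authorization check should not trust a claim just because it is present:
    // it should also confirm who issued it.
    public static bool AllClaimsIssuedBy(ClaimsIdentity identity, string issuer)
    {
        return identity.Claims.All(c => c.Issuer == issuer);
    }

    public static void Main()
    {
        var principal = BuildPrincipal();
        var user = (ClaimsIdentity)principal.Identity;   // primary identity: the first one

        // Name is derived from the claim whose type equals the identity's NameClaimType.
        Console.WriteLine($"Name = {user.Name}");
        // Subject points back to the identity the claim belongs to.
        Console.WriteLine($"Subject is user = {user.FindFirst(ClaimTypes.Name).Subject == user}");

        // IsInRole walks every identity, each with its own RoleClaimType.
        Console.WriteLine($"IsInRole(Reader)  = {principal.IsInRole("Reader")}");
        Console.WriteLine($"IsInRole(Auditor) = {principal.IsInRole("Auditor")}");
        Console.WriteLine($"IsInRole(Admin)   = {principal.IsInRole("Admin")}");

        Console.WriteLine($"Year of birth = {ReadDateOfBirth(user).Year}");
        Console.WriteLine($"All claims from expected STS = {AllClaimsIssuedBy(user, Sts)}");
    }
}
```

The second identity illustrates the point of the RoleClaimType property: a claim of type ClaimTypes.Role in an identity whose RoleClaimType is something else is just data, not a role, so IsInRole ignores it. Code that reads roles by scanning for ClaimTypes.Role directly, instead of going through IsInRole or each identity's RoleClaimType, would reach a different (and wrong) conclusion.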