Claims-based Identity Terminology

Posted by kaleidoscope on Geeks with Blogs See other posts from Geeks with Blogs or by kaleidoscope
Published on Mon, 22 Mar 2010 03:22:18 GMT Indexed on 2010/03/22 4:41 UTC
Read the original article Hit count: 673

Filed under:

There are several terms commonly used to describe claims-based identity, and it is important to clearly define these terms.

· Identity

In terms of Access Control, the term identity will be used to refer to a set of claims made by a trusted issuer about the user.

· Claim

You can think of a claim as a bit of identity information, such as name, email address, age, and so on. The more claims your service receives, the more you’ll know about the user who is making the request.

· Security Token

The user delivers a set of claims to your service piggybacked along with his or her request. In a REST Web service, these claims are carried in the Authorization header of the HTTP(S) request. Regardless of how they arrive, claims must somehow be serialized, and this is managed by security tokens.

A security token is a serialized set of claims that is signed by the issuing authority.

· Issuing Authority & Identity Provider

An issuing authority has two main features.

The first and most obvious is that it issues security tokens.

The second feature is the logic that determines which claims to issue.

This is based on the user’s identity, the resource to which the request applies, and possibly other contextual data such as time of day. This type of logic is often referred to as policy[1].

There are many issuing authorities, including Windows Live ID, ADFS, PingFederate from Ping Identity (a product that exposes user identities from the Java world), Facebook Connect, and more.

Their job is to validate some credential from the user and issue a token with an identifier for the user's account and  possibly other identity attributes. These types of authorities are called identity providers (sometimes shortened as IdP). It’s ultimately their responsibility to answer the question, “who are you?” and ensure that the user knows his or her password, is in possession of a smart card, knows the PIN code, has a matching retinal scan, and so on.

· Security Token Service (STS)

A security token service (STS) is a technical term for the Web interface in an issuing authority that allows clients to request and receive a security token according to interoperable protocols that are discussed in the following section. This term comes from the WS-Trust standard, and is often used in the literature to refer to an issuing authority.

STS when used from developer point of view indicates the URL to use to request a token from an issuer.

For more details please refer to the link http://www.microsoft.com/windowsazure/developers/dotnetservices/

Geeta, G

© Geeks with Blogs or respective owner