I've been programming with claims-based authentication for some time now with Windows Identity Foundation.

It appears to me that in Windows Identity Foundation, once a user is logged in, the claims are basically strings of information that describe the user.

With the old role-based authentication, I could say that a user is or is not a member of a given group, but with claims-based authentication, I can now have strings of information that describe a user. "This user is female". This user was born on "July 6, 1975". "This user logged in using a USB key".

Is it the essence of claims-based authentication, that I have strings of information about the user given to the application by the framework?

+1  A: 

Claims are attributes about the subject interacting with your application, and can be anything. All the examples you gave are essentially correct.

That's why you can use claims for more than just driving authorization rules. They could also represent user profile information for example. And a role membership is just another attribute (that is mostly used for access control).

A couple of observations:

  • One subtle, but very important difference is that claims are issued by a trusted, authoritative entity (the STS). The origin of a claim is as important as the claim itself. To use a simple example: if I send you a token issued by Microsoft's STS with a claim "Title=Program Manager", you would probably have high certainty that I am a PM working for Microsoft. In other words, there's a correlation between the fidelity of the attributes you get and the level of trust you put in the issuer.
  • In WIF claims values are implemented as "strings" (as in a .NET type), but they could be any (serializable) object. For simple things like roles, groups, names, etc. you just use the value. For other more complex types you will need some kind of deserialization.
Eugenio Pace
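The two observations above, as an added example that is not part of the question or of Eugenio's answer: the application checks which STS issued a claim before acting on it, and turns a string claim value back into a typed value. It uses System.Security.Claims, the .NET 4.5 successor to WIF's Microsoft.IdentityModel.Claims; the issuer URIs and the sample claims are constructed placeholders.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Claims;

// Added example (not from the original post). System.Security.Claims is the .NET 4.5
// home of the WIF types; Microsoft.IdentityModel.Claims in WIF 3.5 has the same shape.
static class ClaimChecks
{
    // Constructed placeholder. In a real application this is the STS configured in the
    // trusted issuer registry (the <issuerNameRegistry> element in web.config).
    const string TrustedIssuer = "https://sts.example.invalid";

    // Observation 1: the origin of a claim matters as much as its value.
    // Only honour a claim when it was issued by the STS we trust; returns null otherwise.
    public static string TrustedClaimValue(ClaimsPrincipal principal, string claimType)
    {
        return principal.Claims
            .Where(c => c.Type == claimType && c.Issuer == TrustedIssuer)
            .Select(c => c.Value)
            .FirstOrDefault();
    }

    // Observation 2: WIF carries values as strings; anything richer than a string
    // is deserialised by the application. Here an xs:date value becomes a DateTime.
    public static DateTime? BirthDate(ClaimsPrincipal principal)
    {
        string raw = TrustedClaimValue(principal, ClaimTypes.DateOfBirth);
        DateTime parsed;
        if (raw != null && DateTime.TryParseExact(raw, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out parsed))
            return parsed;
        return null; // missing, untrusted, or malformed claim: caller must treat as unknown
    }

    static void Main()
    {
        // Constructed token contents: two claims from the trusted STS, one from elsewhere.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.DateOfBirth, "1975-07-06", ClaimValueTypes.Date, TrustedIssuer),
            new Claim("Title", "Program Manager", ClaimValueTypes.String, "https://other.example.invalid"),
        }, "Federation");
        var principal = new ClaimsPrincipal(identity);

        Console.WriteLine(TrustedClaimValue(principal, ClaimTypes.Name));
        Console.WriteLine(BirthDate(principal));
        Console.WriteLine(TrustedClaimValue(principal, "Title") ?? "(no Title claim from the trusted STS)");
    }
}
```

The "Title" claim is present on the principal but comes from an issuer the application does not trust, so TrustedClaimValue ignores it; filtering on Claim.Issuer is what the trust relationship with the STS actually buys you.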