I want to add authentication and authorization to my application. I do not want to use Active Directory for this. Should I use System.IdentityModel.Claims to do this? Will using System.IdentityModel.Claims make it easier to implement authentication and authorization and why/why not?

A: 

You might consider looking at the Microsoft Geneva framework for Claims-Based Authentication and authorization. http://www.microsoft.com/geneva

Implementing Claims based security will definitely make things easier on you.

Claims-based security has the following advantages over role-based and access control lists (ACLs):

  • Single programming model, no matter the authentication scheme used
  • Claims flow across services in a SOA environment more easily and in a more standards-compliant way
  • More flexible (you may see that a role is really just another type of claim)
  • No need to reauthenticate when crossing process boundaries

Hope this helps.

Anderson Imes
ok. What will Claims based security make easier?
Updated to include the Why as well as the How. You might consider updating your original question with your requirements for identity and security. It would help target answers at your specific needs if what I've posted doesn't already answer your question.
Anderson Imes
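The points in the list above about a single programming model and a role being just another claim, as an added example that is not part of the original answers. It assumes the `System.Security.Claims` API of .NET 4.5 and later rather than `System.IdentityModel.Claims` or Geneva; the `urn:example:permission` claim type, the scheme names and the users are hypothetical, and credential verification against your own store is assumed to have happened before `BuildPrincipal` is called.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

static class ClaimsDemo
{
    // Hypothetical application-specific claim type (not a framework constant).
    const string PermissionClaim = "urn:example:permission";

    // Called only after the credentials were verified against your own store
    // (database, federation partner, ...). The scheme name is recorded on the
    // identity, but the authorization check below never inspects it.
    static ClaimsPrincipal BuildPrincipal(string user, string scheme,
        IEnumerable<string> roles, IEnumerable<string> permissions)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, user) };
        foreach (var r in roles) claims.Add(new Claim(ClaimTypes.Role, r)); // a role is a claim
        foreach (var p in permissions) claims.Add(new Claim(PermissionClaim, p));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, scheme));
    }

    // One check for every scheme: role and fine-grained permission are both claims.
    static bool CanApproveInvoice(ClaimsPrincipal user)
    {
        // IsInRole/HasClaim only look at claims, so require an authenticated
        // identity explicitly before trusting them.
        return user.Identity != null && user.Identity.IsAuthenticated
            && user.IsInRole("Accounting")
            && user.HasClaim(PermissionClaim, "invoice:approve");
    }

    static void Main()
    {
        // Constructed sample users.
        var alice = BuildPrincipal("alice", "CustomDb",
            new[] { "Accounting" }, new[] { "invoice:approve" });
        var bob = BuildPrincipal("bob", "Federated",
            new[] { "Accounting" }, new string[0]);
        // No authentication type: the identity carries claims but is not authenticated.
        var unverified = new ClaimsPrincipal(new ClaimsIdentity(new[] {
            new Claim(ClaimTypes.Role, "Accounting"),
            new Claim(PermissionClaim, "invoice:approve") }));

        Console.WriteLine("alice: " + CanApproveInvoice(alice));
        Console.WriteLine("bob: " + CanApproveInvoice(bob));
        Console.WriteLine("unverified: " + CanApproveInvoice(unverified));
    }
}
```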
A: 

Well what do you want to use? A database? What do you believe claims based authentication will give you?

Claims based authentication makes life easier if you want to flow identity through multiple systems such as a middle tier and onto a compatible back end without having to mess with impersonation and delegation. It's also partially for federation - allowing other people's systems to perform the authentication and for you to then authorise access to your application based on the identity information sent by those systems.

But if all you want to do is avoid using AD and instead use usernames and passwords sourced from a database then membership providers are an easier option which enable role and user based authorization checks for WCF and ASP.NET.

blowdart