Tag Archives: openid

Claims-Based Identity and WIF

Lately I’ve been researching claims-based identity with WIF, so I thought I’d share.

Claims-based identity is the notion that rather than having your application manage its own local credential store (password hashes, encrypted secrets and so on), you rely on an external provider. If you have ever read into how OpenID works, that is claims-based identity in practice. Your application, or “Relying Party” (RP), does not store credential information; it trusts what a Security Token Service (STS) says about a user. The advantages of such a system are that you can serve a potentially wider set of authenticated users, and the risk and cost of maintaining a local credential store go away. What does not go away is the trust you place in the STS: the RP is only as secure as its choice of issuers and the care with which it validates the tokens they emit.

Here’s how it works.

A user wants to authenticate on FooWebsite, so he clicks “log in”. FooWebsite does not implement a local credential store, but trusts an STS called BarAuthenticator to establish that the user is authentic, and therefore redirects the user to BarAuthenticator. The user enters his credentials there (whatever that means to BarAuthenticator; FooWebsite does not care about the particular implementation). Assuming BarAuthenticator is satisfied with the credentials, it emits a token to the authenticating party (the user), digitally signed so that tampering can be detected. Contained in that token is a set of key-value pairs, collectively referred to as claims. A claim can be anything: the user's name, a role, a birthday, whatever. The user is then redirected back to the RP, FooWebsite, and presents the token. If the signature verifies against the trusted STS, and the token's issuer, intended audience and expiry match what the RP expects, the claims are accepted as truth, and the user is authenticated and authorized in whichever manner the RP deems appropriate for the given claims. A token that is unsigned, signed by an unknown issuer, issued for a different application or expired is rejected before any claim in it is read.

The “Issuer” is our STS (Security Token Service), and the “Application” is our RP (Relying Party).
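To make the flow concrete, here is an added example that plays both sides of it: an STS that issues a signed token carrying claims, and an RP that validates the token before acting on them. This is not code from the original post and not WIF's own API. BarAuthenticator and FooWebsite are kept as hypothetical issuer and audience URLs, and an HMAC over a constructed shared secret stands in for the X.509 signature a real STS would produce; the sequence of checks at the RP is the point, not the signing primitive.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real STS (for instance one built with WIF)
# signs tokens with an X.509 certificate; an HMAC over a shared secret stands in for
# that signature here so the example runs on the standard library alone.
STS_SIGNING_KEY = b"bar-authenticator-signing-key"   # assumed secret, not a real key
STS_ISSUER = "https://barauthenticator.example/sts"  # hypothetical STS identity
RP_AUDIENCE = "https://foowebsite.example/"          # hypothetical RP identity


class TokenRejected(Exception):
    """Raised by the RP when a presented token must not be trusted."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(subject, claims, audience, lifetime=300, now=None, key=STS_SIGNING_KEY):
    """STS side: after the user has authenticated, emit a signed token carrying claims."""
    now = int(time.time()) if now is None else int(now)
    payload = {
        "iss": STS_ISSUER,      # who issued the token
        "aud": audience,        # which RP it was minted for
        "sub": subject,
        "iat": now,
        "exp": now + lifetime,  # a short lifetime limits replay of a stolen token
        "claims": claims,       # the key-value pairs the RP will act on
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + sig


def rp_validate_token(token, now=None, key=STS_SIGNING_KEY,
                      expected_issuer=STS_ISSUER, expected_audience=RP_AUDIENCE):
    """RP side: accept the claims only if signature, issuer, audience and expiry all check out."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, sig = token.split(".")
        presented_sig = _unb64(sig)
    except ValueError as exc:
        raise TokenRejected("malformed token") from exc
    expected_sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    # Signature first: nothing inside the body is trusted until it verifies.
    if not hmac.compare_digest(expected_sig, presented_sig):
        raise TokenRejected("signature does not verify")
    payload = json.loads(_unb64(body))
    if payload.get("iss") != expected_issuer:
        raise TokenRejected("issuer is not a trusted STS")
    if payload.get("aud") != expected_audience:
        raise TokenRejected("token was minted for a different relying party")
    if now >= payload.get("exp", 0):
        raise TokenRejected("token has expired")
    return payload["sub"], payload["claims"]


def rp_can_access(claims, required_role):
    """Authorization at the RP is a decision over verified claims, never over credentials."""
    return required_role in claims.get("roles", [])


def tamper_with_claims(token, new_claims):
    """Rewrites the claims in a token body while keeping the original signature."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["claims"] = new_claims
    forged = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return forged + "." + sig


def demo(now=1_700_000_000):
    """Walks the flow from the post: log in, issue, present, validate, then three refusals."""
    token = sts_issue_token("alice", {"roles": ["reader"]}, RP_AUDIENCE, now=now)
    subject, claims = rp_validate_token(token, now=now)
    results = {"authenticated_as": subject,
               "reader_ok": rp_can_access(claims, "reader"),
               "admin_ok": rp_can_access(claims, "admin")}
    other_rp = sts_issue_token("alice", {"roles": ["reader"]}, "https://other.example/", now=now)
    for label, bad, when in [("tampered", tamper_with_claims(token, {"roles": ["admin"]}), now),
                             ("expired", token, now + 600),
                             ("wrong_audience", other_rp, now)]:
        try:
            rp_validate_token(bad, now=when)
            results[label] = "accepted"
        except TokenRejected as exc:
            results[label] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of the checks is the part worth copying: the signature is verified before the body is even parsed, and issuer, audience and expiry are checked before the claims reach any authorization decision. WIF's configuration has equivalents for the audience and trusted-issuer checks (its audience URIs and issuer name registry), but the responsibility is the same whatever framework sits in between.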

So where does Windows Identity Foundation fit into this? WIF is the .NET framework that abstracts the components of such a system: the RP-side redirect and token validation described above, and, if need be, standing up an STS of your own. There is a set of decent video tutorials on the particulars of WIF on Channel 9 here.

OpenID Vocabulary

Most programmers have heard of OpenID, and have seen it implemented usefully at many internet sites, but unless you have to implement it yourself, you probably don't care much about its internal workings. For the project I'm working on, I decided that the notion of authentication and user storage is a solved problem, so I opted to defer that responsibility to others. OpenID was the natural choice, so I set out to learn more about it. I could have just gone with a third-party library, but abstractions are leaky, and it's important to understand them. I'll share the vocabulary I've become familiar with here:

  • Identifier – The central idea behind OpenID: the URL that identifies a user.
  • Provider – The authenticating site that verifies that someone is who they say they are.
  • Relying Party – A site that depends on a Provider to verify a person's authenticity.

There are other terms but those are the important ones.
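The three terms meet at one step the list does not spell out: the Relying Party has to get from the Identifier the user typed to the Provider that will vouch for it. The following is an added example, not code from the original post, that goes a little beyond the list and shows that step for the HTML-based discovery variant of OpenID 2.0 (a `<link rel="openid2.provider">` on the Identifier page, with the 1.x `openid.server` / `openid.delegate` relations as fallback). The identifier page is constructed inline so the example runs offline; a real RP would fetch it from the normalized Identifier URL, and XRI identifiers are left out.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input):
    """Turns what the user typed into the canonical URL Identifier.

    Mirrors the URL part of OpenID 2.0 normalization: add a scheme when missing,
    lower-case scheme and host, default the path to "/", drop any fragment.
    XRI identifiers (starting with '=' or '@') are out of scope for this example."""
    text = user_input.strip()
    if not text.lower().startswith(("http://", "https://")):
        text = "http://" + text
    parts = urlsplit(text)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class _OpenIDLinkParser(HTMLParser):
    """Collects <link rel=... href=...> elements from an Identifier's HTML page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            # rel may carry several space-separated tokens; the first href per token wins.
            for token in rel.lower().split():
                self.links.setdefault(token, href)


def discover_provider(identifier_page_html):
    """HTML-based discovery: maps an Identifier page to its Provider endpoint.

    Prefers the OpenID 2.0 link relations and falls back to the 1.x ones. Returns
    None when the page carries no OpenID link relations at all, so the RP can
    refuse rather than guess."""
    parser = _OpenIDLinkParser()
    parser.feed(identifier_page_html)
    links = parser.links
    if "openid2.provider" in links:
        return {"version": "2.0",
                "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": "1.1",
                "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return None


# Constructed page standing in for what an RP would fetch from the Identifier URL.
SAMPLE_IDENTIFIER_PAGE = """<html><head>
<title>alice</title>
<link rel="openid2.provider" href="https://provider.example/server">
<link rel="openid2.local_id" href="https://provider.example/u/alice">
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://provider.example/u/alice">
</head><body>Hi, I'm alice.</body></html>"""


if __name__ == "__main__":
    print(normalize_identifier("Alice.Example.com#profile"))
    print(discover_provider(SAMPLE_IDENTIFIER_PAGE))
```

Discovery is also what makes the later assertion checkable: when the Provider sends the user back, the RP compares the identifier and endpoint in the response against what discovery returned for that Identifier, so that an unrelated Provider cannot assert someone else's URL.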