Lately I’ve been researching claims-based identity with WIF, so I thought I’d share.
Claims-based identity is the notion that rather than having your application manage its own local credential storage (encrypted credentials, password hashes, etc.), you instead rely on an external provider. If you’ve ever read into how OpenID works, that is claims-based identity in practice. Your application, or “Relying Party” (RP), does not store credential information, but rather trusts what a Security Token Service (STS) says about a user. The advantages of such a system are that you have a potentially wider set of authenticated individuals to service, and the risk and cost of maintaining a local credential store are eliminated.
Here’s how it works.
A user wants to authenticate on FooWebsite, so he clicks “log in”. FooWebsite does not implement a local credential store, but rather trusts that an STS called BarAuthenticator will ensure the user is authentic, and therefore redirects the user to BarAuthenticator to authenticate. The user then inputs his credentials (whatever that means to BarAuthenticator; FooWebsite does not care about the particular implementation). Assuming the BarAuthenticator STS is satisfied with the credentials, it emits a token to the authenticating party (the user), which is digitally signed to prevent tampering. Contained in that token is a set of key-value pairs, collectively referred to as claims. A claim can be anything: the user’s name, a role, a birthday, whatever. The user is then redirected back to the RP, FooWebsite, where his token is presented. If the token is verified to have originated from the trusted STS, the claims are accepted as truth, and the user is authenticated/authorized in whichever manner the RP deems appropriate for the given claims.
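To make the flow concrete, here is an added example (not from the original post, and not the WIF API) that models the two roles above in plain Python: the STS issues a signed token carrying claims, and the RP accepts the claims only if the signature verifies, the issuer is the one it trusts, the token is addressed to it, and it has not expired. It assumes a constructed shared HMAC key; a real STS signs with a private key and the RP verifies against the STS’s certificate.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: stands in for the STS signing key / RP trust anchor.
STS_KEY = b"constructed-demo-key-not-for-production"


def sts_issue_token(key, issuer, audience, claims, lifetime=300):
    """STS side: bundle issuer, audience, expiry and claims, then sign."""
    body = {"iss": issuer, "aud": audience,
            "exp": int(time.time()) + lifetime, "claims": claims}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def rp_accept_token(token, key, trusted_issuer, expected_audience, now=None):
    """RP side: return the claims only if every trust check passes, else None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # signature does not verify: tampered or wrong signer
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body.get("iss") != trusted_issuer:
        return None  # not the STS this RP trusts
    if body.get("aud") != expected_audience:
        return None  # token was issued for a different RP
    if body.get("exp", 0) < (now if now is not None else time.time()):
        return None  # expired
    return body["claims"]


def tamper_claims(token, **changes):
    """Rewrite claims inside a token without re-signing (to show detection)."""
    payload, sig = token.split(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    body["claims"].update(changes)
    forged = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    return forged + "." + sig
```

The RP never looks at a password; it only decides whether to trust the token, which is the whole point of the claims model.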
The “Issuer” is our STS (Security Token Service), and the “Application” is our RP (Relying Party).
So where does Windows Identity Foundation fit into this? WIF is the framework for .NET that abstracts the various components of such a system, including standing up an STS (if need be) and the entire authentication flow described above. There is a set of decent video tutorials on the particulars of WIF on Channel 9 here.