February 23, 2012 10:40 am

Although claims-based identity has been possible for quite a while,
there are now tools available that make it much easier for developers
of Windows-based applications to implement it. These tools include
the Windows Identity Foundation (WIF) and Microsoft Active Directory
Federation Services (ADFS) 2.0.

relying party (RP) = application
service provider (SP) = application
A relying party or a service provider is an application that uses claims. The term relying party arose because the application relies on an issuer to provide information about identity. The term service provider is commonly used with the Security Assertion Markup Language (SAML).

This book uses application, or claims-aware application, when discussing the functionality of the application, and relying party or RP when talking about the role of the application in relation to identity providers and federation providers. It does not use service provider or SP.
subject = user
principal = user
A subject or a principal is a user. The term subject has been around for years in security literature, and it makes sense when you think about it: the user is the subject of access control, personalization, and so on. A subject can also be a non-human entity, such as a printer or another device, but this book doesn't discuss such scenarios. In addition, the .NET Framework uses the term principal rather than subject.

security token service (STS) = issuer
Technically, a security token service is the interface within an issuer that accepts requests and creates and issues security tokens containing claims.
identity provider (IdP) = issuer
An identity provider is an issuer, or a token issuer if you prefer. Identity providers validate various user credentials, such as user names, passwords, and certificates, and they issue tokens.
resource security token service (R-STS) = issuer
A resource security token service accepts one token and issues another. Rather than having information about identity, it has information about the resource. For example, an R-STS can translate tokens issued by an identity provider into application-specific claims. Because the application then trusts only the R-STS, the R-STS is where trust in upstream identity providers and the mapping of their claims into application claims are enforced.

active client = smart or rich client
passive client = browser
Much of the literature refers to active versus passive clients. An active client can use a sophisticated library such as Windows Communication Foundation (WCF) to implement the protocols that request and pass around security tokens (WS-Trust is the protocol used in active scenarios). In order to support many different browsers, the passive scenarios use a much simpler protocol to request and pass around tokens, one that relies only on HTTP primitives such as GET (with redirects) and POST; in the Microsoft stack this is the WS-Federation passive requestor profile, and SAML 2.0 web browser SSO follows the same redirect-and-POST pattern.


Windows Identity Foundation (WIF). WIF contains a set of components that enable developers using the Microsoft .NET Framework to externalize identity logic from their application, improving developer productivity, enhancing application security, and enabling interoperability. Developers can apply the same tools and programming model to build on-premises software as well as cloud services without requiring custom implementations. WIF uses a single simplified identity model based on claims, together with interoperability based on industry-standard protocols.

Active Directory Federation Services (ADFS). ADFS is a server role in Windows Server that provides simplified access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the web. It acts as an identity provider and token issuer to enable user access with native single sign-on across organizational boundaries and in the cloud, and to connect applications by using industry-standard protocols.

Active Directory Federation Services

Active Directory Federation Services is an extensible, Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using AD FS in Windows Server 2008 R2, you can grant external users access to your organization's domain resources without provisioning them domain accounts, since the partner organization keeps managing their identities. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.


Secure Collaboration Across Organizational Boundaries

Active Directory Federation Services 2.0 supports claims-based access and single sign-on for cloud-based and on-premises applications. It does this in the enterprise, across organizations, and on the Web, while enhancing application security. It thereby helps reduce the total cost of ownership (including lowering IT costs by simplifying access management) and helps improve enterprise security. AD FS 2.0 also increases ease of use for both users and developers, helping to ensure greater compliance with policies and regulations.

The open architecture of AD FS 2.0 supports the Identity Metasystem. This shared industry vision defines a single identity model for the enterprise, federation, and consumer. The Identity Metasystem uses claims issued by security token services to help applications make user-access decisions regardless of the user's location or the application's architecture.

Streamlines user access

Delivers native single sign-on across organizations to applications both on premises and in the cloud. This enables use of one account and password to access diverse systems. Trust setup and management features in AD FS 2.0 give partners secure access. This model not only helps improve user productivity, but also gives IT control of the interaction between applications, identity stores, and authentication methods across the enterprise and with partners.

Works on premises and in the cloud. With AD FS 2.0, identities can be used between on-premises software and cloud services and with both browser and some rich-client applications.

Builds on existing infrastructure to make user access a configuration task for IT rather than a development task. AD FS 2.0 extends the use of Active Directory Domain Services and integrates with SharePoint 2010 and Active Directory Rights Management Services. AD FS 2.0 uses identity information in Active Directory or SQL Server to provide access to resources. This information can be managed by Forefront Identity Manager so that access rights are based on well-managed identities that are up to date and compliant. AD FS 2.0 is also designed to be interoperable with non-Microsoft infrastructure, so it works in heterogeneous environments.

Provides simplified and flexible access management

Supports open standards and offers tested interoperability. AD FS 2.0 supports industry-standard protocols such as WS-* and SAML 2.0, enabling applications based on different programming models, languages, and devices to interoperate. AD FS 2.0 also simplifies access management through Web and application single sign-on, including multi-factor authentication.

Evolves to address changing access requirements. AD FS 2.0 implements the industry Identity Metasystem vision using a claims-based architecture. Developers can use Windows Identity Foundation to build claims-aware Windows applications that decouple authentication and access management, so they can adapt to changing access requirements with minimal changes to code or customization.

Offers development flexibility. With AD FS 2.0, developers can choose technologies based on functionality and business need. They can mix and match AD FS 2.0 with third-party claims-based security token services, developer frameworks, and clients.

Enhances application security

Provides consistent security because AD FS 2.0 uses a common user-access model external to applications. Enables control over access decisions: AD FS 2.0 offers integrated support for common authentication methods such as Kerberos and X.509 certificates, so IT pros can choose the strength of credentials based on the level of security they need.

Assigns identity management to the organization closest to the user. AD FS 2.0 enables the delegation of responsibility for access to support a federated identity model. Partner organizations can manage their own identities while securely sharing and accepting identities with each other. AD FS 2.0 allows service providers to meet customer requirements without the need to manage customer identities.

A claim is a statement that one subject makes about itself or another subject. The statement can be about a name, identity, key, group, privilege, or capability, for example. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS). A claim is therefore only as trustworthy as the issuer that packaged it: a relying party must verify the token's signature and check the issuer against its configured trust list before it acts on any claim the token carries.
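The pipeline described in the glossary above (identity provider issues claims about a subject; a resource STS accepts one token and issues application-specific claims; the relying party decides on the result) and the claim definition just given, modelled with the .NET System.Security.Claims types. This is an added example, not code from the original page, from WIF or from ADFS; the issuer URIs, the user, the group names and the group-to-role mapping are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (not from the page, WIF or ADFS). Models IdP -> R-STS -> relying
// party in memory. Issuer URIs, user, groups and the role mapping are hypothetical.
public static class ClaimsPipeline
{
    public const string IdpIssuer  = "http://idp.contoso.example/trust";   // hypothetical
    public const string RstsIssuer = "http://rsts.fabrikam.example/trust"; // hypothetical

    // Claim type ADFS emits for Active Directory group membership.
    public const string GroupClaimType = "http://schemas.xmlsoap.org/claims/Group";

    // Application-specific knowledge owned by the R-STS: IdP groups -> app roles (hypothetical).
    private static readonly Dictionary<string, string> GroupToAppRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["CONTOSO\\Finance"]  = "Approver",
            ["CONTOSO\\AllStaff"] = "Reader",
        };

    // Step 1: what the identity provider asserts about the subject (constructed sample claims).
    // The IdP's own Role claim is included on purpose: an application must not honour
    // roles minted by a foreign directory, only roles its own R-STS issues.
    public static ClaimsPrincipal IssueFromIdentityProvider()
    {
        var id = new ClaimsIdentity("Federation");
        id.AddClaim(new Claim(ClaimTypes.Name,  "alice",                 ClaimValueTypes.String, IdpIssuer));
        id.AddClaim(new Claim(ClaimTypes.Email, "alice@contoso.example", ClaimValueTypes.String, IdpIssuer));
        id.AddClaim(new Claim(GroupClaimType,   "CONTOSO\\Finance",      ClaimValueTypes.String, IdpIssuer));
        id.AddClaim(new Claim(GroupClaimType,   "CONTOSO\\AllStaff",     ClaimValueTypes.String, IdpIssuer));
        id.AddClaim(new Claim(ClaimTypes.Role,  "Domain Admins",         ClaimValueTypes.String, IdpIssuer));
        return new ClaimsPrincipal(id);
    }

    // Step 2: the R-STS. Accepts one set of claims and issues another: it keeps only
    // claims from an issuer it trusts, translates groups into application roles, and
    // stamps itself as Issuer while preserving the IdP as OriginalIssuer for audit.
    public static ClaimsPrincipal TransformAtResourceSts(ClaimsPrincipal incoming)
    {
        var outgoing = new ClaimsIdentity("Federation", ClaimTypes.Name, ClaimTypes.Role);

        foreach (var c in incoming.Claims)
        {
            if (!string.Equals(c.Issuer, IdpIssuer, StringComparison.Ordinal))
                continue; // unknown issuer: drop the claim, never pass it through

            if (c.Type == ClaimTypes.Name || c.Type == ClaimTypes.Email)
                outgoing.AddClaim(new Claim(c.Type, c.Value, c.ValueType, RstsIssuer, c.Issuer));
            else if (c.Type == GroupClaimType && GroupToAppRole.TryGetValue(c.Value, out var role))
                outgoing.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, RstsIssuer, c.Issuer));
            // Anything else, including the IdP's Role claim, is intentionally not forwarded.
        }
        return new ClaimsPrincipal(outgoing);
    }

    // Step 3: the relying party. It trusts only the R-STS and decides on the R-STS's claims.
    public static bool CanApprove(ClaimsPrincipal p) =>
        p.Claims.Any() && p.Claims.All(c => c.Issuer == RstsIssuer) && p.IsInRole("Approver");

    public static void Main()
    {
        var fromIdp = IssueFromIdentityProvider();

        // Simulate a claim injected by an issuer the R-STS does not trust (hypothetical URI).
        ((ClaimsIdentity)fromIdp.Identity).AddClaim(
            new Claim(ClaimTypes.Role, "Approver", ClaimValueTypes.String, "http://attacker.example/trust"));

        var forApp = TransformAtResourceSts(fromIdp);
        foreach (var c in forApp.Claims)
            Console.WriteLine($"{c.Type} = {c.Value} (issuer {c.Issuer}, originally {c.OriginalIssuer})");

        Console.WriteLine($"Can approve with R-STS token: {CanApprove(forApp)}");
        Console.WriteLine($"IdP 'Domain Admins' forwarded: {forApp.IsInRole("Domain Admins")}");
        Console.WriteLine($"Can approve with raw IdP token: {CanApprove(fromIdp)}");
    }
}
```

Run as a console project on any .NET that ships System.Security.Claims. The R-STS output carries only Name, Email and the two mapped roles, each stamped with the R-STS as issuer and the IdP as original issuer; the injected Approver claim and the IdP's Domain Admins role never reach the application, and handing the raw IdP token straight to CanApprove fails because its claims are not from the R-STS. In a real deployment the issuer of a token is not a string the caller chooses: WIF establishes it by validating the token signature against the certificate registered for that issuer (its issuer name registry), and this in-memory model skips that step.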
