All .NET Identities now Derive From ClaimsIdentity

With .NET 4.5 a new base class for identities was introduced: the ClaimsIdentity class. The reason is that Windows Identity Foundation has been fully incorporated into the .NET framework and it has really improved the .NET identity model.

What is a Claim?

This might be a stupid question – but I’ve had a hard time finding a definition of what a claims identity is that feels natural. (It might be a language issue, as I’m not a native English speaker and find the word claim somewhat hard to translate properly into Swedish.)

I prefer to explain a claim as a piece of fact. A claims identity is a set of claims or facts, bundled together in an identity. Each claim is made up of a key and a value. An example identity for me could contain these claims:

Type Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Anders
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname Abel
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress anders@abel.nu

So far this is just a set of claims or facts. Being structured as a list of keys and values, it can contain pretty much whatever you want. In this case I’ve used the well-known types for standard parameters, but you can define your own too. Thanks to the flexible structure, any kind of identity can be expressed as a claims identity. It is not only possible – it is used! The old identity classes have all been rewritten to inherit from the new ClaimsIdentity class.

The Authority

Producing a set of claims is easy – I can make up my own that claims I’m part of the super enterprise extra control administrators group. To make a security system complete there must be an issuer. In the case of a WindowsIdentity, the Windows operating system authenticates the user and issues the identity. In more complex federation scenarios there is a security token service (STS) that issues the identity, in the form of a cryptographically signed set of claims.

Everything is now a ClaimsIdentity

The old WindowsIdentity class has been rewritten to inherit from ClaimsIdentity. Internally it overrides everything and relies on the old code, but still – it is a huge step towards a more general identity model to have everything behave as claims identities.

I used the following code snippet to output my current Windows identity as a set of claims:

using System;
using System.Security.Claims;
using System.Security.Principal;

// WindowsIdentity now derives from ClaimsIdentity, so the assignment needs no cast.
ClaimsIdentity identity = WindowsIdentity.GetCurrent();

// Every fact the OS knows about the logged-on user is exposed as a claim.
foreach (var c in identity.Claims)
{
    Console.WriteLine("{0}: {1}\n", c.Type, c.Value);
}

It outputs my user name and the Windows Security IDs of my user and the groups I belong to, presented as claims.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: MYDOMAIN\MYUSER
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid: S-1-5-21-2456453529-233585608-1594492042-3571
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid: S-1-5-21-2456453529-233585608-1594492042-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-21-2456453529-233585608-1594492042-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-21-2859876727-1261456666-3238956704-1013
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid: S-1-5-32-544
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-4
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-2-1
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-2-0
... continued ...

Multiple Authentication Schemes

In a current project, I am about to implement multiple authentication methods into the same application. Having all those authentication methods produce compatible claims identities is a huge advantage. To allow another authentication scheme, the only thing needed is another authentication module that produces the claims identity.

Once inside the application, the authorization code only assumes that there is a claims identity and works against those claims. The authentication and authorization have effectively been decoupled and can be changed independently.
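To illustrate this decoupling, and the point made earlier that anyone can make up claims, here is an added example that is not from the original post. It assumes a hypothetical issuer name, urn:example:sts, for the trusted STS; the authorization method only looks at the claims and their issuer, never at how the user logged in.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;

static class ClaimsAuthorizationDemo
{
    // Hypothetical issuer name; a real deployment uses whatever its STS or login module sets.
    const string TrustedIssuer = "urn:example:sts";

    // Authorization code knows only about claims. It requires the role claim AND that the
    // claim was issued by a trusted authority, so a self-made "I am an administrator"
    // claim is rejected even though it is structurally a perfectly valid claim.
    static bool IsAdministrator(ClaimsPrincipal principal)
    {
        return principal.HasClaim(c =>
            c.Type == ClaimTypes.Role &&
            c.Value == "Administrator" &&
            c.Issuer == TrustedIssuer);
    }

    // Authentication module 1: a federated login whose (constructed) claims carry the STS as issuer.
    static ClaimsIdentity FromFederatedLogin()
    {
        return new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "anders", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String, TrustedIssuer),
        }, "Federation");
    }

    // Authentication module 2: claims the caller simply asserted about itself.
    // No issuer is given, so .NET records the default issuer "LOCAL AUTHORITY".
    static ClaimsIdentity FromSelfAssertedClaims()
    {
        return new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "anders"),
            new Claim(ClaimTypes.Role, "Administrator"),
        }, "SelfAsserted");
    }

    static void Main()
    {
        Console.WriteLine(IsAdministrator(new ClaimsPrincipal(FromFederatedLogin())));
        Console.WriteLine(IsAdministrator(new ClaimsPrincipal(FromSelfAssertedClaims())));
        // Authentication module 3 (Windows only): the interactive Windows logon, handled by
        // the very same authorization code because WindowsIdentity is a ClaimsIdentity.
        Console.WriteLine(IsAdministrator(new ClaimsPrincipal(WindowsIdentity.GetCurrent())));
    }
}
```

The first call succeeds and the second fails solely because of the issuer check; swapping in a new authentication module changes nothing in IsAdministrator.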
