
I am new to claim based authentication. I have gone through several articles and could not figure out the exact use of claim based authentication. Here are some doubts I have about claim based authentication.

  1. I would like to know what is the difference and advantages of claim based over role based authentication.
  2. Can we connect to Sql Server 2008 R2 using claim based authentication instead of ADFS? If, so how?
  3. Advantage of using claim based authentication in WCF?

Can anyone provide me with some explanations, so that I can understand Claim based authentication and use with my application?

magnattic
Sujith S Nair
    In general, the answers to http://stackoverflow.com/q/6786887/223837 may be helpful. Note that a security token can include a claim "this user has role R", which an application can then use to do role-based _authorisation_. – MarnixKlooster ReinstateMonica Dec 27 '12 at 11:19

2 Answers

In addition - claims have nothing to do with authentication.

There is no such thing as claims- or role-based authentication. It is about modeling identity in a way your application can work with.

Roles are also claims (with a fixed true/false value) - claims just give you more expressiveness with key/value pairs.

leastprivilege

Ultimately the main benefits to using claims include:

  1. providing a consistent programming model for your services - you don't need to know how to implement a particular security mechanism, one site might use username and password authentication/authorisation, another Active Directory. Your services don't care either way because all you are doing is processing the claims in all instances.

  2. You don't need to concern yourself with the security implementation. This is done by a third party.

  3. you can customise claims to suit your domain, and treat them as an extension to your authorisation logic - standard security properties usually only provide you with basic information such as roles. You can of course extend this but then you're doing much more work and it is often difficult to implement (eg. extending AD is often not so much a technical challenge but a policy constraint - admins are reluctant to modify the AD schema to accommodate a specific application).

  4. Interoperable - because the claims [format] are based on standards they become much more interoperable between services of different languages and domains as the underlying technology for the security is abstracted.

If you are creating new .NET 4.5 WCF Services you can already start using claims as the namespace is backwards compatible with earlier security implementations, so even if you did decide claims wasn't for you now, you would be in a better position to upgrade later.

There is much more to claims than I can write here and I'm sure there will be others with additional reasons why considering claims might be a good thing.

Hope this helps.

stephenl
  • Hi stephenl, thanks for your help. I have one doubt. Is it possible to connect to Sql Server 2008 R2 using claim based authentication instead of ADFS? Can you please tell about this a little more? – Sujith S Nair Dec 27 '12 at 08:46
  • ADFS2 will use pretty much any data source that manages authentication/authorisation (SQL Server, AD, XML...). A search on ADFS2 will provide more detail. Either way, implementing something like this requires a little planning and most probably will require your system administrators' participation. – stephenl Dec 27 '12 at 09:12
  • @stephenl That is not entirely true: AD FS 2.0 _authenticates_ only against Active Directory (see http://stackoverflow.com/a/4938662/223837), but it can _create claims from_ lots of sources. – MarnixKlooster ReinstateMonica Dec 27 '12 at 11:07
  • @MarnixKlooster I was under the impression that if you had SQL Membership provider databases you could also use that, but if that isn't the case I stand corrected. I was only trying to illustrate that there can be multiple sources from which claims can be created. – stephenl Dec 27 '12 at 12:14
  • Thanks all for your response. I would like to know if I can make an STS without ADFS, i.e. create an STS with the help of a SQL Server database without ADFS. Is this scenario possible? If yes, please provide some guidelines. – Sujith S Nair Dec 28 '12 at 07:38
  • @sujith Have a look at this http://startersts.codeplex.com/ this should meet your requirements – stephenl Dec 29 '12 at 00:16
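To make leastprivilege's point (a role is just a claim with a fixed value) and stephenl's first and third benefits concrete, here is an added C# example built on the .NET 4.5 System.Security.Claims types; it is not code from either answer. The two token sources, the InvoiceApprover role, the department claim type http://example.org/claims/department and the user names are all constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
// Constructed token sources: which one authenticated the caller is irrelevant
// to the service, because both hand back the same kind of ClaimsPrincipal.
static class TokenSources
{
    public const string DeptClaim = "http://example.org/claims/department"; // hypothetical claim type
    // Stand-in for a username/password login that also reads the department from an app database.
    public static ClaimsPrincipal FromPasswordLogin(string user, string department)
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user),
            new Claim(ClaimTypes.Role, "Clerk"), // a role is just a claim with a fixed value
            new Claim(DeptClaim, department)     // custom key/value claim specific to this domain
        };
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Password"));
    }
    // Stand-in for a Windows/AD logon whose group names are mapped to role claims.
    public static ClaimsPrincipal FromDirectory(string account, IEnumerable<string> groups)
    {
        var claims = groups.Select(g => new Claim(ClaimTypes.Role, g)).ToList();
        claims.Add(new Claim(ClaimTypes.Name, account));
        claims.Add(new Claim(DeptClaim, "Finance"));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Windows"));
    }
}

static class InvoiceService
{
    // Authorisation written once against claims, never against a login mechanism.
    public static bool CanApproveInvoice(ClaimsPrincipal caller, string invoiceDept) =>
        caller.Identity.IsAuthenticated
        && caller.IsInRole("InvoiceApprover")                    // matches a ClaimTypes.Role claim
        && caller.HasClaim(TokenSources.DeptClaim, invoiceDept); // checks the custom claim's value
}

class Program
{
    static void Main()
    {
        var clerk = TokenSources.FromPasswordLogin("alice", "Finance");
        var bob = TokenSources.FromDirectory(@"CORP\bob", new[] { "Staff", "InvoiceApprover" });
        Console.WriteLine(InvoiceService.CanApproveInvoice(clerk, "Finance")); // clerk lacks the approver role
        Console.WriteLine(InvoiceService.CanApproveInvoice(bob, "Finance"));   // approver in the right department
        Console.WriteLine(InvoiceService.CanApproveInvoice(bob, "Sales"));     // approver, but wrong department
    }
}
```

The service never asks how the caller logged in; swapping the password source for the directory source (or for a token issued by an STS) changes nothing in InvoiceService.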