What is a claim?

What is a token?

A token is a set of bytes that expresses information about an entity, e.g. a user:

  • The information consists of one or more claims
  • Each claim contains information about the entity

Identity tokens and claims

Claim based identity

A claims-based identity is a set of claims. A claim is a statement that an entity (a user or another application) makes about itself; it is only a claim, not a verified fact.

It relies on three main components:

  • Identity provider STSs (security token services)
  • Federation provider STSs (security token services)
  • Identity library

Components of claim based identity

Microsoft identity technologies

Microsoft identity technologies overview

Identity provider

An STS is commonly provided by an identity provider (or issuer).

Identity provider (or issuer):

  • It’s an authority that makes claims about users
  • Example identity providers:
    • On a company’s network: the employer
    • On the Internet: Facebook, Google, Microsoft, etc.

Security Token

A token is created by a security token service (STS).

Security token service (STS):

  • It’s software that issues tokens
  • Many token formats can be used. The SAML format is popular.

Getting a token

Getting identity token from identity provider (or issuer)

Accepting and using a token

The identity library accepts the token (submitted by the user) and then processes it (validates and verifies it, etc.).

Accepting and using identity token

How Applications Can Use Claims

  • A claim can identify a user
  • A claim can convey group or role membership
  • A claim can grant or deny the right to do something, such as accessing particular information or invoking specific methods
  • A claim can constrain the right to do something, such as indicating the user’s purchasing limit

Multiple identity providers

The claims-based approach makes it easier to use multiple identity providers:

  • The token (submitted by the user to the application) contains information about the token provider/issuer
  • The identity library (used by the application) can use that provider/issuer information and query the provider (e.g. Azure Active Directory, Facebook, Google, etc.) to verify the claims submitted by the user
  • The application maintains a list of trusted providers/issuers

Using Multiple identity providers

Identity federation

Identity federation allows a user from one organization to access resources of another organization, provided that both organizations belong to the same group/corporation.

Federation: the action of forming states or organizations into a single group with centralized control.

Illustrating Identity federation

  • The application submits the identity token to the federation provider
  • The federation provider (FP) transforms the identity token into a federation token and sends it to the user
  • The user now submits the federation token to the application
  • The application (via its identity library) interacts with the federation provider to verify the FP token
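As an added example (not from the original slides) tying together the identity library that accepts and verifies a token, the trusted-issuer list, the use of claims for role and purchasing-limit decisions, and the federation provider's claims transformation: the token format (a signed JSON payload, not SAML), the issuer URLs, the demo keys and the claim names below are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo signing keys: each STS keeps its own key; the application's
# identity library only trusts the issuers it lists when calling accept_token.
ISSUER_KEYS = {
    "https://idp.example.com": b"idp-demo-key",  # identity provider STS
    "https://fp.example.com": b"fp-demo-key",    # federation provider STS
}

def issue_token(issuer, subject, claims):
    """STS side: sign a JSON payload with HMAC-SHA256 (demo format, not SAML)."""
    payload = json.dumps({"iss": issuer, "sub": subject, "claims": claims}, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def accept_token(token, trusted_issuers):
    """Identity library side: check the issuer is trusted, then the signature, then return claims."""
    payload_b64, sig_b64 = token.split(".")
    payload = base64.urlsafe_b64decode(payload_b64)
    data = json.loads(payload)
    issuer = data["iss"]
    # The issuer named inside the token is only used to pick a key after it passes the trust list,
    # so a token naming an unknown issuer is rejected before any cryptography runs.
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer: " + issuer)
    expected = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
        raise ValueError("invalid signature: these claims were not made by the issuer")
    return data

def federate(identity_token):
    """Federation provider: accept the IdP token, transform claims, issue a federation token."""
    data = accept_token(identity_token, {"https://idp.example.com"})
    claims = data["claims"]
    transformed = {  # group membership becomes an application role; the limit is carried over
        "role": "Purchaser" if claims.get("group") == "buyers" else "Guest",
        "purchase_limit": claims.get("purchase_limit", 0),
    }
    return issue_token("https://fp.example.com", data["sub"], transformed)

def can_purchase(token, amount, trusted_issuers):
    """Application: the role claim grants the right, the purchase_limit claim constrains it."""
    claims = accept_token(token, trusted_issuers)["claims"]
    return claims.get("role") == "Purchaser" and amount <= claims.get("purchase_limit", 0)

if __name__ == "__main__":
    idp_token = issue_token("https://idp.example.com", "alice", {"group": "buyers", "purchase_limit": 500})
    fp_token = federate(idp_token)
    print(can_purchase(fp_token, 300, {"https://fp.example.com"}))  # True
    print(can_purchase(fp_token, 900, {"https://fp.example.com"}))  # False
```

The application trusts only the federation provider, so presenting the raw identity token to it fails the issuer check, and a token whose claims were altered after issue fails the signature check.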

Claims Transformation

Accessing enterprise application

Accessing enterprise application: on-premises

Accessing enterprise application: via internet

Accessing enterprise application: in cloud

Single sign on

Single sign on = SSO

Azure Active Directory as identity provider

Azure Active Directory as federation provider

Azure AD Access Control as federation provider

Third party identity provider

Allowing login with a third party identity provider