Author : HASSAN MD TAREQ
What is claim?
- The official definition from the spec is a “piece of information asserted about an Entity.”
- A claim is a statement that one subject makes about itself or another subject
- The statement can be about a name, identity, key, group, privilege, or capability
- for example. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS)
- Think about claims the same way you think about attributes in a central repository such as Active Directory, over which you have little control
- Consider claim as name-value pair
- Claims provide a powerful abstraction for identit
- Claims Simplify Authentication Logic
- Trust is explicit in the claims-based approach
- Security tokens can contain claims such as the user’s name, email address, manager’s email address, groups, roles, and so on
What is Token?
A token is a set of bytes that expresses information abount an entity i.e. user:
- The information consists of one or more claims
- Each claim contains information about the entity
Claim based identity
A claims-based identity is the set of claims. A claim is a statement that an entity (a user or another application) makes about itself, it’s just a claim.
It relies on three main components:
- Identity provider STSs (security token services)
- Federation provider STSs (security token services)
- Identity library
Components of claim based identity
Microsoft identity technologies
STS is commonly provided by an identity provider (or issuer)
Identity provider (or issuer):
- It’s an authority that makes claims about user
- Example identity providers :
- Company’s network: employer
- On the Internet: Facebook, Google, Microsoft, etc.
A token is created by a security token service (STS).
Security token service (STS):
- It’s software that issues tokens
- Many token formats can be used. The SAML format is popular.
Accepting and using token
The identity library accepts token (submitted by user) and then process it (validate, varify etc).
How Applications Can Use Claims
- A claim can identify a user
- A claim can convey group or role membership
- A claim can grant or deny the right to do something. Such as access particular information or invoke specific methods
- A claim can constrain the right to do something. Such as indicating the user’s purchasing limit
Multiple identity providers
Claim based approach makes it easier to use multiple identify providers:
- Token (submitted by user to the application) contains the information about the token provider/issuer
- The identity library (used by the application) can use that provider/issuer information and query the provider (i.e. Azure Active Directory, Facebook, Google etc.) to varify claims submitted by the user
- The application maintains a list of trusted provider/issuer
Identity federation allows user from one organization to access resources of other organization mentioned that both organizations belongs to same group/corporation.
Federation: the action of forming states or organizations into a single group with centralized control.
- Application submits Identity token to federation provider
- Federation provider (FP) transforms identity token to federation token and sends to user
- user now submits federation token to apllication
- Application (identity library) interacts with federation provider to verify FP token
Accessing enterprise application
Accessing enterprise application: on-premises
Accessing enterprise application: via internet
Accessing enterprise application: in cloud
Single sign on
Single sign on = SSO
Azure active directory as identity provider
Azure active directory as federation provider
Azure AD Access Control as federation provider
Thrid party identity provider