Monday, April 9, 2012

Claims Overview - Business Productivity and Information Architecture

Introduction

These days claims are becoming more and more popular, and I reckon that in a few years all Microsoft products will support claims as out-of-the-box (OOTB) functionality and will be built on a claims foundation.

However, I've noticed that claims are still not very well understood by many people, and people are confused about what claims are. In this post I would like to describe in simple language what claims are and how to use them with SharePoint.

Definitions

Claim

A statement that one subject makes about itself or another subject. For example, the statement can be about a name, identity, key, group, privilege, or capability. Claims provide a powerful abstraction for identity.

Token

When a digital identity is transferred across a network, it's just a bunch of bytes. It's common to refer to a set of bytes containing identity information as a security token or just a token. In a claims-based world, a token contains one or more claims, each of which carries some piece of information about the user it identifies.

[image: example security token and the claims it carries]

Claims can represent pretty much anything about a user. In this example, for instance, the first three claims in the token contain the user's name, an identifier for a role she belongs to, and her age.

Provider/Issuer

Claims are issued by a provider; they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (STS). For a full list of definitions of terms associated with claims-based identity, see "Claims-Based Identity Term Definitions" at http://msdn.microsoft.com/en-us/library/ee534975.aspx.


An STS can be owned by an identity provider (IdP):

An Identity Provider-STS (IP-STS) is a service that handles requests for trusted identity claims. An IP-STS uses a database called an identity store to store and manage identities and their associated attributes. The identity store for an identity provider may be simple, such as a SQL database table. An IP-STS may also use a complex identity store, such as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

Realm

The set of applications, URLs, domains, or sites for which a token is valid. Typically a realm is defined using an Internet domain such as "microsoft.com", or a path within that domain such as "microsoft.com/practices/guides". A realm is sometimes described as a "security domain" because it encompasses all applications within a specified security boundary.

Identity Federation

Receive tokens that were generated outside of your own realm, and accept them if you trust the issuer. It allows users to sign on to applications in different realms without needing to enter realm-specific credentials. Users sign on once to access multiple applications in different realms.


Passive Federation

Another name for "Single Sign-on" in the claims area.

Relying party application

Any client application that supports claims.
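To make the definitions above concrete, here is an added example (not code from the original post) of a token issuer and a relying party written in Python. The issuer packages claims about a user (name, role, age) into a signed token; the relying party accepts it only if the issuer is one it trusts, the token's audience is its own realm, and the token has not expired. The trusted-issuer map is also what identity federation rests on: tokens minted outside the relying party's realm are accepted when their issuer is trusted. The issuer name, realm URL, shared key and user claims are constructed values, and the token layout follows the Simple Web Token (SWT) format mentioned later in the post.

```python
# Added example, not code from the original post: a minimal Simple Web Token
# (SWT) issuer and a relying-party validator. The issuer name, realm URL, key
# and user claims are constructed values for the demonstration.
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

RESERVED = ("Issuer", "Audience", "ExpiresOn")


def issue_swt(issuer, audience, claims, key, lifetime_seconds=600, now=None):
    """STS side: package claims about a user into a signed SWT.

    An SWT is a form-encoded list of name=value pairs; the last pair is an
    HMACSHA256 over everything that precedes it, keyed with a secret shared
    between the issuer and the relying party for that audience (realm).
    """
    now = int(time.time()) if now is None else now
    pairs = dict(claims)                              # e.g. name, role, age
    pairs["Issuer"] = issuer                          # who made the statements
    pairs["Audience"] = audience                      # realm the token is valid for
    pairs["ExpiresOn"] = str(now + lifetime_seconds)  # seconds since the epoch
    body = urlencode(pairs)
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + quote(base64.b64encode(mac).decode("ascii"))


def validate_swt(token, my_realm, trusted_issuers, now=None):
    """Relying-party side: accept the token only if it was signed by an issuer
    we trust, is addressed to our realm and has not expired.

    trusted_issuers maps issuer name -> shared key; that mapping is the trust
    relationship federation is built on. Returns the user claims.
    """
    now = int(time.time()) if now is None else now
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token carries no signature")
    pairs = dict(parse_qsl(body, keep_blank_values=True))

    # 1. Is the issuer one we have a trust relationship with?
    key = trusted_issuers.get(pairs.get("Issuer"))
    if key is None:
        raise ValueError("untrusted issuer: %r" % pairs.get("Issuer"))

    # 2. Does the signature verify under that issuer's key? (constant-time compare)
    try:
        presented = base64.b64decode(unquote(sig), validate=True)
    except (ValueError, TypeError):
        raise ValueError("malformed signature")
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        raise ValueError("signature mismatch (token altered or wrong key)")

    # 3. Was the token issued for this realm, and is it still within its lifetime?
    if pairs.get("Audience") != my_realm:
        raise ValueError("token is for realm %r, not %r" % (pairs.get("Audience"), my_realm))
    if int(pairs.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")

    return {k: v for k, v in pairs.items() if k not in RESERVED}


if __name__ == "__main__":
    STS = "https://sts.contoso.example/"           # constructed issuer name
    PORTAL = "https://intranet.contoso.example/"   # constructed relying-party realm
    KEY = b"constructed-shared-secret"
    token = issue_swt(STS, PORTAL, {"name": "Alice", "role": "Employees", "age": "34"}, KEY)
    print(token)
    print(validate_swt(token, PORTAL, {STS: KEY}))
```

The order of checks matters: the issuer is looked up first because its key is needed to verify the signature, and nothing else in the token (audience, expiry, the claims themselves) is trusted until the signature holds.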

Claims Benefits

  • Decouple your applications from the details of identity - It's no longer the application's responsibility to authenticate users
  • Authentication flexibility
  • Single sign-on
  • No VPN access
  • Federating with other companies
  • Federating with non AD services

Claims Elements

Claims-based identity consists of the following elements:

  • Token
  • Claim
  • Provider/Issuer
    • SharePoint STS
    • ADFS
    • ACS
    • OID
    • etc.

ADFS Issuer

[diagram: ADFS as claims issuer]

Claims Protocols

That's probably the area of the biggest confusion: when people talk about claims they usually miss that two different types of tokens are used with claims, and not all applications support both of them. You should be very clear about the protocol you are going to use.

Security tokens that are passed over the Internet typically take one of two forms:

  • Security Assertion Markup Language (SAML) tokens are XML-encoded structures that are embedded inside other structures such as HTTP form posts and SOAP messages.
  • Simple Web Token (SWT) tokens are stored in the HTTP headers of a request or response (WS-Federation).

(An advantage of the SAML-P protocol over WS-Federation is that it supports initiating the authentication process from the IdP instead of the RP, which avoids the requirement for either the relying party (RP) or the federation provider (FP) to perform home realm discovery.)
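The first token form listed above, the XML-encoded SAML token, looks quite different on the wire from a header token. As an added example (not code from the original post), here is a relying-party routine in Python that pulls the claims out of a SAML 2.0 assertion while enforcing the checks that sit next to them in the XML: the issuer must be trusted, the AudienceRestriction must name the relying party's realm, and the current time must fall inside the NotBefore/NotOnOrAfter window. The assertion text, issuer name and realm identifier are constructed; the claim type URIs are the standard name and role claim types. The XML Signature that a real issuer such as ADFS places on the assertion must be verified with the issuer's certificate before any of these fields are believed, and that step, which needs an XML-DSig library, is outside this example.

```python
# Added example, not code from the original post: extracting claims from a
# SAML 2.0 assertion on the relying-party side. The assertion, issuer name
# and realm identifier below are constructed for the demonstration.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample of what an IP-STS would embed in an HTTP form post.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2012-04-09T10:00:00Z">
  <saml:Issuer>https://adfs.contoso.example/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@contoso.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-04-09T10:00:00Z" NotOnOrAfter="2012-04-09T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:sharepoint:intranet</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Employees</saml:AttributeValue>
      <saml:AttributeValue>Managers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed clock values: one inside the validity window, one at its end.
DEMO_NOW = datetime(2012, 4, 9, 10, 30, tzinfo=timezone.utc)
DEMO_LATE = datetime(2012, 4, 9, 11, 0, tzinfo=timezone.utc)
DEMO_ISSUER = "https://adfs.contoso.example/adfs/services/trust"
DEMO_REALM = "urn:sharepoint:intranet"


def _utc(timestamp):
    """Parse the UTC timestamp format used in SAML Conditions attributes."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml, my_realm, trusted_issuers, now):
    """Return (subject, {claim_type: [values]}) for an assertion that comes from
    a trusted issuer, is addressed to my_realm and is inside its validity window.

    Signature verification (ds:Signature) is a prerequisite handled elsewhere;
    without it none of the fields read here can be trusted.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 2.0 assertion")

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer: %r" % issuer)

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions")
    not_before = _utc(conditions.get("NotBefore"))
    not_on_or_after = _utc(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")

    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_realm not in audiences:
        raise ValueError("assertion not addressed to realm %r" % my_realm)

    subject = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return subject, claims


if __name__ == "__main__":
    print(extract_claims(SAMPLE_ASSERTION, DEMO_REALM, {DEMO_ISSUER}, DEMO_NOW))
```

Note that the role claim comes back as a list: a SAML attribute may carry several values, and a relying party that only reads the first one silently drops group memberships.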

Claims-based Application Architecture

Model name: Direct Hub Model; Direct Trust Model

[diagram: Direct Hub Model]

[diagram: Direct Trust Model]

Advantage

  • It's easier to manage multiple trust relationships in ADFS than in SharePoint.
  • It's simpler to manage a single trust relationship in SharePoint and it avoids the requirement for multiple custom claims providers.
  • You can reuse the trust relationships in the FP with other relying parties.
  • You can leverage ADFS features such as integration with auditing tools to track token issuing.
  • ADFS supports the SAML-P protocol in addition to WS-Federation.
  • The ADFS issuer can extract LDAP attributes from AD.
  • ADFS can add rules with arbitrary SQL statements to extract data from a custom SQL database.

Disadvantage

  • Requires a user account in AD or in trusted stores.

Resources:

