Thursday, November 11, 2010

Claims based authentication

For the last 9 months I’ve hearing a lot about Claims based authentication, however all I’ve read about it is pretty much close to the specifications and there are not much clarification and notes. I don’t think I still understand the nuts and bolts of the overall process but at least defining the next couple of concepts have made a difference in how I grasp the idea behind claims based authentication.

First and foremost, what is a claim? A Claim is nothing else that a piece of information about the identity of a person. You can think of it as properties of an individual, like Age, Name, Date of Birth, A Role or Permission, etc. Claim is just a generic name for data associated to a person.

When you think about it, this idea could be generalized to be used for more than persons. That’s why “subject” is used as the standard terminology. Persons are the most used “subjects” worldwide but this leaves room to apply this architecture in more complex scenarios.

So, redefining Claims: Claims are individual pieces of identity information about a Subject. Now that we know what is a Claim, let see how to use it.

Not only the identity information pertinent to a person has been standardized but also the process or application which generates that information. That algorithm could be embedded inside our application, but that would make difficult for another application to make use of it. So, the component for authenticating users is better to be an independent, isolated one; it could be even a third party in the cloud. The agreed name of that kind of application is “Issuer”.

We have defined the three main and more basic concepts behind Claims based authentication: Claims, Subject and Issuer.

The identity of a Subject is compose by a set of Claims issued and signed by the Issuer to create security tokens.

With this in mind there are lot of documentation that could be explored. Microsoft Identity Framework is an SDK that could be downloaded to work with Claims based authentication. I also recommend reading Michele Bustamante authentication series ( and this reference: