Claims-based identity

Claims-based identity

Claims-based identity is a common way for applications to acquire the identity information they need about users inside their organization, in other organizations, and on the Internet.[1] It also provides a consistent approach for applications running on-premises or in the cloud.

The key strength of claims-based identity is that it abstracts the individual elements of identity and access control into two parts; a single, general notion of claims and the concept of an issuer or an authority.[2]

A claim is a statement that one subject, such as a person or organization, makes about itself or another subject. For example the statement can be about a name, group, buying preference, ethnicity, privilege, association or capability. The subject making the claim or claims is the provider. Claims are packaged into one or more tokens that are then issued by an issuer, commonly known as a security token service (STS).[2]

Contents

Benefits

Claims-based identity has the potential to simplify authentication logic for individual software applications, because those applications don't have to provide mechanisms for account creation, password creation, reset, and so on. Furthermore, claims-based identity enables applications to know certain things about the user, without having to interrogate the user to determine those facts. The facts come with the claim.

Claims-based identity can greatly simplify the authentication process for the user because he or she doesn't have to sign in multiple times to multiple applications. A single sign in creates the token which is then used to authenticate against multiple applications, or web sites. As well, because certain facts (claims) are packaged with the token, the user does not have to tell each individual application those facts repeatedly, for instance by answering similar questions or completing similar forms.

Identity and claims

The name "claims-based identity" can be confusing at first because it seems like a misnomer. Attaching the concept of claims to the concept of identity appears to be combining authentication (determination of identity) with authorization (what the identified subject may and may not do). However a closer examination reveals that this is not the case. Claims are not what the subject can and cannot do. They are what the subject is or is not. It is up to the application receiving the incoming claim to map the is/is not claims to the may/may not rules of the application. In traditional systems there is often confusion about the differences and similarities between what a user is/is not and what the user may/may not do. Claims-based identity makes that distinction clear.

Security token service

Once the distinction between what the user is/is not and what the user may/may not do is clarified, it becomes apparent that the authentication of what the user is/is not (the claims) are often better handled by a third party than by any individual application. This third party is called the security token service. To better understand the concept of security token service, consider the analogy of a night club with a doorman. The doorman wants to prevent under-age patrons from entry. To facilitate this he requests a patron to present a driver's license, health insurance card or other identification (the token) that has been issued by a trusted third party (the security token service) such as the provincial or state vehicle license department, health department or insurance company. The nightclub is thus alleviated of the responsibility of determining the patron's age. It only has to trust the issuing authority (and of course make its own judgment of the authenticity of the token presented). With these two steps completed the nightclub has successfully authenticated the patron with regard to the claim that he or she is of legal drinking age.

Continuing the analogy, the nightclub may have a membership system, and certain members may be regular or VIP. The doorman might ask for another token, the membership card, which might make another claim; that the member is a VIP. In this case the trusted issuing authority of the token would probably be the club itself. If the membership card makes the claim that the patron is a VIP, then the club can react accordingly, translating the authenticated VIP membership claim to a permission such as the patron being permitted to sit in the exclusive lounge area and be served free drinks.

See also

References

External links


Wikimedia Foundation. 2010.

Игры ⚽ Поможем сделать НИР

Look at other dictionaries:

  • Identity theft — is a form of stealing another person s identity in which someone pretends to be someone else by assuming that person s identity, typically in order to access resources or obtain credit and other benefits in that person s name. The victim of… …   Wikipedia

  • Identity politics — is political action to advance the interests of members of a group whose members are oppressed by virtue of a shared and marginalized identity (such as race, ethnicity, religion, gender, sexual orientation, or neurological wiring). The term has… …   Wikipedia

  • Identity 2.0 — Identity 2.0, also called digital identity, is the anticipated revolution of identity verification on the internet using emerging user centric technologies such as Information Cards or OpenID. Identity 2.0 stems from the Web 2.0 theory of the… …   Wikipedia

  • Identity resolution — is an operational intelligence process, typically powered by an identity resolution engine or middleware stack, whereby organizations can connect disparate data sources with a view to understanding possible identity matches and non obvious… …   Wikipedia

  • Identity Metasystem — The Identity Metasystem is an interoperable architecture for digital identity that enables people to have and employ a collection of digital identities based on multiple underlying technologies, implementations, and providers. Using this approach …   Wikipedia

  • Identity of Junius — Junius was the pseudonym of a writer who contributed a series of political letters to the Public Advertiser [The Public Advertiser was a political newspaper run by Henry Sampson Woodfall, presumably based in London. His brother of William… …   Wikipedia

  • Ghosting (identity theft) — Ghosting is a form of identity theft in which someone steals the identity, and sometimes even the role within society, of a specific dead person (the ghost ) who is not widely known to be deceased. Usually, the person who steals this identity… …   Wikipedia

  • Digital identity — For related uses, see Internet identity Digital identity is the aspect of digital technology that is concerned with the mediation of people s experience of their own identity and the identity of other people and things. Digital identity also has… …   Wikipedia

  • WSO2 Identity Solution — The WSO2 Identity Solution, enables LAMP and Java websites to provide strong authentication based on the new interoperable Microsoft CardSpace technology and also includes OpenID and OpenID Information Cards, further enhancing the WSO2 Identity… …   Wikipedia

  • Native American identity in the United States — In the United States, there are over 560 federally recognized tribes, and over 1.8 million Native Americans Native American identity in the United States is an evolving topic based on the struggle to define Native American or (American) Indian… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”