A Guide to Claims-Based Identity and Access Control (2nd Edition)

codeling 1595 - 6639
@2021-05-08 16:47:44

This book gives you enough information to evaluate claims-based identity as a possible option when you are planning a new application or making changes to an existing one. It is intended for any architect, developer, or information technology (IT) professional who designs, builds, or operates Web applications and services that require identity information about their users.

Although claims-based identity has been possible for quite a while, there are now tools available that make it much easier for developers of Windows-based applications to implement it. These tools include the Windows Identity Foundation (WIF), Microsoft Active Directory® Federation Services (ADFS) v2, and Azure Access Control Service (ACS). This book shows you when and how to use these tools in the context of some commonly occurring scenarios.

An Introduction to Claims explains what a claim is and provides general rules on what makes good claims and how to incorporate them into your application. It's probably a good idea that you read this chapter before you move on to the scenarios.

Claims-Based Architectures shows you how to use claims with browser-based applications and smart client applications. In particular, the chapter focuses on how to implement single sign-on for your users, whether they are on an intranet or an extranet. This chapter is optional. You don't need to read it before you proceed to the scenarios.

Claims-Based Single Sign-On for the Web and Azure is the starting point of the path that explores the implementation of single sign-on and federated identity. This chapter shows you how to implement single sign-on and single sign-out within a corporate intranet. Although this may be something that you can also implement with Integrated Windows Authentication, it is the first stop on the way to implementing more complex scenarios. It includes a section for Microsoft Azure™ technology platform that shows you how to move the claims-based application to the cloud.

Federated Identity for Web Applications shows how you can give your business partners access to your applications while maintaining the integrity of your corporate directory and theirs. In other words, your partners' employees can use their own corporate credentials to gain access to your applications.

Federated Identity with Microsoft Azure Access Control Service is the start of a parallel path that explores Azure Access Control Service (ACS) in the context of single sign-on and federated identity. This chapter extends the scenarios described in the previous chapter to enable users to authenticate using social identity providers such as Google and Windows Live® network of Internet services.

Federated Identity with Multiple Partners is a variation of the federated identity scenario that shows you how to federate with partners who have no issuer of their own as well as those who do. It demonstrates how to use the ASP.NET MVC framework to create a claims-aware application.

Federated Identity with Multiple Partners and Microsoft Azure Access Control Service extends the scenarios described in the previous chapter to include ACS to give users additional choices for authentication that include social identity providers such as Google and Windows Live.

Claims Enabling Web Services is the first of a set of chapters that explore authentication for active clients rather than web browsers. This chapter shows you how to use the claims-based approach with web services, whereby a partner uses a smart client that communicates with identity providers and token issuers using SOAP-based services.

Securing REST Services shows how to use the claims-based approach with web services, whereby a partner uses a smart client that communicates with identity providers and token issuers using REST-based services.

Accessing REST Services from a Windows Phone Device shows how you can use claims-based techniques with Windows Phone™ wireless devices. It discusses the additional considerations that you must take into account when using claims-based authentication with mobile devices.

Claims-Based Single Sign-On for Microsoft SharePoint 2010 begins a path that explores how you can use claims-based identity techniques with Microsoft SharePoint 2010. This chapter shows how SharePoint web applications can use claims-based authentication with an external token issuer such as ADFS to enable access from both internal locations and externally over the web.

Federated Identity for SharePoint Applications extends the previous chapter to show how you can use federated identity techniques to enable users to authenticate using more than one identity provider and token issuer.

@2022-03-12 12:07:54

AzMan is available for use in the following versions of Windows: Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, or Windows XP. It is deprecated as of Windows Server 2012 R2 and may be removed in subsequent versions.

You have several options depending on your upgrade objectives:

  1. Upgrade to EntLib 5.0, which still includes the Security Application Block with the AzMan wrapper.
  2. Use AzMan directly.
  3. Upgrade to EntLib 6, but take the source of the AzMan wrapper from EntLib 5.
  4. Use claims-based authorization, though that’s a very different model. For more info, I suggest you take a look at this Guide to Claims-Based Identity.

@2022-03-19 11:44:29

As an application designer or developer, imagine a world in which you don’t have to worry about authentication. Imagine instead that all requests to your application already include the information you need to make access control decisions and to personalize the application for the user. In this world, your applications can trust another system component to securely provide user information, such as the user’s name or email address, a manager’s email address, or even a purchasing authorization limit. The user’s information always arrives in the same simple format, regardless of the authentication mechanism, whether it’s Microsoft® Windows® integrated authentication, forms-based authentication in a web browser, an X.509 client certificate, or something more exotic.

@2022-03-19 13:30:50

Federation protocols such as WS-Federation and the Security Assertion Markup Language (SAML) have been used as interoperable protocols that are implemented on all major technology platforms.


© 2024 Digcode.com