Geeks With Blogs

Kaleidoscope Everything under the sun, ending in .Net

There are several terms commonly used to describe claims-based identity, and it is important to clearly define these terms.

· Identity

In terms of Access Control, the term identity will be used to refer to a set of claims made by a trusted issuer about the user.

· Claim

You can think of a claim as a bit of identity information, such as name, email address, age, and so on. The more claims your service receives, the more you’ll know about the user who is making the request.

· Security Token

The user delivers a set of claims to your service piggybacked along with his or her request. In a REST Web service, these claims are carried in the Authorization header of the HTTP(S) request. Regardless of how they arrive, claims must somehow be serialized, and this is managed by security tokens.

A security token is a serialized set of claims that is signed by the issuing authority.

· Issuing Authority & Identity Provider

An issuing authority has two main features.

The first and most obvious is that it issues security tokens.

The second feature is the logic that determines which claims to issue.

This is based on the user’s identity, the resource to which the request applies, and possibly other contextual data such as time of day. This type of logic is often referred to as policy[1].

There are many issuing authorities, including Windows Live ID, ADFS, PingFederate from Ping Identity (a product that exposes user identities from the Java world), Facebook Connect, and more.

Their job is to validate some credential from the user and issue a token with an identifier for the user's account and possibly other identity attributes. These types of authorities are called identity providers (sometimes shortened as IdP). It's ultimately their responsibility to answer the question, "who are you?" and ensure that the user knows his or her password, is in possession of a smart card, knows the PIN code, has a matching retinal scan, and so on.

· Security Token Service (STS)

A security token service (STS) is a technical term for the Web interface in an issuing authority that allows clients to request and receive a security token according to interoperable protocols that are discussed in the following section. This term comes from the WS-Trust standard, and is often used in the literature to refer to an issuing authority.

From a developer's point of view, the STS is simply the URL to which a client sends its request for a token from an issuer.
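To make the Security Token and STS definitions above concrete, here is an added example (not code from the original post, and not any real product's implementation) that models the whole round trip in one script: an identity provider that checks a credential and answers "who are you?", a policy function that decides which claims to release for a given resource, an STS that serializes those claims and signs them, a client that carries the token in the Authorization header, and a relying service that accepts the claims only after verifying the signature against an issuer it trusts. The issuer name, the HMAC key, the user directory and the token layout (base64url JSON payload, a dot, base64url HMAC-SHA256) are all constructed for this example; a production STS would sign with a private key and publish its public key rather than share a secret with every service.

```python
import base64
import hashlib
import hmac
import json
import time

# Everything below is constructed for this example.
ISSUER_NAME = "https://sts.example.test"            # placeholder issuer identifier
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"   # shared HMAC key (assumption; real STSs use private keys)
USERS = {                                           # constructed credential store behind the identity provider
    "alice": {"password": "correct horse", "email": "alice@example.test", "age": 34},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> str:
    # Canonical JSON so the bytes that get signed are unambiguous.
    return b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())


def decode_claims(payload: str) -> dict:
    return json.loads(b64url_decode(payload))


def policy(username: str, resource: str) -> dict:
    """Issuing-authority policy: which claims to release for this user and this resource.
    Constructed rule: the age claim is released only to the 'orders' resource."""
    profile = USERS[username]
    claims = {"iss": ISSUER_NAME, "sub": username, "aud": resource, "email": profile["email"]}
    if resource == "orders":
        claims["age"] = profile["age"]
    return claims


def sts_issue_token(username: str, password: str, resource: str, now=None) -> str:
    """The STS endpoint: verify the credential ('who are you?'), then issue a signed token."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("credential rejected")
    claims = policy(username, resource)
    claims["exp"] = int(time.time() if now is None else now) + 300   # five-minute lifetime
    payload = encode_claims(claims)
    signature = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url_encode(signature)


def build_request_headers(token: str) -> dict:
    """Client side: the token rides along with the request in the Authorization header."""
    return {"Authorization": "Bearer " + token}


def service_verify(headers: dict, my_resource: str, trusted_issuers: dict, now=None) -> dict:
    """Relying service: accept the claims only if the token was signed by a trusted issuer,
    was addressed to this service, and has not expired. Returns the verified claims."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 1:
        raise PermissionError("missing or malformed bearer token")
    payload, presented_sig = token.split(".")
    claims = decode_claims(payload)                  # untrusted until the signature checks out
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        raise PermissionError("token is from an issuer this service does not trust")
    expected_sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(presented_sig)):
        raise PermissionError("signature does not verify: claims altered or not from the issuer")
    if claims.get("aud") != my_resource:
        raise PermissionError("token was issued for a different resource")
    if int(time.time() if now is None else now) >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims


if __name__ == "__main__":
    token = sts_issue_token("alice", "correct horse", "orders", now=1_000_000)
    headers = build_request_headers(token)
    print(service_verify(headers, "orders", {ISSUER_NAME: ISSUER_KEY}, now=1_000_010))
```

Note that the service reads the `iss` claim before checking the signature only to find out which key to verify with; nothing in the payload is acted on until `compare_digest` succeeds, and a token whose issuer is not in `trusted_issuers` is rejected outright. The audience check is what stops a token issued for the `catalog` resource from being replayed against `orders`, which also keeps the policy decision (age released only to `orders`) meaningful at the service.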

For more details please refer to the link


Posted on Sunday, March 21, 2010 4:22 PM

Comments on this post: Claims-based Identity Terminology

# re: Claims-based Identity Terminology
I have found the STS very useful as it allows clients to request and receive a security token. It is a very secure process.

Performance Tuning
Left by Harry on May 30, 2010 9:28 PM
