Saturday, January 31, 2009

What is a Claim?

See also the previous post, "Claims-based authentication in next SharePoint".

So, what are these claims, and what is the claims-based model that generates so much fuss?

The claims-based model has three components:
1. the relying party, which needs the claim in order to decide what it is going to do
2. the identity provider, which issues the claim
3. the user, who decides what information, if any, he wants to provide.

Claims can carry static information such as birth date or credit card details, relationship-based information such as group membership, or derived claims that make general assertions, such as "the user is over 21 years of age", without revealing the underlying data. There are also metaclaims that describe how the information was verified (for example, in-person registration) or how it was issued.

Claims can be used in three ways:
1. to securely transmit the requesting user's identity across machines
2. to provide application-specific concepts, such as roles, so that applications can augment the claims about a user and reason about those claims when making authorization decisions
3. to interoperate with multiple authentication providers in a consistent manner.

© Copyright 2009, Tomas Elfving

Claims-based authentication in next SharePoint

Microsoft is replacing the authentication system for SharePoint Server and will instead rely on a new claims-based identity model.

The goal is for SharePoint to incorporate an authentication model that works with any corporate identity system, including Active Directory, LDAPv3-based directories, application-specific databases, the newer user-centric identity models (LiveID, OpenID) and InfoCard systems (Microsoft's CardSpace and Novell's Digital Me).

SharePoint will drop the current authentication system, criticised for its rigidity, in favor of claims about a user, such as age or group membership, that are presented to obtain access to the SharePoint environment and to the systems reached from SharePoint applications.

The claims architecture, part of Microsoft's Identity Metasystem model for a distributed identity architecture, is based on protocols such as WS-Federation, WS-Trust and the Security Assertion Markup Language (SAML). The Metasystem includes a Security Token Service (STS), an emerging component developed by Microsoft that handles the exchange of claims.

Claims can be built dynamically, picking up information about users and validating existing claims against a trusted source. The advantage of a claims-based system is that it is flexible and designed for heterogeneous identity environments.
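The three-party exchange described in the first post (identity provider, user, relying party) and the token exchange the STS paragraph above refers to, as an added, self-contained example that is not code from either post or from SharePoint. It deliberately uses a constructed HMAC shared secret, a hypothetical issuer name `idp.example`, a constructed user store and a toy token format rather than SAML or WS-Trust, so that it runs offline; the point it demonstrates is that the relying party never sees the raw birth date (only the derived claim `over_21`), that it refuses a token whose claims were altered after signing, and that a metaclaim about how the identity was verified can feed the authorization decision.

```python
"""Toy claims exchange: an identity provider issues a signed set of claims the
user agreed to release; a relying party verifies the token and authorizes
purely from those claims. Added example with constructed data and a
constructed shared secret; real deployments use SAML/WS-Trust tokens signed
by the STS's private key."""
import base64
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret"  # constructed, demo only
ISSUER = "idp.example"  # hypothetical identity-provider name

# Constructed user store held by the identity provider. "verification"
# records how the identity was originally checked and becomes a metaclaim.
USERS = {
    "alice": {"birth_date": "1980-01-31", "groups": ["finance"], "verification": "in-person"},
    "bob": {"birth_date": "1990-05-10", "groups": ["sales"], "verification": "email"},
}


def _age(birth_iso: str, today_iso: str) -> int:
    b, t = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))


def _encode(claims: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()


def _sign(payload: str) -> str:
    return hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, requested: list, today_iso: str) -> str:
    """Identity provider: emit only the claims the user chose to release."""
    record = USERS[user]
    claims = {}
    for name in requested:
        if name == "over_21":  # derived claim: the birth date itself stays with the provider
            claims["over_21"] = _age(record["birth_date"], today_iso) >= 21
        elif name in ("birth_date", "groups"):  # static / relationship-based claims
            claims[name] = record[name]
    claims["_issuer"] = ISSUER  # metaclaim: who issued the token
    claims["_verified_by"] = record["verification"]  # metaclaim: how identity was verified
    payload = _encode(claims)
    return payload + "." + _sign(payload)


def verify_token(token: str, trusted_issuers=(ISSUER,)) -> Optional[dict]:
    """Relying party: accept claims only with a valid signature from a trusted issuer."""
    payload, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if claims.get("_issuer") not in trusted_issuers:
        return None
    return claims


def authorize(token: str, resource: str) -> bool:
    """Relying party decision, made from the claims alone (no directory lookup)."""
    claims = verify_token(token)
    if claims is None:
        return False
    if resource == "age-restricted-site":
        return claims.get("over_21") is True
    if resource == "finance-portal":
        # Relationship claim plus metaclaim: group membership AND in-person verification.
        return "finance" in claims.get("groups", []) and claims.get("_verified_by") == "in-person"
    return False


def modify_claims_unsigned(token: str, **changes) -> str:
    """Re-encode claims with changes but keep the old signature; simulates a token
    altered in transit, so the relying party's signature check can be exercised."""
    payload, _, sig = token.rpartition(".")
    claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    claims.update(changes)
    return _encode(claims) + "." + sig


if __name__ == "__main__":
    tok = issue_token("alice", ["over_21", "groups"], "2009-01-31")
    print(verify_token(tok))
    print("age-restricted-site:", authorize(tok, "age-restricted-site"))
    print("tampered token accepted:", verify_token(modify_claims_unsigned(tok, over_21=True)) is not None)
```

Note that the relying party authorizes without ever contacting the user directory: everything it needs arrives in the token, which is what lets the same application work behind any identity provider the STS trusts.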

From a strategic point of view, the interesting thing is that Microsoft hopes the claims architecture, which can be built on technologies available today, will replace identity systems that are based on a single point of truth, typically a directory of user information. Most of today's identity management systems are based on the single-point-of-truth policy.
