
I'm a software developer working as a senior consultant at Kentor in Stockholm, Sweden. My core competence is as a technical specialist within development and system architecture. In my heart I am, and probably will remain, a programmer. I still think programming is tremendously fun, more than 20 years after I first tried it. That's why my blog is named Passion for Coding. Anders is a DZone MVB and is not an employee of DZone and has posted 74 posts at DZone. You can read more from them at their website.

All .NET Identities Now Derive from ClaimsIdentity


With .NET 4.5 a new base class for identities was introduced: the ClaimsIdentity class. The reason is that Windows Identity Foundation has been fully incorporated into the .NET framework and it has really improved the .NET identity model.

What is a Claim?

This might be a stupid question – but I’ve had a hard time finding a definition of what a claims identity is that feels natural. (It might be a language issue, as I’m not a native English speaker and find the word claim somewhat hard to translate properly into Swedish.)

I prefer to explain a claim as a fact. A claims identity is a set of claims, or facts, bundled together into an identity. Each claim is made up of a key and a value. An example identity for me could contain these claims:


So far this is just a set of claims or facts. Being structured as a list of keys and values, it can contain pretty much whatever you want. In this case I’ve used the well-known types for standard parameters, but you can define your own too. Thanks to the flexible structure, any kind of identity can be expressed as a claims identity. It is not only possible – it is used! The old identity classes have all been rewritten to inherit from the new ClaimsIdentity class.

The Authority

Producing a set of claims is easy – I can make up my own set that claims I’m part of the super enterprise extra control administrators group. To make a security system complete there must be an issuer. In the case of a WindowsIdentity, the Windows operating system authenticates the user and issues the identity. In more complex federation scenarios there is a security token service (STS) that issues the identity, in the form of a cryptographically signed set of claims.
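To make the anatomy of a claim concrete, here is an added example (my own code, not from the original post) that builds a ClaimsIdentity by hand from well-known claim types plus one custom type. Every claim carries a type (the key), a value, a value type and an issuer, and authorization code can look at the issuer before acting on a claim. The issuer name, the custom claim type URI and all claim values are constructed for illustration. It also shows a detail worth knowing when you build identities yourself: ClaimsIdentity.IsAuthenticated is true only when an authentication type was supplied, so an identity created from claims alone is treated as anonymous.

```csharp
using System;
using System.Security.Claims;

// Added example, not code from the original post. Shows the parts of a claim:
// type (key), value, value type and issuer, plus a custom claim type.
class ClaimAnatomy
{
    // Constructed values for illustration only.
    const string Issuer = "https://sts.example.test";
    const string ClearanceType = "http://example.test/claims/clearance";

    static ClaimsIdentity BuildIdentity()
    {
        var claims = new[]
        {
            // Well-known claim types from System.Security.Claims.ClaimTypes
            new Claim(ClaimTypes.Name, "anders", ClaimValueTypes.String, Issuer),
            new Claim(ClaimTypes.Email, "anders@example.test", ClaimValueTypes.String, Issuer),
            new Claim(ClaimTypes.Role, "Developers", ClaimValueTypes.String, Issuer),
            // A custom claim type: any URI you choose works as the key
            new Claim(ClearanceType, "2", ClaimValueTypes.Integer, Issuer),
        };

        // The authentication type records how the identity was established.
        // Without it, IsAuthenticated is false even though the identity has claims.
        return new ClaimsIdentity(claims, "ExampleSts");
    }

    static void Main()
    {
        ClaimsIdentity identity = BuildIdentity();
        Console.WriteLine("Authenticated: {0} ({1})", identity.IsAuthenticated, identity.AuthenticationType);

        foreach (Claim c in identity.Claims)
            Console.WriteLine("{0} = {1} [{2}] issued by {3}", c.Type, c.Value, c.ValueType, c.Issuer);

        // Producing claims is easy; what makes a claim trustworthy is who issued it.
        // Authorization code can therefore check the issuer before relying on the value.
        Claim clearance = identity.FindFirst(ClearanceType);
        bool fromTrustedIssuer = clearance != null && clearance.Issuer == Issuer;
        Console.WriteLine("Clearance claim from trusted issuer: {0}", fromTrustedIssuer);

        // The same claims with no authentication type: IsAuthenticated is false.
        var anonymous = new ClaimsIdentity(identity.Claims);
        Console.WriteLine("Without authentication type, IsAuthenticated = {0}", anonymous.IsAuthenticated);
    }
}
```

The issuer check at the end is the point of the section above: a claim is only as good as the party that issued it, and an identity built without an authentication type should not be mistaken for an authenticated one.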

Everything is now a ClaimsIdentity

The old WindowsIdentity class has been rewritten to inherit from ClaimsIdentity. Internally it overrides everything and relies on the old code, but still – it is a huge step towards a more general identity model to have everything behave as claims identities.

I used the following code snippet to output my current Windows identity as a set of claims:

using System;
using System.Security.Claims;
using System.Security.Principal;

ClaimsIdentity identity = WindowsIdentity.GetCurrent(); // WindowsIdentity derives from ClaimsIdentity, so no cast is needed
foreach (var c in identity.Claims)
    Console.WriteLine("{0}: {1}\n", c.Type, c.Value);

It outputs my user name and the Windows Security IDs of my user and the groups I belong to, presented as claims.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: MYDOMAIN\MYUSER
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid: S-1-5-21-2456453529-233585608-1594492042-3571
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid: S-1-5-21-2456453529-233585608-1594492042-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-21-2456453529-233585608-1594492042-513
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-1-0
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-21-2859876727-1261456666-3238956704-1013
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid: S-1-5-32-544
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-32-545
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-4
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-2-1
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-11
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-5-15
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid: S-1-2-0
... continued ...

Multiple Authentication Schemes

In a current project, I am about to implement multiple authentication methods in the same application. Having all those authentication methods produce compatible claims identities is a huge advantage. To allow another authentication scheme, the only thing needed is another authentication module that produces the claims identity.

Once inside the application, the authorization code only assumes that there is a claims identity and works against those claims. The authentication and authorization have effectively been decoupled and can be changed independently.
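The decoupling described above, as an added example (my own code, not from the original post): two authentication modules each produce a ClaimsIdentity, and one authorization routine decides based on the claims alone. The first module is the real Windows token of the current process (so that part runs only on Windows); the second stands in for a federation module and its claims, issuer URL and values are constructed. The routine also handles a detail visible in the output listing above, where the Administrators group S-1-5-32-544 appears as a denyonlysid claim: a deny-only SID can only deny access and must never be counted as group membership.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// Added example, not code from the original post. Authorization works against
// claims only and does not know which module produced the identity.
class DecoupledAuthorization
{
    // Built-in Administrators group, S-1-5-32-544
    static readonly string AdminsSid =
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null).Value;

    // Constructed issuer name for the federation module.
    const string TrustedIssuer = "https://sts.partner.example.test";

    // Module 1: the Windows token of the current process (Windows only).
    static ClaimsIdentity FromWindows()
    {
        return WindowsIdentity.GetCurrent();
    }

    // Module 2: stand-in for a federation module. In a real system these claims
    // come from a token whose signature was verified first; values are constructed.
    static ClaimsIdentity FromFederatedToken()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "anders@partner.example.test", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String, TrustedIssuer),
        };
        return new ClaimsIdentity(claims, "Federation");
    }

    // Authorization: independent of the authentication scheme.
    static bool IsAdministrator(ClaimsIdentity identity)
    {
        if (!identity.IsAuthenticated)
            return false;

        // Windows-issued identity: membership in the Administrators group...
        bool windowsAdmin = identity.HasClaim(ClaimTypes.GroupSid, AdminsSid)
            // ...unless the group is present only as deny-only (e.g. a UAC-filtered
            // token): such a SID can deny access but never grants it.
            && !identity.HasClaim(ClaimTypes.DenyOnlySid, AdminsSid);

        // Federated identity: a role claim, accepted only from the issuer we trust.
        bool federatedAdmin = identity.FindAll(ClaimTypes.Role)
            .Any(c => c.Value == "Administrator" && c.Issuer == TrustedIssuer);

        return windowsAdmin || federatedAdmin;
    }

    static void Main()
    {
        foreach (ClaimsIdentity identity in new[] { FromWindows(), FromFederatedToken() })
        {
            Console.WriteLine("{0} via {1}: administrator = {2}",
                identity.Name, identity.AuthenticationType, IsAdministrator(identity));
        }
    }
}
```

Adding a third authentication scheme means adding a third module that returns a ClaimsIdentity; IsAdministrator does not change, which is the decoupling the section describes. Filtering the role claim on its issuer keeps an untrusted token from asserting privileges that only the trusted STS is allowed to grant.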

Published at DZone with permission of Anders Abel, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)