Monday, July 11, 2011



Authentication, in simple English, we say “The Person is Actually the one what he/she claims to be”.

Like in Famous James Bond Series, if Black Suited, Maybach Driving guy says to you, HI I am Bond , James Bond, will you seriously going to believe him, until or unless you see his ID or “Solid Action” the same thing implies with Technology, and we have to provide a way to our websites, so that  system can authenticate this is the James actually trying to Login the Site.
Microsoft Provides for example Active Directory, in which we can create rules belongs to person and Groups and let the system recognize the access accordingly.

Suppose if James tries to login to our site and he is member of 007 Active Directory and yes it does have access to our site, so James will get access. Till the time our site is running on the basis of Active Directory to which all users of site belong we will have no issue,we don’t need Claims Based Authentication in this .

but this is not the case in General.

So where does requirement comes:

1. Sometimes Rules, Company Laws, etc doesn’t allow to capture everything and publish on the sites, means we cannot ask a user to provide all his personal information and place it on an open internet site.
Example, why a girl who is actually a lady but doesnt look too aged, like to reveal his age to anyone.

2. We work in a Network Environment, where Business Communicates with Other Business and not everyone does have the same Active Directory Authentication and even if they have then it might not be necessary that it will have the same instance of “AD”, Still organization like to provides maximum integration facilities to its users.

So here we go with Claims Based Authentication, it addresses the above challenges.

It addresses privacy and ask very less personal Information from the user and by trusting other parties or systems to do the “proof of identitycheck.

So what does Claims Based Authentication do?

Suppose we have to create a site for a “Pharma Company” which sales its medicines worldwide, called xyzPharma.

But hold on Before implementing authentication, we need to make sure that are we implementing the thing which will pass legal laws of Global Countries, take for example in U.S there are many Supplements/ Shampoos or even drugs which are banned but they are legal in Some other company, so if we have to make this implementation cut to clear then how can we do it, answer is very simple ”Claims Based Authentication”, at the same time we need not to ask who actually the person is,!

It turns out that in the country, the Government has set up a web service that users log on to, which authenticates them based on their citizenId and citizenPassword. It then is able to tell other systems that a user is their country citizen or not, without revealing who that user is.

So we implement our “xyz pharma” website by building a claims-aware system. Instead of building the standard “username and password” login mechanisms, we simply ask the Government’s web service to tell us if the user browsing our site is of which country. The claim that our system uses is a “userCountry” claim, and the claim value is either yes or no. We simply don’t build any authentication system at all beyond a simple “if (userIsofCountry) then..“ statement.

By doing this, we address privacy concerns – we don’t know or keep personally identifiable information – while at the same time ensuring that we don’t sell drugs to someone where it is banned.

Claims Based Authentication:

It actually integrates the different systems by allowing communication via open standards and does provide platform to develop more specialized “identity connectors” between systems.

How is it implemented?

The claims-based authentication implementation has a number of components. In simplified terms here’s how the pieces of technology fit together.

• From a developer’s point of view, the platform that Microsoft is providing is called the Windows Identity Foundation. This used to be called the Geneva framework. It provides a programming library suitable for building claims-aware applications. This library is also used by SharePoint 2010.

• Active Directory Federation Services implements services to create, accept, and transform tokens that contain claims.

• Cardspace provides a user interface for users to select which “identity card” they wish to use for a particular system

For More details read this very good article on Claims Based Authentication:
Claims Based Authentication-Part1