Can NameIdentifier and IdentityProvider (WIF) claims be used to uniquely identify any user?
Thinking of using Access Control Service (ACS) and Windows Identity Foundation (WIF) to secure my WCF Data Services Web API application.

How can I use claims to uniquely identify a user?

My idea is to use the combination of the standard claim NameIdentifier and the WIF claim IdentityProvider combined to create a unique ID for any user.

Is this combo truly stable and unique? Could an IP suddenly change its IdentityProvider string?

The idea here is to store the concatenated string of the two halves as a unique ID for any user.

Does the NameIdentifier claim have any security implications?

Cheers,

M.

Keikokeil answered 19/4, 2011 at 7:40 Comment(0)

This seems reasonable. Note that nameidentifier is IdP specific, meaning it is supplied by the identity provider you authenticated with (e.g. LiveID, Google, etc). ACS is simply copying this value into a claim. Check with each one of those providers to see what guarantees they make. My assumption is that they should not change for a "returning user" -> someone who possesses the same username/password.

People often use e-mail addresses as well. When available, you might want to correlate it too as an extra measure.

Nephelometer answered 22/4, 2011 at 16:28 Comment(1)
Thank you for the answer. I concur - it is my line of reasoning also. I could add an IP-ID claim to the output which I would have full control over for the future but for the nameidentifier there is no such useful method and if it'd change I still would not be able to match it to my algorithm. On the other hand it seems very illogical that an IP would ever change their values of either nameidentifier or identityprovider. In my book this is globally unique and stable. It would be nice to see from the IPs a "code of conduct assurance" or something where this type of question would be addressed. - Keikokeil

Justin Smith mentioned this in his MIX11 talk (see slide 22, 28 minutes into the talk) - it was my understanding that ACS gives you the nameidentifier and the IdP name. You take the tuple together and it should be good for unique id.

Huai answered 19/5, 2011 at 15:13 Comment(1)
Yeah I agree it does sound as if the ACS adds the IP Claim. However when you look at those they are very much on different base. One is a URI look-alike and another is a short string. Makes me wonder if they are not supplied by the IP anyway? - Keikokeil
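Both answers above agree that the (IdentityProvider, NameIdentifier) tuple is the key to store. The following is an added example, not code from the question, the answers, ACS or WIF, showing how to turn that tuple into a storage key without two pitfalls: a missing or duplicated claim must fail closed rather than fall back to an empty string, and plain string concatenation (the "concatenated string of the two halves" the question proposes) can make two different tuples collide because the boundary between the halves is lost. The claim type URIs are the well-known NameIdentifier type and the ACS identityprovider claim type; the token contents, provider names and identifiers are constructed sample data, and the `claims` input is assumed to be a plain list of (type, value) pairs rather than a WIF claims collection.

```python
import hashlib
import json

# Well-known claim type URIs: the standard NameIdentifier claim and the
# claim ACS adds to say which identity provider authenticated the user.
NAME_IDENTIFIER = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
IDENTITY_PROVIDER = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"


class MissingClaimError(ValueError):
    """Raised when a token lacks one of the two claims the key is built from."""


def find_single_claim(claims, claim_type):
    """Return the value of exactly one claim of the given type.

    Refuses tokens where the claim is absent, empty or duplicated: silently
    picking the first of several values would let two different tokens map
    to one user, and a missing claim must not degrade to an empty string.
    """
    values = [value for ctype, value in claims if ctype == claim_type]
    if len(values) != 1:
        raise MissingClaimError(f"expected exactly one {claim_type}, found {len(values)}")
    if not values[0]:
        raise MissingClaimError(f"{claim_type} is empty")
    return values[0]


def composite_key(claims):
    """Join (identity provider, name identifier) into one unambiguous string.

    JSON encoding is used instead of plain concatenation so that the boundary
    between the two halves is always recoverable; see naive_concat below.
    """
    idp = find_single_claim(claims, IDENTITY_PROVIDER)
    name_id = find_single_claim(claims, NAME_IDENTIFIER)
    return json.dumps([idp, name_id], separators=(",", ":"), ensure_ascii=True)


def naive_concat(claims):
    """The straight concatenation the question proposes, kept for comparison."""
    return find_single_claim(claims, IDENTITY_PROVIDER) + find_single_claim(claims, NAME_IDENTIFIER)


def user_key_hash(claims):
    """Fixed-length, opaque key for storage: SHA-256 of the composite key."""
    return hashlib.sha256(composite_key(claims).encode("utf-8")).hexdigest()


# Constructed sample tokens (not real ACS output): the same NameIdentifier
# issued by two different providers must remain two different users.
TOKEN_A = [(IDENTITY_PROVIDER, "uri:WindowsLiveID"), (NAME_IDENTIFIER, "abc123")]
TOKEN_B = [(IDENTITY_PROVIDER, "Google"), (NAME_IDENTIFIER, "abc123")]

# Constructed pair showing the ambiguity of plain concatenation:
# "idp-x" + "yuser" and "idp-xy" + "user" are different tuples, same string.
TOKEN_C = [(IDENTITY_PROVIDER, "idp-x"), (NAME_IDENTIFIER, "yuser")]
TOKEN_D = [(IDENTITY_PROVIDER, "idp-xy"), (NAME_IDENTIFIER, "user")]

# Constructed token with the provider claim missing: must be rejected.
TOKEN_NO_IDP = [(NAME_IDENTIFIER, "abc123")]


if __name__ == "__main__":
    for label, token in (("A", TOKEN_A), ("B", TOKEN_B), ("C", TOKEN_C), ("D", TOKEN_D)):
        print(label, composite_key(token), user_key_hash(token)[:16])
    print("naive C == naive D:", naive_concat(TOKEN_C) == naive_concat(TOKEN_D))
    try:
        composite_key(TOKEN_NO_IDP)
    except MissingClaimError as exc:
        print("rejected:", exc)
```

Storing the hash rather than the raw pair keeps the lookup key a fixed width and avoids putting the provider-issued identifier itself into every index, while the JSON form stays available if you need to display or audit which provider a stored user came from.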
