Why Claim based authentication instead of role based authentication
I am new to claim based authentication. I have gone through several articles and could not figure out the exact use of claim based authentication. Here are some doubts I have about claim based authentication.

  1. I would like to know what the difference and advantages of claim based over role based authentication are.
  2. Can we connect to Sql Server 2008 R2 using claim based authentication instead of ADFS? If so, how?
  3. What is the advantage of using claim based authentication in WCF?

Can anyone provide me with some explanations, so that I can understand claim based authentication and use it with my application?

Crowther answered 27/12, 2012 at 6:2 Comment(1)
In general, the answers to https://mcmap.net/q/126654/-explain-quot-claims-based-authentication-quot-to-a-5-year-old/223837 may be helpful. Note that a security token can include a claim "this user has role R", which an application can then use to do role-based authorisation. - Heal
Ultimately the main benefits to using claims include:

  1. Providing a consistent programming model for your services - you don't need to know how to implement a particular security mechanism; one site might use username and password authentication/authorisation, another Active Directory. Your services don't care either way because all you are doing is processing the claims in all instances.

  2. You don't need to concern yourself with the security implementation. This is done by a third party.

  3. You can customise claims to suit your domain, and treat them as an extension to your authorisation logic - standard security properties usually provide you only with basic information such as roles. You can of course extend this, but then you're doing much more work and it is often difficult to implement (e.g. extending AD is often not so much a technical challenge as a policy constraint - admins are reluctant to modify the AD schema to accommodate a specific application).

  4. Interoperable - because the claims [format] are based on standards they become much more interoperable between services of different languages and domains, as the underlying technology for the security is abstracted.

If you are creating new .NET 4.5 WCF Services you can already start using claims, as the namespace is backwards compatible with earlier security implementations, so even if you did decide claims weren't for you now, you would be in a better position to upgrade later.

There is much more to claims than I can write here and I'm sure there will be others with additional reasons why considering claims might be a good thing.

Hope this helps.

Roughdry answered 27/12, 2012 at 6:59 Comment(6)
Hi stephenl, thanks for your help. I have one doubt. Is it possible to connect to Sql Server 2008 R2 using claim based authentication instead of ADFS? Can you please tell about this a little more? - Crowther
ADFS2 will use pretty much any data source that manages authentication/authorisation (SQL Server, AD, XML...). A search on ADFS2 will provide more detail. Either way, implementing something like this requires a little planning and most probably will require your system administrators' participation. - Roughdry
@Roughdry That is not entirely true: AD FS 2.0 authenticates only against Active Directory (see https://mcmap.net/q/906912/-can-i-use-adfs-2-0-to-authenticate-certain-users-against-sql-server), but it can create claims from lots of sources. - Heal
@MarnixKlooster I was under the impression that if you had SQL Membership provider databases you could also use that, but if that isn't the case I stand corrected. I was only trying to illustrate that there can be multiple sources from which claims can be created. - Roughdry
Thanks all for your response. I would like to know if I can make an STS without ADFS, i.e. create an STS with the help of a SQL Server database without ADFS. Is this scenario possible? If yes, please provide some guidelines. - Crowther
@sujith Have a look at startersts.codeplex.com; this should meet your requirements. - Roughdry
In addition - claims have nothing to do with authentication.

There is no such thing as claims- or role-based authentication. It is about modeling identity in a way your application can work with.

Roles are also claims (with a fixed true/false value) - claims just give you more expressiveness with key/value pairs.

Driftwood answered 27/12, 2012 at 11:35 Comment(0)
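The point made in the two answers above (a role is just one kind of claim, and key/value claims let the application express what a role cannot) in .NET 4.5 `System.Security.Claims` terms. This is an added example, not code from either answer; the user name, the `Purchaser` role and the `http://example.com/claims/purchase-limit` claim type and value are constructed, and the claims stand in for what a relying party would hold after validating a token from an STS.

```csharp
using System;
using System.Security.Claims;

class ClaimsDemo
{
    // Constructed claim type for a domain-specific, key/value claim (hypothetical URI).
    const string PurchaseLimitClaim = "http://example.com/claims/purchase-limit";

    // Build the principal the relying party works with. The application never
    // sees how the STS authenticated the user (password, AD, certificate); it
    // only processes the claims that arrived in the token.
    static ClaimsPrincipal BuildPrincipal()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice"),                              // constructed
            new Claim(ClaimTypes.Role, "Purchaser"),                          // a role is just a claim
            new Claim(PurchaseLimitClaim, "5000", ClaimValueTypes.Integer),   // custom key/value claim
        };
        // "Federation" is an arbitrary authentication-type label; a non-empty
        // value is what makes IsAuthenticated return true.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
    }

    // Authorisation logic that mixes the classic role check with a claim a
    // plain role cannot express (an amount the user may approve).
    static bool MayApprove(ClaimsPrincipal user, int amount)
    {
        if (!user.Identity.IsAuthenticated) return false;

        // IsInRole is answered by looking for ClaimTypes.Role claims on the identity.
        if (!user.IsInRole("Purchaser")) return false;

        // Missing or malformed claim: deny rather than assume a default limit.
        var limit = user.FindFirst(PurchaseLimitClaim);
        return limit != null
            && int.TryParse(limit.Value, out var max)
            && amount <= max;
    }

    static void Main()
    {
        var user = BuildPrincipal();
        Console.WriteLine("IsInRole(Purchaser): " + user.IsInRole("Purchaser"));
        Console.WriteLine("MayApprove(2500):    " + MayApprove(user, 2500));
        Console.WriteLine("MayApprove(9000):    " + MayApprove(user, 9000));
    }
}
```

Because `ClaimsIdentity` maps `ClaimTypes.Role` onto `IsInRole`, existing role-based authorisation code keeps working unchanged once the application is fed claims, which is the backwards-compatibility point the first answer makes.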