There is a lot of buzz about Claim based Authentication. In this article, we'll understand what is Claim based Authentication, what are the benefits and a lot more. This is my first article in this series. In subsequent posts, we will see the implementation and more scenarios.
Let's first understand what the need is for Claim based authentication?
We make several user accounts at several portals/websites. Everytime we need to access the corresponding website, we need to remember the username and password and if somehow we forget the password, then we need to remember some specific details like security question, etc. to get the access of the account again. And every time we might not remember all these details. Also, it is never advisable to write your user credentials physically.
One more problem, most of the applications use some authentication mechanism, mainly Classic UserName and Password. As most of the developers are not really security experts; they leave loopholes during development which are easy to break. So it is a major security risk.
Most of the developers have some or the other day worked on the SingleSignOn feature. It's not always been a simple task. It leads to a lot of challenges and many issues after the application is deployed on UAT/Production.
As a user, we create new user credentials (username and password) to many applications on the internet like Facebook, Yahoo, Gmail, etc. and some in-house sites like some college portal, etc. or some enterprise application. So to create new credentials every time and to remember all these credentials and see that all are secure enough is very tedious. If there is any errors, you might lose some credentials and could end up in a big loss.
Imagine the situation where you just need to have one user credential, i.e., username and password and that is enough to access all your portals/websites. This will be an ideal situation. Might be it could not take place completely, but we are somehow moving in this direction.
But how can this take place?
Actually, nowadays, when we create an application which has an authentication page, we need to understand how it works. Actually when user logs in, an Identity is assigned to that session and that Identity is maintained throughout the session until the user logs out or it expires. So let’s view the current scenario.
This means that every application which has some authentication mechanism first authenticates the user and gives an Identity and then the user gets the rights to access the application. So somehow if we can externalize the authentication part from the application, then this will be very helpful and the same authentication application is used by several applications. I explain it pictorially.
So the basic idea is, if there are some applications that do the authentication and provide the Identity (called Identity Provider), and applications rely on this identity, like in our daily life:
The above picture is self-explanatory.
The same mechanism is also followed in Claim based Authentication. There are some authentication/identity providers which are used by various applications whenever a user tries to access some application. The application checks whether the user is authenticated or not, if not, it forwards the user to the Identity provider which actually authenticates the user, gives a token to the user and forwards the user to the application. The application verifies the token and the user is allowed to access the application.
But this is not so easy in a web scenario. There are few challenges - Who are the Identity Providers? - What is the data needed for the relying party, i.e., what data can be transferred from Identity provider and in which form - if there are multiple Identity providers. How does the application trust them?
Actually there are a couple of Identity providers nowadays like Google, Facebook, WindowsLive Id and many more. And even we can develop our own Identity provider for on premise applications. This can be used on Cloud as well.
Now if I am making an application and my application uses some Identity provider to authenticate a user, then the application must understand the token of that Identity provider and also there must be trust relation between the application and Identity providers, so that the application can rely on the token sent by that Identity provider.
Now let us discuss what are the basic things involved in it. These are mainly Identity, Tokens, Claims, Identity Provider or Security Token Service, RP (Relying Party), etc. To move ahead, we need to understand all of these. Let's discuss them one by one.
You can say Identity is a group of information that can uniquely identify anything. Most of the other things also have identity like your own PC, Vehicle, etc. But here, we are talking about person. So in this digital era, we can say a digital identity is a group of information to identify a person.
When this digital identify is passed over wire, it is passed as a stream of bytes and that is known as token. Token contains some set of information about the user in the Claim format. A token can contain multiple claims and every claim contains some specific information. The token is digitally signed so that it can be verified at the receiver end. So we can show this pictorially as:
Sometimes token can be XML based Security Assertion Markup Language (SAML) format. But now, the application uses a rather simpler token call as Simple web Token (SWT). So the benefit is that here, we do not pass user credential but we can also pass some other information of the user to the application.
Identity provider is the key in this technology, this actually authenticates the user and creates the token with claims, as per the requirement and digitally signs it before sending. Identity provider is also known as Security token service. So how does the STS work, let's have a view.
Relying party are the applications that use these Identity Providers for authentication. They just need to understand and verify the token and get all the data from the token itself which is required. But before all this, RP needs to build a trust relationship and tell the Identity provider what all data is needed for a user. So that next time it receives a token, it can verify the issuer and get the required data.
Now you guys got all the basic information about Claim based Authentication. Now let us have a look at how this Identity provider is used.
So this is the basics of Claim based Authentication. In my next article, we'll focus on the implementation part with the help of Windows Identity Foundation WIF.
Do share your views about this post and let me know if I have missed anything.
- 13th October, 2011: Initial post