Click here to Skip to main content
15,065,044 members
Articles / Programming Languages / C#
Posted 13 Oct 2011


72 bookmarked

Claim Based Authentication and WIF: Part 1

Rate me:
Please Sign up or sign in to vote.
4.92/5 (57 votes)
13 Oct 2011CPOL6 min read
This article discusses the basics of Claim based Authentication. This is the first part of the Series.


There is a lot of buzz about Claim based Authentication. In this article, we'll understand what is Claim based Authentication, what are the benefits and a lot more. This is my first article in this series. In subsequent posts, we will see the implementation and more scenarios.

Let's first understand what the need is for Claim based authentication?

Problems with Current Authentication

We make several user accounts at several portals/websites. Everytime we need to access the corresponding website, we need to remember the username and password and if somehow we forget the password, then we need to remember some specific details like security question, etc. to get the access of the account again. And every time we might not remember all these details. Also, it is never advisable to write your user credentials physically.

One more problem, most of the applications use some authentication mechanism, mainly Classic UserName and Password. As most of the developers are not really security experts; they leave loopholes during development which are easy to break. So it is a major security risk.

Most of the developers have some or the other day worked on the SingleSignOn feature. It's not always been a simple task. It leads to a lot of challenges and many issues after the application is deployed on UAT/Production.

As a user, we create new user credentials (username and password) to many applications on the internet like Facebook, Yahoo, Gmail, etc. and some in-house sites like some college portal, etc. or some enterprise application. So to create new credentials every time and to remember all these credentials and see that all are secure enough is very tedious. If there is any errors, you might lose some credentials and could end up in a big loss.


Imagine the situation where you just need to have one user credential, i.e., username and password and that is enough to access all your portals/websites. This will be an ideal situation. Might be it could not take place completely, but we are somehow moving in this direction.

But how can this take place?

Actually, nowadays, when we create an application which has an authentication page, we need to understand how it works. Actually when user logs in, an Identity is assigned to that session and that Identity is maintained throughout the session until the user logs out or it expires. So let’s view the current scenario.

Application using Authentication

This means that every application which has some authentication mechanism first authenticates the user and gives an Identity and then the user gets the rights to access the application. So somehow if we can externalize the authentication part from the application, then this will be very helpful and the same authentication application is used by several applications. I explain it pictorially.

Externalize the Authentication

So the basic idea is, if there are some applications that do the authentication and provide the Identity (called Identity Provider), and applications rely on this identity, like in our daily life:

daily Life scenario

The above picture is self-explanatory.

Claim Based Authentication

The same mechanism is also followed in Claim based Authentication. There are some authentication/identity providers which are used by various applications whenever a user tries to access some application. The application checks whether the user is authenticated or not, if not, it forwards the user to the Identity provider which actually authenticates the user, gives a token to the user and forwards the user to the application. The application verifies the token and the user is allowed to access the application.

But this is not so easy in a web scenario. There are few challenges - Who are the Identity Providers? - What is the data needed for the relying party, i.e., what data can be transferred from Identity provider and in which form - if there are multiple Identity providers. How does the application trust them?

Actually there are a couple of Identity providers nowadays like Google, Facebook, WindowsLive Id and many more. And even we can develop our own Identity provider for on premise applications. This can be used on Cloud as well.

Now if I am making an application and my application uses some Identity provider to authenticate a user, then the application must understand the token of that Identity provider and also there must be trust relation between the application and Identity providers, so that the application can rely on the token sent by that Identity provider.

Basics of Claim based Authentication

Now let us discuss what are the basic things involved in it. These are mainly Identity, Tokens, Claims, Identity Provider or Security Token Service, RP (Relying Party), etc. To move ahead, we need to understand all of these. Let's discuss them one by one.

What is an Identity

You can say Identity is a group of information that can uniquely identify anything. Most of the other things also have identity like your own PC, Vehicle, etc. But here, we are talking about person. So in this digital era, we can say a digital identity is a group of information to identify a person.

Token and Claims

When this digital identify is passed over wire, it is passed as a stream of bytes and that is known as token. Token contains some set of information about the user in the Claim format. A token can contain multiple claims and every claim contains some specific information. The token is digitally signed so that it can be verified at the receiver end. So we can show this pictorially as:

Token with Claims

Sometimes token can be XML based Security Assertion Markup Language (SAML) format. But now, the application uses a rather simpler token call as Simple web Token (SWT). So the benefit is that here, we do not pass user credential but we can also pass some other information of the user to the application.

Identity Provider and STS

Identity provider is the key in this technology, this actually authenticates the user and creates the token with claims, as per the requirement and digitally signs it before sending. Identity provider is also known as Security token service. So how does the STS work, let's have a view.

Identity Provider

RP (Relying Party)

Relying party are the applications that use these Identity Providers for authentication. They just need to understand and verify the token and get all the data from the token itself which is required. But before all this, RP needs to build a trust relationship and tell the Identity provider what all data is needed for a user. So that next time it receives a token, it can verify the issuer and get the required data.

Complete Scenario

Now you guys got all the basic information about Claim based Authentication. Now let us have a look at how this Identity provider is used.

Complete System

So this is the basics of Claim based Authentication. In my next article, we'll focus on the implementation part with the help of Windows Identity Foundation WIF.

Do share your views about this post and let me know if I have missed anything.


  • 13th October, 2011: Initial post


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Software Developer (Senior)
India India
Brij is a 3-times Microsoft MVP in ASP.NET/IIS Category and a passionate .NET developer. More than 6 years of experience in IT field, currently serving a MNC as a Tech Lead/Architect.

He is a very passionate .NET developer and have expertise over Web technologies like ASP.NET 2.0/3.5/4.0, jQuery, JSON, Javascript, IIS and related technologies. He is also a Exchange Server (EWS) Specialist. He has great experience in design patterns and N-Tier Architecture.

He is also certified as Microsoft Certified Technologies Specialist-ASP.NET and Microsoft Certified Technologies Specialist-WCF in .NET 4.0. He has also received several awards at various forums and his various articles got listed as "Article of the day" at ASP.NET Microsoft Official Website

He has done MCA from NIT Durgapur and completed his graduation from Lucknow University.

Learning new technologies and sharing knowledge excites him most. Blogging, solving problems at various forums, helping people, keeps him busy entire day.

Visit his Blog: Code Wala

Area of Expertise :
C#, ASP.NET 2.0,3.5,4.0, AJAX, JQuery, JSON, XML, XSLT, ADO.Net, WCF, Active Directory, Exchange Server 2007 (EWS), Java script, Web Services ,Win services, DotnetNuke, WSS 3.0,Sharepoint Designer, SQL Server 2000/2005/2008

Comments and Discussions

QuestionNice but where is the second part?! Pin
hassanlou16-Jul-16 19:34
Memberhassanlou16-Jul-16 19:34 
QuestionNice Article Pin
Alireza_13628-Oct-15 23:27
MemberAlireza_13628-Oct-15 23:27 
SuggestionLinks to other articles. Pin
eferreyra24-Jul-14 1:59
Membereferreyra24-Jul-14 1:59 
QuestionMy vote of 5: Very good explanation of Claims Based Authentication Pin
woutercx5-Oct-13 12:03
Memberwoutercx5-Oct-13 12:03 
GeneralMy vote of 5 Pin
Josh_T10-Mar-13 10:18
MemberJosh_T10-Mar-13 10:18 
GeneralMy vote of 5 Pin
Nikhil_S10-Jan-13 1:58
professionalNikhil_S10-Jan-13 1:58 
GeneralRe: My vote of 5 Pin
Brij14-Feb-13 19:41
mentorBrij14-Feb-13 19:41 
GeneralMy vote of 5 Pin
ChetanPareek17-Dec-12 1:45
MemberChetanPareek17-Dec-12 1:45 
GeneralRe: My vote of 5 Pin
Brij17-Dec-12 5:54
mentorBrij17-Dec-12 5:54 
GeneralMy vote of 5 Pin
Savalia Manoj M18-Nov-12 17:00
MemberSavalia Manoj M18-Nov-12 17:00 
Questionweblogic service interoperability Pin
WebMaster27-Sep-12 1:35
MemberWebMaster27-Sep-12 1:35 
GeneralNice aritcle Pin
Ejjini12-Sep-12 20:23
MemberEjjini12-Sep-12 20:23 
GeneralRe: Nice aritcle Pin
Brij13-Sep-12 3:22
mentorBrij13-Sep-12 3:22 
QuestionVery very good article Pin
TeotiaRajeev24-Jul-12 0:00
MemberTeotiaRajeev24-Jul-12 0:00 
AnswerRe: Very very good article Pin
Brij24-Jul-12 4:13
mentorBrij24-Jul-12 4:13 
GeneralMy vote of 4 Pin
Rahul Bandopadhyaya19-Jun-12 21:44
MemberRahul Bandopadhyaya19-Jun-12 21:44 
great for understanding the base of claims based authentication
GeneralMy vote of 5 Pin
Sandeepkumar Ramani29-Mar-12 1:54
MemberSandeepkumar Ramani29-Mar-12 1:54 
GeneralMy vote of 4 Pin
_Zorro_19-Dec-11 4:19
professional_Zorro_19-Dec-11 4:19 
GeneralMy vote of 5 Pin
jonymargo11-Dec-11 13:51
Memberjonymargo11-Dec-11 13:51 
GeneralRe: My vote of 5 Pin
Brij15-Dec-11 5:54
mentorBrij15-Dec-11 5:54 
GeneralMy vote of 4 Pin
lzlstyle12-Nov-11 15:18
Memberlzlstyle12-Nov-11 15:18 
GeneralMy vote of 5 Pin
priyanka Dhoble17-Oct-11 21:27
Memberpriyanka Dhoble17-Oct-11 21:27 
GeneralRe: My vote of 5 Pin
Brij18-Oct-11 7:05
mentorBrij18-Oct-11 7:05 
GeneralMy vote of 5 Pin
Monjurul Habib14-Oct-11 9:34
professionalMonjurul Habib14-Oct-11 9:34 
GeneralRe: My vote of 5 Pin
Brij14-Oct-11 10:49
mentorBrij14-Oct-11 10:49 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.