Thursday, July 21, 2011

Identity providers, security token service and claim based authentication concept

Security in the IT field is a vast topic. Today I decided to discuss some of the basic terminology used in the context of “identity and access management”.
I will address the following questions (according to my understanding, of course) –
1. Why do we need identity providers?
2. What are identity providers? How do they help in identity and access management?
3. What is a claim?
4. What is claim-based authentication? How does it differ from certificate-based authentication and Integrated Windows Authentication?
5. What is claim-based identity?
6. How do you implement claim-based identity?
7. What is a relying party?
8. What is an STS (security token service)?
9. How do you establish STS (security token service) trust between a relying party and an identity provider?

If you already know the above terms, you may want to go directly to Implementing Claim Based Authentication. However, I strongly recommend going through the following content first.

Need of Identity Provider – The number of web sites is growing exponentially, and the motive of each of them is to provide services to its users; hence they are service providers. Most of the time, however, service providers also have to worry about authenticating their users, which diverts them from their main aim of providing services. To overcome this problem, service providers typically do not authenticate users themselves but instead request that authentication be carried out by another organization. The organizations that take care of authentication decisions are identity providers. This eliminates the need for every service provider to maintain its own IDs and authentication mechanisms.
Service providers rely on identity providers to assert the identity of a user and to manage user identities.
An identity provider (IdP) is an organization where you have an account and can log in to gain access to online services. Technically, an identity provider is a service that issues security tokens. The identity provider handles the management of user identities in order to free the service provider from this responsibility.
An identity provider is a kind of service provider that creates, maintains and manages identity information and provides authentication to other service providers.
Identity providers deliver identity and access management with the help of claim-based authentication and an STS.
Let’s first understand what Integrated Windows Authentication and certificate-based authentication are.
Integrated Windows Authentication – This is the most commonly used authentication mechanism. When the user provides credentials to the domain controller (DC), the DC validates them and returns a Kerberos ticket. The ticket contains security identifiers (SIDs) that represent the user’s account and the domain groups the user belongs to, and it carries the signature of the domain controller. In other words, an issuer (in this case the domain controller) has given a security token to a subject (in this case the user who provided credentials), which the user can then present to prove its identity.

Certificate-based authentication – The same idea applies when you use certificate-based authentication. A certificate is just another type of security token. The issuer of the token in this case is a certificate authority (CA), and the subject is again the user.
These are just two different ways of representing a trusted identity. The authentication logic in both methods is quite complex and brings many challenges. For example, in Integrated Windows Authentication the Kerberos ticket gives you only the user’s account and list of groups. What if your application needs the user’s email address to send mail? To obtain this kind of related information you need to configure Active Directory, which is not an easy task. In such scenarios, claim-based identity simplifies the implementation.
Claim-based identity lets you factor the authentication logic out of individual applications. Instead of the application determining who the user is, it receives claims that identify the user.
So what is a claim in claim-based authentication?
A claim is basically a statement about the subject (the user of your application). It is authenticated information about the subject: for example the name, an identity key, group membership and similar information that your application uses to authorize the subject for access.
The Microsoft patterns & practices book A Guide to Claims-Based Identity explains this with a very nice example. Claim-based authentication is everywhere; one good real-life example of a claim-based identity system is an airport boarding pass. To board an airplane you need a boarding pass.
When you go to the counter for a boarding pass, your passport is verified, your picture is matched against your face, and the officer checks that you have paid for the ticket. Assuming all this is in order, you receive a boarding pass. From then on the gate agents check only your boarding pass; they do not need to know about your passport, ticket or other details. The boarding pass also has a magnetic strip which proves that it was issued at the airline counter and is not a forgery.
If your boarding pass is in order, you can board the flight.
In other words, every single piece of information on the boarding pass is a claim. All the claims (units of information) are bundled in the boarding pass, and the boarding pass is your SECURITY TOKEN. The gate agent verifies that you have a boarding pass with valid information, which means you are an authenticated user. The boarding pass also carries the flight number and seat number, which tell the gate agent which resources you have access to; in other words, this information expresses authorization.
Here the gate agent is your application, the boarding pass is your security token, and the airport counter is your issuer, which issues you a security token (the boarding pass).
In software terminology, the bundle of claims is called a security token. Each security token is signed by the issuer who created it. A claim-based application considers users to be authenticated if they present a valid, signed security token from a trusted issuer.
The above pattern is shown in the following diagram –

Security Token – In software terminology, a security token is a representation of the claims that has been cryptographically signed by the issuer of the claims, giving any relying party (the application, or the gate agent in the scenario above) strong proof of the integrity of the claims and of the identity of the issuer.
Security Token Service – A web service that issues security tokens; ADFS is an example of an STS. The STS is also called the issuer. It issues claims and packages them in encrypted security tokens.
Relying Party – An application that relies on security tokens issued by identity providers. If you develop a claim-based application, you can call it a relying party. You always have to establish STS trust between the relying party and the identity provider.
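As an added illustration (not code from this post, nor from ADFS or WIF), here is a toy issuer and relying party in Go: the STS signs a bundle of claims with its private key, and the relying party, which has been given only the issuer's public key (that is the STS trust), checks issuer, audience, expiry and signature before acting on the claims, exactly as the gate agent does with the boarding pass. JSON and Ed25519 stand in for the token formats a real STS would use, and the issuer and application names in the usage are constructed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

type Claims map[string]string // the issuer's statements about the subject: the fields printed on the boarding pass
type SecurityToken struct { // the bundle of claims plus the issuer's signature over them
	Issuer    string `json:"issuer"`
	Audience  string `json:"audience"` // the relying party this token was issued for
	Expires   int64  `json:"expires"`  // Unix time after which the pass is stale
	Claims    Claims `json:"claims"`
	Signature []byte `json:"signature"`
}

// STS is the issuer; relying parties are given only the corresponding public key.
type STS struct {
	Name string
	Key  ed25519.PrivateKey // never leaves the identity provider
}

// Issue signs the claims for one audience. Signature is nil while signing so Verify can rebuild the same bytes.
func (s *STS) Issue(audience string, c Claims, ttl time.Duration, now time.Time) SecurityToken {
	t := SecurityToken{Issuer: s.Name, Audience: audience, Expires: now.Add(ttl).Unix(), Claims: c}
	payload, _ := json.Marshal(t) // a map[string]string always marshals, with keys sorted
	t.Signature = ed25519.Sign(s.Key, payload)
	return t
}

type RelyingParty struct {
	Name    string
	Trusted map[string]ed25519.PublicKey // issuer name -> public key: this map is the "STS trust"
}

// Verify is the gate agent: trusted issuer, right flight, not expired, pass unaltered.
func (rp *RelyingParty) Verify(t SecurityToken, now time.Time) (Claims, error) {
	pub, ok := rp.Trusted[t.Issuer]
	if !ok {
		return nil, errors.New("untrusted issuer")
	}
	if t.Audience != rp.Name || now.Unix() >= t.Expires {
		return nil, errors.New("token is for another relying party or has expired")
	}
	sig := t.Signature
	t.Signature = nil // rebuild exactly what the issuer signed
	payload, _ := json.Marshal(t)
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature does not verify: token altered or forged")
	}
	return t.Claims, nil
}
```

The relying party never sees the private key, so it can recognise a genuine token but cannot mint one; altering a single claim after issuance invalidates the signature.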

Alright, here I finish answering all the questions listed above. That was a lot of explanation, but I hope you had fun reading it. I tried my level best to keep it simple. Hope it helps.

Next – Implementing Claim Based Authentication.

Happy Programming!!


  1. Thanks a lot! The concept is explained very well and in simple language. The example you have given is very good and helps to understand the concept.
    Thanks once again.