[Recommendation] What is a security token? What is a claim?

Source: Internet
Author: User

An MSDN article gives an example and a step-by-step explanation of these two concepts that can help us understand them better.

The definitions of these terms and the related concepts are excerpted here; if time allows, I will translate them for readers.


Imagine the following scenario. Alice is a user who wants to access a shopping service using her Windows domain account. Her domain controller authenticates her and places a series of Security Identifiers (SIDs) into a Kerberos ticket. These SIDs represent Alice's user account and the many domain groups she belongs to. The SIDs are embedded in the ticket, which also carries the domain controller's signature. In identity terminology, the issuer (here, the domain controller) gives Alice a security token, which Alice can use to prove who she is. The same applies when Alice authenticates with a certificate: the certificate is just another type of security token. Here the issuer is the Certificate Authority (CA), and the target of the certificate is Alice. A Kerberos ticket or a certificate is essentially a statement made by an issuer about a specific target; these are two different ways for a trusted authority to vouch for its members. Each signed statement can be considered a collection of claims. In other words, when the domain controller puts SIDs into the ticket it sends to Alice, it is issuing claims about Alice, and each SID is a claim. When the CA signs Alice's name and public key into a certificate, the CA is issuing claims about Alice, and the name and public key in the certificate are claims.


The goal of this new identity model is to abstract identity, reducing your dependency on any specific type of credential without compromising the security of your program. By adopting this identity model in SharePoint 2010, you can delegate user authentication and accept not only Kerberos tickets but also Security Assertion Markup Language (SAML) tokens. This opens the door to interesting identity architectures, including federated identity.


The following sections describe the terms and concepts that help you understand a claims-based identity architecture.



Identity

In a system that you want to secure, an identity is a set of attributes that describe a user or another entity.



Claim

A claim can be thought of as a piece of identity information (such as a name, email address, age, or a role such as sales). The more claims your application receives, the more it knows about the user. This information is called a claim rather than an attribute (the term usually used for enterprise directories) because it is delivered differently. In this model, your application does not query the user's attributes in a directory. Instead, the user presents claims to your application, and your application checks them. Each claim is issued by an issuer, and your trust in a claim is exactly your trust in its issuer. For example, you will certainly trust a claim issued by your company's domain controller more than a claim issued by the user themselves.


Security token

With each request, the user passes a set of claims to your application. In a web service, the claims travel in the security header of the SOAP envelope. In a browser-based application, the claims arrive at the server from the user's browser via an HTTP POST; if a session is needed afterwards, the claims are cached in a cookie. However the claims arrive, they must be serialized, and this is where the security token comes in. A security token is a set of serialized claims that is digitally signed by the issuer. The signature matters: it guarantees that users cannot simply write their own claims and send them to you. Encryption is not needed in less sensitive situations, but that is outside the scope of this discussion.

One of the core features of Windows Identity Foundation (WIF) is the ability to create and read security tokens. WIF and the Microsoft .NET Framework handle all the cryptographic work and hand your application a set of claims it can read.


Security token service (STS)

A Security Token Service (STS) is the plumbing that constructs, signs, and issues security tokens according to the interoperability protocols. Implementing these protocols takes a lot of work, but WIF has done it for you, so that someone who is not a protocol expert can build and run an STS at very low cost.

WIF makes it easier to build your own STS. How you implement the logic and rules that the STS enforces (usually called the security policy) is entirely up to you.


Issuing Authority

There are many types of issuing authorities, from a domain controller that creates Kerberos tickets to an authority that issues X.509 certificates. The specific type discussed here issues security tokens that carry claims. This issuer is a web application or web service that issues security tokens. It must be able to issue the appropriate claims based on the target relying party and the user making the request, and it may also be responsible for interacting with the user directory to look up claims and authenticate users.

Whichever issuing authority you choose, it plays a central role in your authentication solution. Once you remove authentication from your application by relying on claims, you shift that responsibility to the issuing authority and ask it to authenticate users for you.


Relying party

When you build an application that relies on claims, you are building a relying party application. Synonyms for relying party include "claims-aware application" and "claims-based application". Both web applications and web services can be relying parties.

A relying party application consumes tokens issued by an STS, extracts the claims from them, and uses the claims for identity-related tasks. WIF supports two kinds of relying party applications: ASP.NET web applications and Windows Communication Foundation (WCF) web services.



Standards

To make all of these concepts and interactions interoperable, a number of WS-* standards are applied, and the same holds for the scenarios above. WS-MetadataExchange is used to retrieve the security policy, which is structured according to the WS-Policy standard. The STS exposes an endpoint that implements the WS-Trust standard, which describes how to request and receive security tokens. Today, most STSs issue tokens in the Security Assertion Markup Language (SAML) format. SAML is an industry-recognized XML vocabulary for expressing claims in an interoperable way. In a multi-platform scenario, this lets you communicate with an STS on a completely different platform and achieve single sign-on across all of your applications, regardless of platform.


Browser-based applications

Smart clients are not the only ones that can use the claims-based identity model; browser-based applications (also called passive clients) can use it too. The following scenario describes how this works:

First, the user points the browser at a claims-based web application (that is, the relying party application). The web application redirects the browser to the STS so that the user can be authenticated. The STS is hosted in a simple web application: it reads the incoming request, authenticates the user through a standard HTTP mechanism, creates a SAML token, and then uses some ECMAScript (JavaScript, JScript) code to make the browser send an HTTP POST request containing the SAML token back to the relying party application. The body of the POST request contains the claims the relying party requires. At this point it is very common for the relying party to package the claims into a cookie, so that the user does not have to be redirected to authenticate on every subsequent request.
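The two ideas above, that a security token is a set of serialized claims signed by its issuer (so the relying party's trust in a claim is exactly its trust in the issuer), and that a passive client POSTs the token once and then carries the verified claims in a session cookie, can be shown end to end in a few lines. The following Python is an added illustration, not code from the MSDN article or from WIF: the issuer names, keys, claim values and timestamps are constructed for the example, and an HMAC-SHA256 over a canonical JSON body stands in for the X.509 signature over a SAML token that a real STS would produce.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample: issuers this relying party trusts, with the key used to
# verify each one's signature. A token from any other issuer is rejected
# no matter what it says, because trust in a claim is trust in its issuer.
TRUSTED_ISSUERS = {
    "urn:example:domain-controller": b"constructed-domain-controller-key",
    "urn:example:partner-sts": b"constructed-partner-sts-key",
}
# Relying-party session cache: session id -> claims taken from a verified token.
SESSIONS = {}


class TokenRejected(Exception):
    """Raised by the relying party when a token must not be trusted."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(body: dict) -> bytes:
    # Canonical serialization, so the bytes that were signed can be rebuilt exactly.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer, key, subject, claims, lifetime_s=300, now=None):
    """STS side: serialize a set of claims about `subject` and sign them as `issuer`."""
    now = int(time.time()) if now is None else now
    body = {"issuer": issuer, "subject": subject, "issued_at": now,
            "expires_at": now + lifetime_s, "claims": claims}
    payload = _serialize(body)
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def read_token(token, now=None):
    """Relying-party side: return the claims only if the token is well formed, comes
    from a trusted issuer, carries a valid signature and is inside its lifetime."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        body = json.loads(payload)
        issuer = body["issuer"]
    except (ValueError, TypeError, KeyError) as exc:
        raise TokenRejected("malformed token") from exc
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise TokenRejected(f"untrusted issuer {issuer!r}")
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        raise TokenRejected("signature does not verify: claims were altered or forged")
    now = int(time.time()) if now is None else now
    if not body["issued_at"] <= now < body["expires_at"]:
        raise TokenRejected("token expired or not yet valid")
    return body


def is_accepted(token, now=None) -> bool:
    try:
        read_token(token, now)
        return True
    except TokenRejected:
        return False


def tamper_claims(token, **new_claims):
    """Model a user editing the claims in a token they were handed; the old signature stays."""
    payload_b64, sig_b64 = token.split(".")
    body = json.loads(_unb64(payload_b64))
    body["claims"].update(new_claims)
    return _b64(_serialize(body)) + "." + sig_b64


def handle_signin_post(token, now=None) -> str:
    """Passive-client flow: the page returned by the STS POSTs the token back to the
    relying party, which verifies it once and caches the claims under a session cookie."""
    body = read_token(token, now)
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"claims": body["claims"], "expires_at": body["expires_at"]}
    return session_id


def claims_from_cookie(session_id, now=None) -> dict:
    """Later requests present only the cookie; no further trip to the STS is needed."""
    now = int(time.time()) if now is None else now
    session = SESSIONS.get(session_id)
    if session is None or now >= session["expires_at"]:
        raise TokenRejected("no valid session: redirect the browser to the STS")
    return session["claims"]


if __name__ == "__main__":
    dc = "urn:example:domain-controller"
    tok = issue_token(dc, TRUSTED_ISSUERS[dc], "alice", {"name": "Alice", "groups": ["Sales"]})
    print(read_token(tok)["claims"])
    print(is_accepted(tamper_claims(tok, groups=["Sales", "Administrators"])))
    print(claims_from_cookie(handle_signin_post(tok)))
```

Three rejections are worth noticing when running it: a token whose claims were edited after signing fails the signature check, a perfectly well-signed token from an issuer not in TRUSTED_ISSUERS is refused before its signature is even examined, and a token presented after its lifetime is refused even though its signature is still valid. The session cache inherits the token's expiry, so the cookie cannot outlive the claims it was built from.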


Data Source

Why use claims-based identity
Claims-based identity overview and concepts

