wifgeneva-frameworkclaims-based-identity

Custom Claims with Geneva framework and how to "synch" users whitin your app


Maybe this question highlights how little I know about claims identity management, but here it goes.

If using WIF within an application that uses a third party STS for Identity and that uses custom claims for authorization ( something pertinent and specificto the application like CanCreateFooBar )

1) How do I manage the users? Ie, the users from say AD or other membership provider can be identified, but internally in my system i need to know about them and have more user information that has nothing to do with Identity ( so it woulndt really make sense to have this info available outside the system), and that information about the user should be persisted,
The question is How can I manage and create my system data (Starting by the Ids) in a smart way?
The exact scenario I have in my mind is A new employee is added to the company, sys admin creates the user for the Domain with a particular role, how can my system becoem aware of this fact? ( i would probably like the system to prompt an administrator of the system for an action

2) Where are the claim values for those users and roles stored and how can I modify them? Ideally I want to be able to change the perimissions for a particular user and action. Are there any guidelines on this?

I can see that these are probably very lame questions but when I think about how to solve the problem I come up with over complicated solutions or with solutions that require a lot of duplicaiton ( ie create the used in two places ) so I m sure I m just not thinking about this problem in the right way

Thanks


Solution

  • 1) You don't manage the users, not really. You simply take the IClaimsIdentity and use that as the source for your authorization. In my opinion you shouldn't be persisting the claims if you can get away without doing it - the claims should be the source of your user information.

    If you want to build upon the claims then take a unique reference from the claims identity, say email address or ppid/signing key OU hash and use that to build your own database, and add your own information.

    However your system will never become away of changes in a 3rd party identity metabase - not until a new SAML token is issued and parsed in your application.

    2) The claims values are stored nowhere, unless you store them. How you translate that into permissions is up to you - but generally you perform claims transformation to take the external claims and map them to claims internal to your application that you use for permissions. Because claims are coming from external providers you can't change them - you have no connection to those providers.