A Guide to Claims-Based Identity and Access Control (2nd Edition)

Check out the sections related to federating SharePoint -  specifically logout to compliment your readings from the SharePoint whitepaper. 


Summary | Contents | Overview - Contents of the Guide , Audience Requirements , System Requirements , Application Server , ADFS , Active Directory , Client Computer | Community | Future Plans | Feedback and Support | Authors and Contributors | Related Titles


patterns & practices Developer Center

September  2011


Imagine a world where you don't have to worry about authentication. Imagine instead that all requests to your application already include the information you need to make access control decisions and to personalize the application for the user.

In this world, your applications can trust another system component to securely provide user information, such as the user's name or email address, a manager's email address, or even a purchasing authorization limit. The user's information always arrives in the same simple format, regardless of the authentication mechanism, whether it's Microsoft® Windows® integrated authentication, forms-based authentication in a web browser, an X.509 client certificate, or something more exotic. Even if someone in charge of your company's security policy changes how users authenticate, you still get the information, and it's always in the same format. This is the utopia of claims-based identity that A Guide to Claims-Based Identity and Access Control describes.

This is the second edition of this popular guide. It has been extensively updated to include new features and changes to the underlying technologies; and extends the coverage to encompass Windows Azure® Access Control Service, REST-based service authentication, and the use of claims-based authentication in Microsoft SharePoint® 2010. As you'll see, claims provide an innovative approach for building all types of applications that must authenticate and authorize users. 

This edition also has a set of associated Hands-on-Labs that will help you to better understand the way that the example application works, how you can extend it with additional functionality, and how you can implement some of the advanced scenarios described in the guide.


Example code




The samples for this content are licensed under the Microsoft Public License (Ms-PL) which can be found at http://www.microsoft.com/en-us/openness/resources/licenses.aspx#MPL




Future Plans

Feedback and Support

Authors and Contributors

Related Titles


This book gives you enough information to evaluate claims-based identity as a possible option when you are planning a new application or making changes to an existing one. It is intended for any architect, developer, or information technology (IT) professional who designs, builds, or operates Web applications and services that require identity information about their users.

Although claims-based identity has been possible for quite a while, there are now tools available that make it much easier for developers of Windows-based applications to implement it. These tools include the Windows Identity Foundation (WIF), Microsoft Active Directory® Federation Services (ADFS) v2, and Windows Azure Access Control Service (ACS). This book shows you when and how to use these tools in the context of some commonly occurring scenarios.

Contents of the Guide


An Introduction to Claims explains what a claim is and provides general rules on what makes good claims and how to incorporate them into your application. It's probably a good idea that you read this chapter before you move on to the scenarios.

Claims-Based Architectures shows you how to use claims with browser-based applications and smart client applications. In particular, the chapter focuses on how to implement single sign-on for your users, whether they are on an intranet or an extranet. This chapter is optional. You don't need to read it before you proceed to the scenarios.

Claims-Based Single Sign-On for the Web and Windows Azure is the starting point of the path that explores the implementation of single sign-on and federated identity. This chapter shows you how to implement single sign-on and single sign-out within a corporate intranet. Although this may be something that you can also implement with Integrated Windows Authentication, it is the first stop on the way to implementing more complex scenarios. It includes a section for Windows Azure™ technology platform that shows you how to move the claims-based application to the cloud.

Federated Identity for Web Applications shows how you can give your business partners access to your applications while maintaining the integrity of your corporate directory and theirs. In other words, your partners' employees can use their own corporate credentials to gain access to your applications.

Federated Identity with Windows Azure Access Control Service is the start of a parallel path that explores Windows Azure Access Control Service (ACS) in the context of single sign-on and federated identity. This chapter extends the scenarios described in the previous chapter to enable users to authenticate using social identity providers such as Google and Windows Live® network of Internet services.

Federated Identity with Multiple Partners is a variation of the federated identity scenario that shows you how to federate with partners who have no issuer of their own as well as those who do. It demonstrates how to use the ASP.NET MVC framework to create a claims-aware application.

Federated Identity with Multiple Partners and Windows Azure Access Control Service extends the scenarios described in the previous chapter to include ACS to give users additional choices for authentication that include social identity providers such as Google and Windows Live.

Claims Enabling Web Services is the first of a set of chapters that explore authentication for active clients rather than web browsers. This chapter shows you how to use the claims-based approach with web services, whereby a partner uses a smart client that communicates with identity providers and token issuers using SOAP-based services.

Securing REST Services shows how to use the claims-based approach with web services, whereby a partner uses a smart client that communicates with identity providers and token issuers using REST-based services.

Accessing REST Services from a Windows Phone Device shows how you can use claims-based techniques with Windows Phone™ wireless devices. It discusses the additional considerations that you must take into account when using claims-based authentication with mobile devices.

Claims-Based Single Sign-On for Microsoft SharePoint 2010 begins a path that explores how you can use claims-based identity techniques with Microsoft SharePoint 2010. This chapter shows how SharePoint web applications can use claims-based authentication with an external token issuer such as ADFS to enable access from both internal locations and externally over the web.

Federated Identity for SharePoint Applications extends the previous chapter to show how you can use federated identity techniques to enable users to authenticate using more than one identity provider and token issuer.

Audience Requirements

Although applications that use claims-based identity exist on many platforms, this book is written for people who work with Windows-based systems. You should be familiar with the Microsoft .NET Framework, ASP.NET, Windows Communication Foundation (WCF), Microsoft Active Directory®, and Microsoft Visual C#®.

System Requirements

You can either run the samples that illustrate the scenarios in the guide on your own system or you can create a realistic lab environment. Running the scenarios on your own system is very simple and has only a few requirements. These are the system requirements for running the scenarios on your system:

  • Microsoft Windows Vista® SP1, Windows 7, Windows Server 2008 (32-bit or 64-bit), or Windows Server 2008 R2 (32-bit or 64-bit)
  • Microsoft Internet Information Services (IIS) 7.0 or 7.5
  • Microsoft .NET Framework 4.0
  • Microsoft Visual Studio® 2010 (excluding Express editions)
  • Windows Azure Tools for Microsoft Visual Studio
  • Windows Identity Foundation

Running the scenarios in a realistic lab environment, with an instance of Active Directory Federation Services (ADFS) and Active Directory, requires an application server, ADFS, Active Directory, and a client system. Here are their system requirements.

Note: The example code for this guide and for the associated Hands-on-Labs was built using the Windows Azure Tools for Visual Studio version 1.3 (March 2011), and has also been tested using version 1.4 (August 2011) of the tools. The Dependency Checker utility provided with the examples will check for the presence of either the version 1.3 or version 1.4 release of the tools. If you have version 1.4 installed, you will be prompted to migrate the solutions to this version when you open them in Visual Studio.

Application Server

The application server requires the following:

  • Windows Server 2008 or Windows Server 2008 R2
  • Microsoft Internet Information Services (IIS) 7.0 or 7.5
  • Microsoft Visual Studio 2010 (excluding Express editions)
  • .NET Framework 4.0
  • Windows Identity Foundation


The ADFS server requires the following:

  • Windows Server 2008 or Windows Server 2008 R2
  • Microsoft Internet Information Services (IIS) 7.0 or 7.5
  • .NET Framework 4.0
  • Microsoft SQL Server® 2005 or 2008 Express Edition

Active Directory

The Active Directory system requires Windows Server 2008 or Windows Server 2008 R2 with Active Directory installed.

Client Computer

The client computer requires Windows Vista or Windows 7 for active scenarios. Passive scenarios may use any web browser as the client that supports HTTP redirection.


This guide, like many patterns & practices deliverables, is associated with a community site. On this community site, you can post questions, provide feedback, or connect with other users for sharing ideas. Community members can also help Microsoft plan and test future guides, and download additional content such as extensions and training material.

Future Plans

Additional content and plans will be published to the community site.

Feedback and Support

Questions? Comments? Suggestions? To provide feedback about this guide, or to get help with any problems, please visit the Community site. The message board on the community site is the preferred feedback and support channel because it allows you to share your ideas, questions, and solutions with the entire community. A Guide to Claims-based Identity and Access Control is a guidance offering, designed to be reused, customized, and extended. It is not a Microsoft product. Code-based guidance is shipped "as is" and without warranties. Customers can obtain support through Microsoft Support Services for a fee, but the code is considered user-written by Microsoft support staff.

Authors and Contributors

This guide was produced by the following individuals:

  • Program and Product Management:  Eugenio Pace
  • Subject Matter Experts: Dominic Betts, Dominick Baier, Vittorio Bertocci, Keith Brown, and Matias Woloski
  • Development: Scott Densmore, Federico Boerr and Nicolas Paez
  • Test team: Masashi Narumoto, Rathi Velusamy and RaviShankar Chemudupati
  • Edit team: RoAnn Corbisier, Colin Campbell (Modeled Computation LLC), Roberta Leibovitz (Modeled Computation LLC), Alex Homer, Nancy Mitchell, and Tina Burden
  • Book design and illustrations: John Hubbard (eson), Ellen Forney and Veronica Ruiz
  • Release Management: Richard Burte

We want to thank the customers, partners, and community members who have patiently reviewed our early content and drafts. Among those, we want to highlight the exceptional contributions of Zulfiqar Ahmed, Michele Leroux Bustamante (IDesign), Pablo Mariano Cibraro (Tellago Inc), Hernan DeLahitte (DigitFactory), Pedro Felix, Tim Fischer (Microsoft Germany), Mario Fontana, David Hill, Doug Hiller, Jason Hogg, Ezequiel Jadib (Southworks), Brad Jonas, Seshadri Mani, Marcelo Mas, Vijayavani Nori, Krish Shenoy, Travis Spencer (www.travisspencer.com), Mario Szpuszta (Sr. Architect Advisor, Microsoft Austria), Chris Tavares, Peter M. Thompson, Todd West, Robert Bogue, Jonathan Cisneros, Shy Cohen, David Crawford, Laura Hunter, Chris Keyser, Jason Lee, Alik Levin, Nicolas Paez, Brian Puhl, Paul Schaeflein, Ken St. Cyr, Venky Veeraraghavan, Bill Wilder, Daz Wilkin, Jim Zimmerman, Steve Peschka, and Christian Nielsen.

Finally, we want to thank Stuart Kwan and Conrad Bayer from the Identity Division at Microsoft for their support throughout, and everyone who participated in our CodePlex community site.

Related Titles


Next | Home