access control. The process of making authorization decisions for a given resource.
access control rule. A statement that is used to transform one set of claims into another set of claims. An example of an access control rule might be: any subject that possesses the claim "Role=Contributor" should also have the claim "CanAddDocuments=True". Each access control system will have its own rule syntax and method for applying rules to input claims.
access control system (ACS). The aspect of a software system responsible for authorization decisions.
account management. The process of maintaining user identities.
ActAs. A delegation role that allows a third party to perform operations on behalf of a subject via impersonation.
active client. A claims-based application component that makes calls directly to the claims provider. Compare with passive client.
Active Directory Federation Services (ADFS). An issuer that is a component of the Microsoft® Windows® operating system. It issues and transforms claims, enables federations, and manages user access.
active federation. A technique for accessing a claims provider that does not involve the redirection feature of the HTTP protocol. With active federation, both endpoints of a message exchange are claims-aware. Compare with passive federation.
assertion. Within a closed-domain model of security, a statement about a user that is inherently trusted. Assertions, with inherent trust, may be contrasted with claims, which are only trusted if a trust relationship exists with the issuer of the claim.
authentication. The process of verifying an identity.
authority. The trusted possessor of a private key.
authorization. See authorization decision.
authorization decision. The determination of whether a subject with a given identity can gain access to a given resource.
back-end server. A computing resource that is not exposed to the Internet or that does not interact directly with the user.
blind credential. A trusted fact about a user that does not reveal the identity of the user but is relevant for making an authorization decision. For example, an assertion that the user is over the age of 21 may be used to grant access.
bootstrap token. A security token that is passed to a claims provider as part of a request for identity delegation. This is part of the ActAs delegation scenario.
certificate. A digitally signed statement of identity.
certificate authority. An entity that issues X.509 certificates.
claim. A statement, such as a name, identity, key, group, permission, or capability made by one subject about itself or another subject. Claims are given one or more values and then packaged in security tokens that are distributed by the issuer.
claims model. The vocabulary of claims chosen for a given application. The claims provider and claims-based application must agree on this vocabulary of claims. When developing a claims-based application, you should code to the claims model instead of calling directly into platform-specific security APIs.
claims processing. A software feature that enables a system to act as a claims provider, claims requester, or claims-based application. For example, a security token service provides claims processing as part of its feature set.
claims producer. A claims provider.
claims provider. A software component or service that generates security tokens upon request. Also known as the issuer of a claim.
claims requester. The client of a security token service. An identity selector is a kind of claims requester.
claims transformer. A claims provider that accepts security tokens as input; for example, as a way to implement federated identity or access control.
claims type. A string, typically a URI, that identifies the kind of claim. All claims have a claims type and a value. Example claims types include FirstName, Role, and the private personal identifier (PPID). The claims type provides context for the claim value.
claims value. The value of the statement in the claim being made. For example, if the claims type is FirstName, a value might be Matt.
claims-based application. A software application that uses claims as the basis of identity and access control. This is in contrast to applications that directly invoke platform-specific security APIs.
claims-based identity. A set of claims from a trusted issuer that denotes user characteristics such as the user's legal name or email address. In an application that uses the Windows Identity Foundation (WIF), claims-based identity is represented by run-time objects that implement the IClaimsIdentity interface.
claims-based identity model. A way to write applications so that the establishment of user identity is external to the application itself. The environment provides all required user information in a secure manner.
client. An application component that invokes web services or issues HTTP requests on behalf of a local user.
cloud. A dynamically scalable environment such as Microsoft Azure™ for hosting Internet applications.
cloud application. A software system that is designed to run in the cloud.
cloud provider. An application hosting service.
cloud service. A web service that is exposed by a cloud application.
credentials. Data elements used to establish identity or permission, often consisting of a user name and password.
credential provisioning. The process of establishing user identities, such as user names and initial passwords, for an application.
cryptography. The practice of obfuscating data, typically via the use of mathematical algorithms that make reading data dependent on knowledge of a key.
digital signature. The output of a cryptographic algorithm that provides evidence that the message's originator is authentic and that the message content has not been modified in transit.
domain. Area of control. Domains are often hierarchically structured.
domain controller. A centralized issuer of security tokens for an enterprise directory.
DPAPI. The Data Protection API (DPAPI) is a password-based data protection service that uses the Triple-DES cryptographic algorithm to provide operating system-level data protection services to user and system processes via a pair of function calls.
enterprise directory. A centralized database of user accounts for a domain. For example, the Microsoft Active Directory® Domain Service allows organizations to maintain an enterprise directory.
enterprise identity backbone. The chosen mechanism for providing identity and access control within an organization; for example, by running Active Directory Federation Services (ADFS).
federated identity. A mechanism for authenticating a system's users based on trust relationships that distribute the responsibility for authentication to a claims provider that is outside of the current security realm.
federatedAuthentication attribute. An XML attribute used in a Web.config file to indicate that the application being configured is a claims-based application.
federation provider. A type of identity provider that provides single sign-on functionality between an organization and other identity providers (issuers) and relying parties (applications).
federation provider security token service (FP-STS). A software component or service used by a federation provider to accept security tokens from a federation partner and then transform the claims in the incoming security token into new claims and security tokens in a format consumable by the relying party (application). In other words, a security token service that receives security tokens from a trusted federation partner or identity provider (IdP-STS) and, acting as the relying party security token service (RP-STS), issues new security tokens to be consumed by a local relying party application.
FedUtil. The utility provided by Windows Identity Foundation for the purpose of establishing federation.
forest. A collection of domains governed by a central authority. Active Directory Federation Services (ADFS) can be used to combine two Active Directory forests in a single domain of trust.
forward chaining logic. An algorithm used by access control systems that determines permissions based on the application of transitive rules such as group membership or roles. For example, using forward chaining logic, an access control system can deduce that user X has permission Z whenever user X has role Y and role Y implies permission Z.
home realm discovery. The process of determining a user's issuer.
identity. In this book, this refers to claims-based identity. There are other meanings of the word "identity," so we will further qualify the term when we intend to convey an alternate meaning.
identity delegation. Enabling a third party to act on one's behalf.
identity model. The organizing principles used to establish the identity of an application's user. See claims-based identity model.
identity provider (IdP). An organization issuing claims in security tokens. For example, a credit card provider organization might issue a claim in a security token that enables payment if the application requires that information to complete an authorized transaction.
identity security token service (I-STS). An identity provider.
information card. A visual representation of an identity with associated metadata that may be selected by a user in response to an authentication request.
input claims. The claims given to a claims transformer such as an access control system.
issuer. The claims provider for a security token; that is, the entity that possesses the private key used to sign a given security token. In the IClaimsIdentity interface, the Issuer property returns the claims provider of the associated security token. The term may be used more generally to mean the issuing authority of a Kerberos ticket or X.509 certificate, but this second use is always made clear in the text.
issuer name registry. A list of URIs of trusted issuers. You can implement a class derived from the abstract class IssuerNameRegistry (this is part of the Windows Identity Foundation) in order to pick an issuer-naming scheme and also implement custom issuer validation logic.
issuing authority. Claims provider; the issuer of a security token. (The term has other meanings that will always be made clear with further qualification in the text.)
Kerberos. The protocol used by Active Directory domain controllers to allow authentication in a networked environment.
Kerberos ticket. An authenticating token used by systems that implement the Kerberos protocol, such as domain controllers.
key. A data element, typically a number or a string, that is used by a cryptographic algorithm when encrypting plain text or decrypting cipher text.
key distribution center (KDC). In the Kerberos protocol, a key distribution center is the issuer of security tickets.
Lightweight Directory Access Protocol (LDAP). A TCP/IP protocol for querying directory services, for example to look up other email users on the Internet or on a corporate intranet.
Local Security Authority (LSA). A component of the Windows operating system that applications can use to authenticate and log users on to the local system.
Local Security Authority Subsystem Service (LSASS). A component of the Windows operating system that enforces security policy.
managed information card. An information card provided by an external identity provider. By using managed cards, identity information is stored with an identity provider, which is not the case with self-issued cards.
management APIs. Programmable interface for configuration or maintenance of a data set. Compare with portal.
moniker. An alias used consistently by a user in multiple sessions of an application. A user with a moniker often remains anonymous.
multiple forests. A domain model that is not hierarchically structured.
multi-tenant architecture. A cloud-based application designed for running in multiple data centers, usually for the purpose of geographical distribution or fault tolerance.
on-premises computing. Software systems that run on hardware and network infrastructure owned and managed by the same enterprise that owns the system being run.
output claims. The claims produced by a claims transformer such as an access control system.
passive client. A web browser that interacts with a claims-based application running on an HTTP server.
passive federation. A technique for accessing a claims provider that involves the redirection feature of the HTTP protocol. Compare with active federation.
perimeter network. A network that acts as a buffer between an internal corporate network and the Internet.
permission. The positive outcome of an authorization decision. Permissions are sometimes encoded as claims.
personalization. A variant of access control that causes the application's logic to change in the presence of particular claims. Security trimming is a kind of personalization.
policy. A statement of addresses, bindings, and contracts structured in accordance with the WS-Policy specification. It includes a list of claim types that the claims-based application needs in order to execute.
portal. Web interface that allows viewing and/or modifying data stored in a back-end server.
principal. A run-time object that represents a subject. Claims-based applications that use the Windows Identity Foundation expose principals using the IClaimsPrincipal interface.
private key. In public key cryptography, the key that is not published. Possession of the correct private key is considered to be sufficient proof of identity.
privilege. A permission to do something such as access an application or a resource.
proof key. A cryptographic token that prevents security tokens from being used by anyone other than the original subject.
public key. In public key cryptography, the key that is published. Possession of a user's public key allows the recipient of a message sent by the user to validate the message's digital signature against the contents of the message. It also allows a sender to encrypt a message so that only the possessor of the private key can decrypt the message.
public key cryptography. A class of cryptographic algorithms that use one key to encrypt data and another key to decrypt this data.
public key infrastructure (PKI). Conventions for applying public key cryptography.
realm. A security realm.
relying party (RP). An application that relies on security tokens and claims issued by an identity provider.
relying party security token service (RP-STS). See federation provider security token service.
resource. A capability of a software system or an element of data contained by that system; an entity such as a file, application, or service that is accessed via a computer network.
resource security token service (R-STS). A claims transformer.
REST protocols. Data formats and message patterns for representational state transfer (REST), which abstracts a distributed architecture into resources named by URIs connected by interfaces that do not maintain connection state.
role. An element of identity that may justify the granting of permission. For example, a claim that "role is administrator" might imply access to all resources. The concept of role is often used by access control systems based on the role-based access control (RBAC) model as a convenient way of grouping users with similar access needs.
role-based access control (RBAC). An established authorization model based on users, roles, and permissions.
SAML 2.0. A data format used for encoding security tokens that contain claims. Also, a protocol that uses claims in SAML format. See Security Assertion Markup Language (SAML).
scope. In Microsoft Access Control Services, a container of access control rules for a given application.
Security Assertion Markup Language (SAML). A data format used for encoding security tokens that contain claims. Also, a particular protocol that uses claims in SAML format.
security attribute. A fact that is known about a user because it resides in the enterprise directory (thus, it is implicitly trusted). Note that with claims-based identity, claims are used instead of security attributes.
security context. A Microsoft .NET Framework concept that corresponds to the IPrincipal interface. Every .NET Framework application runs in a particular security context.
security infrastructure. A general term for the hardware and software combination that implements authentication, authorization, and privacy.
security policy. Rules that determine whether a claims provider will issue security tokens.
security token. An on-the-wire representation of claims that has been cryptographically signed by the issuer of the claims, providing strong proof to any relying party of the integrity of the claims and the identity of the issuer.
security token service (STS). A claims provider implemented as a web service that issues claims and packages them in encrypted security tokens (see WS-Security and WS-Trust). Active Directory Federation Services (ADFS) is an example of a security token service. Also known as an issuer.
security trimming. (informal) The process of altering an application's behavior based on a subject's available permissions.
service. A web service that adheres to the SOAP standard.
service provider. An application. The term is commonly used with the Security Assertion Markup Language (SAML).
session key. A private cryptographic key shared by both ends of a communications channel for the duration of the communications session. The session key is negotiated at the beginning of the communication session.
SOAP. A web standard (protocol) that governs the format of messages used by web services.
social identity provider (social IdP). A term used in this book to refer to identity services offered by well-known web service providers such as Windows Live®, Facebook, Google, and Yahoo!.
software as a service (SaaS). A software licensing method in which users license software on demand for limited periods of time rather than purchasing a license for perpetual use. The software vendor often provides the execution environment as, for example, a cloud-based application running as a web service.
subject. A person. In some cases, business organizations or software components are considered to be subjects. Subjects are represented as principals in a software system. All claims implicitly speak of a particular subject. The Windows Identity Foundation type, IClaimsPrincipal, represents the subject of a claim.
System.IdentityModel.dll. A component of the .NET Framework 3.0 that includes some claims-based features, such as the Claim and ClaimSet classes.
token. A data element or message.
trust. The acceptance of another party as being authoritative over some domain or realm.
trust relationship. The condition of having established trust.
trusted issuer. A claims provider for which trust has been established via the WS-Trust protocol.
user credentials. A set of identifying information belonging to a user. An example is a user name and password.
web identity. Authenticated identifying characteristics of the sender of an HTTP request. Often, this is an authenticated email address.
web single sign-on (web SSO). A process that enables partnering organizations to exchange user authentication and authorization data. By using web SSO, users in partner organizations can transition between secure web domains without having to present credentials at each domain boundary.
Windows Communication Foundation (WCF). A component of the Windows operating system that enables web services.
Windows identity. User information maintained by Active Directory.
Windows Identity Foundation (WIF). A .NET Framework library that enables applications to use claims-based identity and access control.
WS-Federation. A standard that defines mechanisms that are used to enable identity, attribute, authentication, and authorization federation across different trust realms. This standard includes an interoperable use of HTTP redirection in order to request security tokens.
WS-Federation Authentication Module (FAM). A component of the Windows Identity Foundation that performs claims processing.
WS-Federation Passive Requestor Profile. Describes how the cross-trust realm identity, authentication, and authorization federation mechanisms defined in WS-Federation can be used by passive requesters such as web browsers to provide identity services. Passive requesters of this profile are limited to the HTTP protocol.
WS-Policy. A web standard that specifies how web services may advertise their capabilities and requirements to potential clients.
WS-Security. A standard that consists of a set of protocols designed to help secure web service communication using SOAP.
WS-Trust. A standard that takes advantage of WS-Security to provide web services with methods to build and verify trust relationships.
X.509. A standard format for certificates.
X.509 certificate. A digitally signed statement that includes the issuing authority's public key.