Applies To: Active Directory Federation Services (AD FS) 2.0
In the context of digital identities, claims are statements that one subject (a person, organization, or thing) makes about itself or another subject. For example, claims can be made about the name, age, role, or other characteristics of a person. These claims can be made by a person directly or provided to others by a third party. Other parties can rely on the values of the claims to perform a process of digital identification.
Working with claims
At its most basic level, Active Directory Federation Services (AD FS) 2.0 works with claims and uses its Federation Service in the following ways:
When a Federation Service is configured in the claims provider role, it serves as a claims producer—authenticating users and issuing outgoing claims on their behalf. In this role, the Federation Service can retrieve claims data from an attribute store and then send that information back in the form of tokens.
When a Federation Service is configured in the relying party role, it can also serve as a claims consumer—processing and trusting the incoming tokens that other claims providers pass to it. While relying parties can often simply be applications that are claims aware and that are able to process these tokens, in this role, AD FS 2.0 also supports federated identity scenarios in which a relying party validates or handles claims that another claims provider issues. More precisely, a Federation Service in the relying party role looks at and validates claims that some other Federation Service asserts and, upon successful validation, it either reaffirms those claims to its relying parties or it asserts additional or even different claims in the token that it issues.
Benefits of claims-aware identity
Makes it possible for developers of private or internal applications within organizations to simplify identity issues they must resolve to meet business requirements. Using a claim-based approach, the developer can incorporate an open, flexible approach to authenticating and verifying users.
Makes it possible for information technology (IT) professionals to extend access privileges to other people outside their organization—either in a trusted partner organization or to users on the Internet)—without incurring the overhead of creating and managing new user accounts for external users or reducing service isolation and the overall security of their deployments.