Introducing Microsoft code name Zermatt
Zermatt is a set of .NET Framework classes: a framework for implementing claims-based identity in your applications.
When you build claims-aware applications, the user presents an identity to your application as a set of claims. One claim could be the user’s name, another might be an e-mail address. The idea here is that an external identity system is configured to give your application everything it needs to know about the user with each request she makes, along with cryptographic assurance that the identity data you receive comes from a trusted source.
Object Model
The Microsoft.IdentityModel namespace (included in Zermatt) extends the classical .NET model, which is based on the IPrincipal and IIdentity interfaces, with two specialized interfaces: IClaimsPrincipal and IClaimsIdentity.
IClaimsPrincipal
In the claims model multiple users or claims-based identities can be party to a single action. The IClaimsPrincipal interface defines the data and behavior of the identities associated with an execution context.
IClaimsPrincipal exposes a collection of identities, each of which implements IClaimsIdentity. In a common case, there will be a single issuer and a single token and the identities collection will only have one element. However, it’s possible in advanced scenarios for a relying party to ask (via policy) for more than one security token, potentially from different issuers.
IClaimsIdentity
This interface defines the basic functionality of a ClaimsIdentity object. It is recommended that this interface be used to access the methods and properties of ClaimsIdentity instead of using ClaimsIdentity directly.
All ClaimsIdentity objects implement the IClaimsIdentity interface.
IClaimsIdentity extends IIdentity, so when you look at a user’s identity you can get her name the same way you always have. In addition, you can look at IClaimsIdentity.Claims to get more information pertaining to the user’s identity, like her e-mail address.
Claim
A Claim describes a property of a subject as observed by or attested to by an issuer. Examples include group or role membership, or age and geographic references. A claim can be evaluated to determine access rights to data and other secured resources during the process of authorization.
Claim.ClaimType is a string (typically a URI) that tells you what the value of the claim means. For example, a claim with a ClaimType of “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname” represents a user’s first name.
Once you know the type of the claim, you can read its value from Claim.Value; Claim.ValueType tells you the format of that value, so you know how to deserialize it.
ClaimsPrincipal
ClaimsPrincipal has the static Current property that is the IClaimsPrincipal associated with the current context.
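The following is an added example of walking the object model described above; it is not code from this post or from Zermatt’s own samples. It assumes the released shape of the Microsoft.IdentityModel.Claims types (ClaimsPrincipal.Current, IClaimsPrincipal.Identities, IClaimsIdentity.Claims, and a Claim with ClaimType, Value, ValueType and an Issuer property), that ClaimTypes.GivenName holds the givenname URI quoted above, and that TrustedIssuer is a placeholder for whatever issuer name your application is configured to trust. The point of the TrustedGivenName method is the check a relying party should make before acting on a claim: the claim’s type is not enough, it must also come from the issuer you trust.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;   // Zermatt / claims object model namespace

// Added example, not part of the original post or of Zermatt.
// Assumptions: Claim exposes an Issuer property, ClaimTypes.GivenName
// holds the givenname URI quoted in the post, and ClaimsPrincipal.Current
// has been populated by the Zermatt pipeline for the current request.
public static class ClaimsInspector
{
    // Placeholder: the issuer name this application is configured to trust.
    private const string TrustedIssuer = "TRUSTED_ISSUER_PLACEHOLDER";

    // Lists every claim carried by every identity of the principal.
    public static void Describe(IClaimsPrincipal principal)
    {
        // IPrincipal.Identity still works: the classical way of reading the name.
        Console.WriteLine("Name via IIdentity: {0}", principal.Identity.Name);

        // Usually a single identity; several when policy asked for more than one token.
        foreach (IClaimsIdentity identity in principal.Identities)
        {
            foreach (Claim claim in identity.Claims)
            {
                Console.WriteLine("{0} = {1} (value type {2}) issued by {3}",
                    claim.ClaimType, claim.Value, claim.ValueType, claim.Issuer);
            }
        }
    }

    // Returns the given name only if the trusted issuer asserted it; null otherwise.
    // Checking the issuer is what stops an application from honouring a
    // correctly typed claim that came from a token it should not trust.
    public static string TrustedGivenName(IClaimsPrincipal principal)
    {
        return principal.Identities
            .SelectMany(identity => identity.Claims)
            .Where(claim => claim.ClaimType == ClaimTypes.GivenName
                         && string.Equals(claim.Issuer, TrustedIssuer, StringComparison.Ordinal))
            .Select(claim => claim.Value)
            .FirstOrDefault();
    }

    public static void Main()
    {
        IClaimsPrincipal principal = ClaimsPrincipal.Current;
        Describe(principal);

        string givenName = TrustedGivenName(principal);
        Console.WriteLine(givenName == null
            ? "No given name from the trusted issuer."
            : "Hello, " + givenName);
    }
}
```

Run this inside a Zermatt-enabled application (so that ClaimsPrincipal.Current carries the claims the issuer sent) after replacing TrustedIssuer with the issuer name from your configuration; in a plain console process the principal will simply have no claims and the trusted given name will be null.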
Helpful links
· Microsoft Code Name Zermatt Setup Package
· Microsoft Code Name “Zermatt” white paper for developers by Keith Brown
In the following posts, I’ll try to show some samples of how to use Zermatt in our applications and services.