Question

I'm new to security and .NET security. I see a lot about claims, issuers, etc., but I feel confused about the definitions.

In easy English, what is a claim? And what is an issuer/original issuer of a claim?


Solution

Sometimes it helps to look up the words in a dictionary. A technical term is selected because it is in some way linked to the original meaning of the word. This is obvious to a native English speaker but not always so obvious to non-native English speakers like myself.

A claim is a demand for or an assertion of a right. You can claim payment for a service or claim a property by inheritance.

Within security, a claim is a statement about who you are, what you have the right to or what you are capable of (or the statement could be about a user or another subject).

The verb to issue is to publish or give something out. An issuer is an institution that issues something.

Technically, an issuer is a service that you authenticate with, and in return it will issue security tokens. These tokens contain claims.

To give an example: if I log into Windows Active Directory, the issuer is Active Directory. When I have been authenticated with Active Directory, a security token is issued, and within this token there are claims about my user name and the security groups I belong to.

Sometimes an issuer will issue new claims based on existing claims. E.g., if you log in to a web site using your Google account then the web site can issue claims about your identity. Some of these claims could originate from Google (like your e-mail address) and then the original issuer would be Google and not the web site (which is the issuer of the claim).

There is in-depth information about this subject in A Guide to Claims-Based Identity and Access Control (2nd Edition) on MSDN.
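The Google example above, written against System.Security.Claims as an added illustration (this is not code from the answer): the issuer names, the user's values and the "Editor" role are constructed, and the re-issuing web site is assumed to hold its own role data.

```csharp
// Added example: Issuer vs OriginalIssuer when a web site re-issues
// claims that came from Google. All names and values are constructed.
using System;
using System.Linq;
using System.Security.Claims;

static class ClaimsDemo
{
    const string Google  = "https://accounts.google.com";   // external identity provider
    const string WebSite = "https://www.example.org/sts";   // the site's own issuer (assumed)

    // What the web site receives after the user signs in with Google:
    // every claim names Google as both Issuer and OriginalIssuer.
    static ClaimsIdentity TokenFromGoogle() => new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Email, "alice@example.org", ClaimValueTypes.String, Google, Google),
        new Claim(ClaimTypes.Name,  "Alice",             ClaimValueTypes.String, Google, Google),
        // An external provider may also send a role claim; the site should not honour it.
        new Claim(ClaimTypes.Role,  "Administrator",     ClaimValueTypes.String, Google, Google),
    }, "Federation");

    // The web site issues a new identity. Claims it passes through keep Google as
    // OriginalIssuer; claims it decides itself carry the site in both fields.
    static ClaimsIdentity ReissueLocally(ClaimsIdentity external)
    {
        var local = new ClaimsIdentity("Federation");
        foreach (var c in external.Claims.Where(c => c.Type != ClaimTypes.Role))
            local.AddClaim(new Claim(c.Type, c.Value, c.ValueType, WebSite, c.OriginalIssuer));

        // Authorization data comes from the site's own records, not from Google.
        local.AddClaim(new Claim(ClaimTypes.Role, "Editor", ClaimValueTypes.String, WebSite, WebSite));
        return local;
    }

    // Relying-party checks: trust the e-mail only if it originated at Google,
    // and a role only if the site itself minted it.
    static bool TrustedEmail(ClaimsIdentity id) =>
        id.FindFirst(ClaimTypes.Email) is Claim e && e.OriginalIssuer == Google;

    static bool IsLocalRole(Claim role) => role.Issuer == WebSite && role.OriginalIssuer == WebSite;

    static void Main()
    {
        var id = ReissueLocally(TokenFromGoogle());
        foreach (var c in id.Claims)
            Console.WriteLine($"{c.Type.Split('/').Last(),-13} issuer={c.Issuer}  originalIssuer={c.OriginalIssuer}");
        Console.WriteLine($"trusted e-mail: {TrustedEmail(id)}");
        Console.WriteLine($"all roles local: {id.FindAll(ClaimTypes.Role).All(IsLocalRole)}");
    }
}
```

The e-mail claim ends up with issuer = the web site and originalIssuer = Google, exactly the distinction the answer draws, while the role claim the external token carried never reaches the local identity.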

OTHER TIPS

I think the definition is very well explained here in MSDN:

A claim is a statement about a subject by an issuer. Claims represent attributes of the subject that are useful in the context of authentication and authorization operations. Subjects and issuers are both entities that are part of an identity scenario. Some typical examples of a subject are: a user, an application or service, a device, or a computer. Some typical examples of an issuer are: the operating system, an application, a service, a role provider, an identity provider, or a federation provider. An issuer delivers claims by issuing security tokens, typically through a Security Token Service (STS). (In WIF, you can build an STS by deriving from the SecurityTokenService class.) On occasion, the collection of claims received from an issuer can be extended by subject attributes stored directly at the resource. A claim can be evaluated to determine access rights to data and other secured resources during the process of authorization and can also be used to make or express authentication decisions about a subject.

Also check out IssuerNameRegistry

This conference session is about the claims basics in .NET 4.5:

https://vimeo.com/43549130

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow