Question

I have just started experimenting with WIF for a new application I'm writing. So far I have managed to get the LocalSTS working and set up my web.config to enable federated authentication against the LocalSTS. My plan is to use the LocalSTS for now and worry about implementing a custom STS later.

I would like to use the federated authentication to authenticate the user, and once they are authenticated, authorize them to perform various actions internally. So, the STS will authenticate, and the application will authorize internally.

To do this, I will need to store the authorized actions for each user (possibly hundreds of unique actions) in my app database, and read those and cache them once a user starts a new session.

What I am wondering is, how do I map a User that was authenticated using federated authentication to a unique user id that exists in my db, while still keeping the application agnostic to the STS I use (be it ADFS, open auth etc.)?

nameidentifier token seems like a good candidate, but then I read that SAML 2 replaces that with a different token.

Am I approaching this completely the wrong way? Am I missing something?

Any help would be greatly appreciated.

Solution

Name is a good candidate, but email, UPN or even a "unique number" are as good. The point is - there is no ultimate candidate.

I think that if your concern is to remain agnostic, you should rather consider defining an STS for the RP as "the address of the STS endpoint and a set of claims that are used to match users".

This way, sts1 could be defined as "https://sts1.blah" and "username claim", but sts2 would be "https://sts2.blah" and "email".

After a few years of experience I see such an approach as the only possibility, just because different STSs offer different claims and there is just no "one claim which is guaranteed to occur always".

Having said that, most of the time we assume that any STS will return at least a username OR an email, and the RP can trust this. This simplifies the matching of users on the RP side.
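
The per-STS rule the answer describes (issuer endpoint plus the claim used to match users) can be implemented in WIF as a `ClaimsAuthenticationManager` that runs after token validation and stamps the principal with the application's own user id. The code below is an added example, not code from the original post or from WIF itself. It assumes the WIF classes built into .NET 4.5 (`System.Security.Claims` in System.IdentityModel.dll), uses the hypothetical issuer URLs from the answer, a hypothetical claim type `urn:example:local-user-id`, and an in-memory dictionary standing in for the app database; the sample users and claims are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Claims;

// One entry per trusted STS: where its tokens come from and which claim identifies a user there.
// The issuer string must equal what the token handler puts in Claim.Issuer (issuer name registry).
public sealed class TrustedSts
{
    public string Issuer { get; set; }
    public string MatchClaimType { get; set; }
}

// Stand-in for the application's user table (constructed sample data, not a real database).
// Keys are (issuer, claim value): an e-mail asserted by sts1 must never resolve to the account
// that sts2 asserted for the same e-mail, so the lookup is scoped by issuer.
public sealed class UserStore
{
    private readonly Dictionary<Tuple<string, string>, int> _users =
        new Dictionary<Tuple<string, string>, int>();

    public void Add(string issuer, string key, int localUserId)
    {
        _users[Tuple.Create(issuer, key)] = localUserId;
    }

    public bool TryGetLocalUserId(string issuer, string key, out int localUserId)
    {
        return _users.TryGetValue(Tuple.Create(issuer, key), out localUserId);
    }
}

public sealed class LocalUserClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Hypothetical claim type owned by the RP; everything downstream authorizes on it.
    public const string LocalUserIdClaimType = "urn:example:local-user-id";

    private readonly Dictionary<string, TrustedSts> _stsByIssuer;
    private readonly UserStore _store;

    public LocalUserClaimsAuthenticationManager(IEnumerable<TrustedSts> trusted, UserStore store)
    {
        _stsByIssuer = trusted.ToDictionary(s => s.Issuer, StringComparer.OrdinalIgnoreCase);
        _store = store;
    }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal; // anonymous request; nothing to map

        // The token handler stamps every claim with the issuer it validated, so read the issuer
        // from there instead of trusting any claim *value* that says who issued the token.
        var issuer = identity.Claims.Select(c => c.Issuer).FirstOrDefault();
        TrustedSts sts;
        if (issuer == null || !_stsByIssuer.TryGetValue(issuer, out sts))
            throw new SecurityException("Token from an unconfigured issuer: " + issuer);

        var match = identity.FindFirst(sts.MatchClaimType);
        if (match == null || string.IsNullOrWhiteSpace(match.Value))
            throw new SecurityException("Issuer " + issuer + " did not supply claim " + sts.MatchClaimType);

        int localUserId;
        if (!_store.TryGetLocalUserId(issuer, match.Value, out localUserId))
            throw new SecurityException("No local account for " + match.Value + " from " + issuer);

        // Issued by the RP itself, not by the STS, so authorization code never sees the STS.
        identity.AddClaim(new Claim(LocalUserIdClaimType, localUserId.ToString(),
                                    ClaimValueTypes.Integer, "LOCAL AUTHORITY"));
        return incomingPrincipal;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new UserStore();
        store.Add("https://sts1.blah", "alice", 42);
        store.Add("https://sts2.blah", "bob@example.com", 43);

        var manager = new LocalUserClaimsAuthenticationManager(new[]
        {
            new TrustedSts { Issuer = "https://sts1.blah", MatchClaimType = ClaimTypes.Name },
            new TrustedSts { Issuer = "https://sts2.blah", MatchClaimType = ClaimTypes.Email },
        }, store);

        // Constructed identity standing in for what the SAML token handler would hand over.
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, "https://sts1.blah"),
            new Claim(ClaimTypes.NameIdentifier, "a1b2c3", ClaimValueTypes.String, "https://sts1.blah"),
        };
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));

        var result = manager.Authenticate("/", principal);
        Console.WriteLine(result.FindFirst(LocalUserClaimsAuthenticationManager.LocalUserIdClaimType).Value);
    }
}
```

In a real RP the manager is registered in web.config under `<system.identityModel><identityConfiguration>` with a `<claimsAuthenticationManager type="Namespace.LocalUserClaimsAuthenticationManager, AssemblyName"/>` element, and the `TrustedSts` list would be loaded from configuration alongside the issuer name registry. The three throws are deliberate: a token from an unlisted issuer, a missing matching claim, or an unknown user all fail closed rather than falling through to an unmapped but authenticated principal. Because the rule is keyed per issuer, moving one STS from "username" to "email" is a configuration change and the authorization code, which only reads the local user id claim, does not change at all.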

Licensed under: CC-BY-SA with attribution