Authorization In Claims Aware Applications – Role Based and Claims Based Access Control

I tried to come up with a quick view on available options for implementing authorization in claims aware applications.

This is what I came up with.

An app (ASP.NET web app, WCF service) can perform two types of access checks when using claims:

  1. RBAC – IsInRole style – similar to what has been available since .NET Fx 1.0, and then enhanced by RoleManager since ASP.NET 2.0.
    1. To do so you must have claims of the Role type coming into your app’s context.
    2. You could prepare the Role type claims at the STS level (ACS, AD FS, 3rd party, custom). Example (step 2): How To: Implement Role Based Access Control (RBAC) in a Claims Aware ASP.NET Application Using WIF and ACS.
    3. You could convert any incoming claim to the Role type at the app level, regardless of which STS you use, using ClaimsAuthenticationManager. Example (step 4): How To: Implement Role Based Access Control (RBAC) in a Claims Aware ASP.NET Application Using WIF and ACS. Here you harness the power of WIF extensibility.
    4. If you are migrating an app that uses RoleManager, you could implement a custom RoleManager and migrate “seamlessly” without changing the app. Example: Authorization With RoleManager For Claims Aware (WIF) ASP.NET Web Applications
  2. CBAC – claims based access control – you implement it the way you want. The key here is that WIF enables you to externalize the authorization decisions, so you could even implement them as a configuration-based policy in your config, and more. You use WIF’s ClaimsAuthorizationManager as the extensibility point to externalize the authorization checks. Example: How To: Implement Claims Based Access Control (CBAC) in a Claims Aware ASP.NET Application Using WIF and ACS
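The two extensibility points from the list, as an added example (not code from the linked how-tos): a ClaimsAuthenticationManager that maps an incoming group claim to a Role claim so IsInRole-style checks work with any STS (RBAC, step 3), and a ClaimsAuthorizationManager that decides access from resource, action and claims (CBAC). It assumes the .NET 4.5 WIF types in System.IdentityModel.dll; the group claim type, the "orderlimit" claim type and the resource/action values are made up for the example.

```csharp
using System.Linq;
using System.Security.Claims;

// RBAC, step 3: convert an incoming claim to the Role type at the app level.
// Registered in web.config under <system.identityModel><identityConfiguration>
// with <claimsAuthenticationManager type="..."/>.
public class GroupToRoleAuthenticationManager : ClaimsAuthenticationManager
{
    // Assumed claim type; substitute whatever your STS actually issues.
    private const string GroupClaimType = "http://schemas.xmlsoap.org/claims/Group";

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incomingPrincipal; // unauthenticated: add nothing

        // Map only values the app knows about, so an arbitrary group string
        // in the token cannot silently become an application role.
        foreach (var group in identity.FindAll(GroupClaimType).ToList())
        {
            if (group.Value == "Sales")
                identity.AddClaim(new Claim(ClaimTypes.Role, "Sales", ClaimValueTypes.String, "app-mapping"));
        }
        return incomingPrincipal;
    }
}

// CBAC: the policy lives here instead of in page or controller code.
// Registered with <claimsAuthorizationManager type="..."/> in the same section.
public class OrdersAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        string resource = context.Resource.First().Value; // e.g. "/Orders" (assumed)
        string action = context.Action.First().Value;     // e.g. "GET" / "POST" (assumed)
        var principal = context.Principal;

        // Deny by default; only explicitly listed combinations pass.
        if (resource == "/Orders" && action == "GET")
            return principal.HasClaim(ClaimTypes.Role, "Sales");
        if (resource == "/Orders" && action == "POST")
            return principal.HasClaim(ClaimTypes.Role, "Sales")
                && principal.HasClaim("http://example.com/claims/orderlimit", "high"); // assumed custom claim
        return false;
    }
}
```

With both registered, the role mapping runs once per request before the page executes, and ClaimsPrincipalPermission or a direct call to CheckAccess consults the policy class rather than hard-coded role names.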