Windows Identity Foundation Simplifies User Access

Microsoft Windows Identity Foundation has been released to the Web (RTW).

It helps simplify user access for developers by externalizing user access from applications via claims and reducing development effort with pre-built security logic and integrated .NET tools. Users can benefit through single sign-on and seamless collaboration across organizational boundaries.

At PDC, Microsoft announced that Windows Identity Foundation will be available in Windows Azure. This means that a federated identity can be used to provide a single sign on to multiple applications, both in the enterprise and in the cloud.

This claims-based architecture is a more flexible approach to establishing a user's identity than a straightforward, on-premises Active Directory system. The claims-based architecture can accept digital identifiers from multiple sources, such as LDAP directories, Active Directory, Outlook or Lotus Notes directories, certificates from security services, or a Windows token.

Once a user's identity verifier is supplied, a central brokering authority compares the "claim" to that required by a particular application. If there's a match, use of the application can proceed.

Any company that has, or plans to have, more than one Web application or Web service can benefit by starting with a claims-based model for identity. One of the major benefits is that application developers can focus only on application business logic while the identity-related requirements are handled by external issuing authorities such as Active Directory Federation Services (ADFS) 2.0 (previously known as "Geneva" Server). Or, if you have in-house identity expertise, you can build a custom provider using WIF.

To get started, see Microsoft Windows Identity Foundation (WIF) Whitepaper for Developers.

Code Sample

The WIF object model for claims may seem a bit complicated at first glance, with subjects, issuers, claim types and values, but in practice it's easy to use. The following code sample shows a typical example from a claims-aware ASP.NET Web application. This example sends a personalized email to the user when she clicks a button.

using System;
using System.Linq;
using System.Net.Mail;
using System.Text;
using System.Threading;
using Microsoft.IdentityModel.Claims;

protected void SendLetter_Click(object sender, EventArgs e)
{
    // WIF replaces the thread principal with a claims-based principal
    IClaimsIdentity id =
        (IClaimsIdentity)Thread.CurrentPrincipal.Identity;

    // you can use a simple foreach loop to find a claim...
    string usersEmail = null;
    foreach (Claim c in id.Claims) {
        if (c.ClaimType == ClaimTypes.Email) {
            usersEmail = c.Value;
            break;
        }
    }

    // you can also use LINQ to find a claim
    // (First() throws if the issuer did not supply a GivenName claim)
    string usersFirstName = (from c in id.Claims
        where c.ClaimType == ClaimTypes.GivenName
        select c).First().Value;

    StringBuilder body = new StringBuilder();
    body.AppendFormat("Dear {0},", usersFirstName);
    body.AppendLine("Thank you for shopping with us!");
    // MailMessage(from, to, subject, body); the sender address is a placeholder
    new SmtpClient().Send(new MailMessage(
        "sender@fabrikam.example", usersEmail,
        "Message from Fabrikam", body.ToString()));
}

In this example, the code uses Thread.CurrentPrincipal to access the user’s identity. Then it loops through all of the claims for the user, using IClaimsIdentity.Claims, looking for the ones it needs right now: first name and email address. It then uses those claims to send a personalized email message to the user. The example also shows two ways of finding claims. The code finds the email claim with a foreach loop, and uses a LINQ expression to find the first name claim.
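As an added example (not from the post or the WIF SDK), the following helper applies the same claims model defensively: it ignores claims from any issuer other than the STS the application trusts (Claim.Issuer) and returns null instead of throwing when a claim is missing. ClaimLookup, Demo and the issuer URIs are assumed names constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Hypothetical helper (not part of WIF): defensive claim lookup for a
// claims-aware page. Only claims minted by the STS this application
// trusts (Claim.Issuer) are used for any decision.
public static class ClaimLookup
{
    public static string TryGetValue(IClaimsIdentity id, string claimType, string trustedIssuer)
    {
        Claim match = id.Claims.FirstOrDefault(c =>
            c.ClaimType == claimType &&
            string.Equals(c.Issuer, trustedIssuer, StringComparison.Ordinal));
        // null rather than the InvalidOperationException First() would throw
        return match == null ? null : match.Value;
    }

    public static bool IsInRole(IClaimsIdentity id, string role, string trustedIssuer)
    {
        return id.Claims.Any(c =>
            c.ClaimType == ClaimTypes.Role && c.Value == role &&
            string.Equals(c.Issuer, trustedIssuer, StringComparison.Ordinal));
    }
}

public static class Demo
{
    // Constructed issuer URI used only for this demonstration
    const string TrustedIssuer = "https://sts.fabrikam.example/";

    public static void Main()
    {
        // Constructed identity standing in for the one WIF builds from a token;
        // in a page use Thread.CurrentPrincipal.Identity as IClaimsIdentity (null-checked)
        var id = new ClaimsIdentity(new List<Claim> {
            new Claim(ClaimTypes.GivenName, "Alice", ClaimValueTypes.String, TrustedIssuer),
            new Claim(ClaimTypes.Role, "Purchaser", ClaimValueTypes.String, TrustedIssuer),
            // a role claim from an unknown issuer must not grant access
            new Claim(ClaimTypes.Role, "Admin", ClaimValueTypes.String, "https://unknown.example/")
        });

        Console.WriteLine(ClaimLookup.TryGetValue(id, ClaimTypes.GivenName, TrustedIssuer));
        Console.WriteLine(ClaimLookup.TryGetValue(id, ClaimTypes.Email, TrustedIssuer) ?? "(no email claim)");
        Console.WriteLine(ClaimLookup.IsInRole(id, "Purchaser", TrustedIssuer));
        Console.WriteLine(ClaimLookup.IsInRole(id, "Admin", TrustedIssuer));
    }
}
```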

Claims Aware Web Site, Web Service

WIF offers built-in Visual Studio project templates for creating a claims-aware ASP.NET application or WCF Web Service. Each template is available within the Visual Studio development environment when you navigate to File –> New –> Web Site… and select Claims-aware ASP.NET Web Site or Claims-aware WCF Service.

For more details, see Microsoft Windows Identity Foundation (WIF) Whitepaper for Developers.

Developer Resources

See the following PDC Videos:

Comprehensive Identity, Access Management

Windows Identity Foundation is part of Microsoft's identity and access management solution built on Active Directory that also includes:

  • Active Directory Federation Services 2.0 (formerly known as "Geneva" Server): a security token service for IT that issues and transforms claims and other tokens, manages user access, and enables federation and access management for simplified single sign-on.
  • Windows CardSpace 2.0 (formerly known as Windows CardSpace "Geneva"): for helping users navigate access decisions and developers to build customer authentication experiences for users.


Bruce D. Kyle
ISV Architect Evangelist | Microsoft Corporation


Special thanks to Information Week: Microsoft Azure Supports Federated ID
