Updated: July 14, 2020 (February 10, 2014)

  Sidebar

Claims-Based Identity and Access Control

by Wes Miller

Wes Miller analyzes and writes about Microsoft’s security, identity management, and systems management technologies. Before joining Directions on Microsoft, Wes...

To control access by employees to internal applications, an organization can rely on Windows- or Kerberos-based authentication and Active Directory Domain Services (AD). However, controlling access to Web-facing or line-of-business applications consumed by users who do not have accounts in the organization’s directory or are unknown to the organization can be more difficult. To better address both of these identity and access control scenarios, Microsoft has moved toward claims-based identity and access control.

A claim is a statement about a user or security principal, such as the user’s name, group membership, or access privileges, made by a trusted organization called an identity provider. A group of claims about a user is packaged together as a security token.

When an identity provider makes a claim for a user, it is vouching for the user. By issuing the security token, the provider is saying it has validated the user and the claims it is making about the user.

Identity providers use a security token service, such as Active Directory Federation Services, to create and issue security tokens. These security token services can accept tokens from multiple identity providers and merge the various claims from the different providers into a single token for the user.
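As an added illustration (not code from the original article or from AD FS itself), the following Python models the three roles the text describes: identity providers whose security token service issues signed tokens, a federation STS that verifies tokens from two providers and merges their claims into one token, and a relying party that trusts the claims only after checking the issuer's signature. Issuer names, keys and claim values are constructed for the demo, and HMAC stands in for the X.509 signature a real STS would use.

```python
import base64, hashlib, hmac, json

# Constructed demo keys; a real STS signs with an X.509 private key, not a shared secret.
HR_KEY, PARTNER_KEY, FED_KEY = b"hr-demo-key", b"partner-demo-key", b"fed-demo-key"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(issuer: str, subject: str, claims: dict, key: bytes) -> str:
    """Identity provider's STS: package the claims and sign them (HMAC-SHA256 stand-in)."""
    payload = {"iss": issuer, "sub": subject, "claims": claims}
    body = b64(json.dumps(payload, sort_keys=True).encode())
    sig = b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, trusted_keys: dict) -> dict:
    """Relying party: trust the claims only if a known issuer's signature checks out."""
    body, sig = token.split(".")
    payload = json.loads(unb64(body))
    key = trusted_keys.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64(sig)):
        raise ValueError("signature mismatch: claims were altered or forged")
    return payload

def federate(tokens: list, trusted_keys: dict, fed_issuer: str, fed_key: bytes) -> str:
    """Federation STS: verify each provider's token, merge the claims, reissue one token.
    Claims are prefixed with their issuer so the application can still tell who vouched."""
    merged, subject = {}, None
    for t in tokens:
        p = verify_token(t, trusted_keys)
        subject = subject or p["sub"]
        for name, value in p["claims"].items():
            merged[f"{p['iss']}/{name}"] = value
    return issue_token(fed_issuer, subject, merged, fed_key)

def demo() -> dict:
    hr = issue_token("hr-adfs", "alice", {"name": "Alice", "role": "Finance"}, HR_KEY)
    partner = issue_token("partner-idp", "alice", {"clearance": "vendor"}, PARTNER_KEY)
    fed = federate([hr, partner], {"hr-adfs": HR_KEY, "partner-idp": PARTNER_KEY},
                   "fed-sts", FED_KEY)
    return verify_token(fed, {"fed-sts": FED_KEY})  # the application trusts only fed-sts
```

The application never needs to know the partner's key: it trusts the federation STS, which in turn vouches for the providers it verified.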
