Updated: July 14, 2020 (November 11, 2013)

  Sidebar

Claims-Based Identity and Access Control


580 words. Time to read: 3 min
by Michael Cherry

Michael analyzed and wrote about Microsoft's operating systems, including the Windows client OS, as well as compliance and governance.

To control access by employees to internal applications, an organization can rely on Windows- or Kerberos-based authentication and Active Directory Domain Services (AD). However, controlling access to Web-facing or line-of-business applications consumed by users who do not have accounts in the organization’s directory or are unknown to the organization can be more difficult. To better address both of these identity and access control scenarios, Microsoft has moved toward claims-based identity and access control.

A claim is a statement about a user or security principal, such as the user’s name, group membership, or access privileges, made by a trusted organization, called an identity provider. A group of claims about a user is packaged together as a security token.

When an identity provider makes a claim for a user, it is vouching for the user. By issuing the security token, the provider is saying it has validated the user and the claims it is making about the user.

Identity providers use a security token service, such as Active Directory Federation Services, to create and issue security tokens. These security token services can accept tokens from multiple identity providers and merge the various claims from the different providers into a single token for the user.
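As an added illustration of the flow just described (example code written for this page, not code from the original article or from AD FS), the Python model below has two identity providers sign claims into tokens, a security token service that validates each incoming token against its own trust list and merges the claims into a single token recording each claim's original issuer, and a relying party that trusts only the STS. The issuer names, keys and claim values are constructed for the example.

```python
import base64, hashlib, hmac, json

def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def issue_token(issuer: str, key: bytes, claims: list) -> dict:
    """The issuer vouches for the claims by signing them together as one token."""
    payload = json.dumps({"iss": issuer, "claims": claims}, sort_keys=True).encode()
    return {"payload": base64.b64encode(payload).decode(), "sig": _sign(key, payload)}

def verify_token(token: dict, trusted: dict) -> dict:
    """Accept a token only if its issuer is trusted and the signature verifies."""
    payload = base64.b64decode(token["payload"])
    body = json.loads(payload)
    key = trusted.get(body["iss"])
    if key is None:
        raise ValueError(f"untrusted issuer: {body['iss']}")
    if not hmac.compare_digest(_sign(key, payload), token["sig"]):
        raise ValueError("signature check failed")
    return body

def sts_issue(tokens: list, trusted: dict, sts_name: str, sts_key: bytes) -> dict:
    """Security token service: validate every incoming token, merge the claims
    (tagging each with the provider that made it), and issue one new token."""
    merged = []
    for tok in tokens:
        body = verify_token(tok, trusted)
        merged += [dict(c, issuer=body["iss"]) for c in body["claims"]]
    return issue_token(sts_name, sts_key, merged)

def has_claim(token: dict, trusted: dict, ctype: str, value: str) -> bool:
    """Relying party: verify the STS token, then decide on the claim it needs."""
    body = verify_token(token, trusted)
    return any(c["type"] == ctype and c["value"] == value for c in body["claims"])

# Constructed sample keys and claims (hypothetical values, not real secrets).
KEYS = {"corp-ad": b"corp-ad-demo-key", "partner-idp": b"partner-demo-key",
        "sts": b"sts-demo-key"}
IDP_TRUST = {"corp-ad": KEYS["corp-ad"], "partner-idp": KEYS["partner-idp"]}
APP_TRUST = {"sts": KEYS["sts"]}  # the application trusts only the STS
TOKENS = [
    issue_token("corp-ad", KEYS["corp-ad"],
                [{"type": "name", "value": "alice"}, {"type": "group", "value": "Approvers"}]),
    issue_token("partner-idp", KEYS["partner-idp"],
                [{"type": "email", "value": "alice@partner.example"}]),
]

def demo() -> bool:
    sts_token = sts_issue(TOKENS, IDP_TRUST, "sts", KEYS["sts"])
    return has_claim(sts_token, APP_TRUST, "group", "Approvers")
```

The relying party never needs the identity providers' keys; it checks the single STS token and reads the claim it cares about.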
