WCF and Identity in .NET 4.5: Overview

Since every principal in .NET 4.5 derives from ClaimsPrincipal, all the higher-level frameworks simply get "claims for free", including ASP.NET and WCF.

Generally speaking there are two new settings in WCF that you care about when you want to work with (claims-based) identity.

UseIdentityConfiguration
WCF in 4.5 can operate in two modes: "classic" and "WIF" (not the official names). In classic mode everything works like in pre-4.5 WCF (except that the principals and identities now derive from the claims base classes).

In "WIF" mode, the security token handler pipeline we know (and love) from WIF is used; this also includes things like ClaimsAuthenticationManager and ClaimsAuthorizationManager. This is equivalent to calling FederatedServiceCredentials.ConfigureServiceHost() in WIF 1.0.

You choose between the two modes by setting the UseIdentityConfiguration property on the ServiceCredentials behavior (ServiceHost.Credentials in code, or the useIdentityConfiguration attribute on the <serviceCredentials> element in config). This tells WCF to get its token handling configuration from the <system.identityModel> configuration section. Internally this replaces the standard ServiceCredentials with FederatedServiceCredentials (like in WIF). Note that this switch only affects the credentials behavior: the ClaimsAuthorizationManager is invoked only in "WIF" mode, so leaving it at the default (false) silently skips any authorization manager you configured.

PrincipalPermissionMode
WCF's usage of IPrincipal and Thread.CurrentPrincipal was always weird (and, as it turns out, just wrong) to start with. Without going into details, there is a new principal permission mode on the ServiceAuthorizationBehavior called Always (ServiceHost.Authorization.PrincipalPermissionMode in code, or the principalPermissionMode attribute on <serviceAuthorization> in config). It is called Always because you should always use it ;)

What Always does is exactly what the name says: for every operation it sets Thread.CurrentPrincipal to a ClaimsPrincipal representing the calling client, regardless of which credential type or authentication mode the binding used. The older modes only did that for some credential types, which is why so much WCF code falls back to ServiceSecurityContext.Current to find out who the caller is. With Always, Thread.CurrentPrincipal (cast to ClaimsPrincipal) is the single place to look, in both classic and "WIF" mode.
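The following self-hosted service wires up both settings from the two sections above in code. It is an added example and not code from the original post: the IProfileService contract, the WS2007HttpBinding endpoint, the localhost address and the AuthenticatedCallersOnly authorization manager are all assumptions made for illustration. It targets .NET 4.5 and references System.ServiceModel and System.IdentityModel.

```csharp
using System;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.Threading;

// Hypothetical contract used only for this example.
[ServiceContract(Namespace = "urn:example:profile")]
public interface IProfileService
{
    [OperationContract]
    string WhoAmI();
}

public class ProfileService : IProfileService
{
    public string WhoAmI()
    {
        // With PrincipalPermissionMode.Always this is the caller's ClaimsPrincipal for
        // every credential type, so there is no need to consult ServiceSecurityContext.Current.
        var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
        if (principal == null)
            throw new InvalidOperationException(
                "Thread.CurrentPrincipal is not a ClaimsPrincipal; check principalPermissionMode.");

        var name = principal.FindFirst(ClaimTypes.Name);
        return name != null ? name.Value : "(anonymous)";
    }
}

// Hypothetical policy: only authenticated callers may invoke any operation.
// This class is only ever called in "WIF" mode (UseIdentityConfiguration = true);
// in classic mode it is silently ignored.
public class AuthenticatedCallersOnly : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        // WCF populates Action with the request's SOAP action and Resource with the
        // endpoint address, so policies can be keyed on the operation being called.
        string action = context.Action.Count > 0 ? context.Action[0].Value : "(none)";

        bool authenticated = context.Principal != null
                             && context.Principal.Identity != null
                             && context.Principal.Identity.IsAuthenticated;

        Console.WriteLine("CheckAccess action={0} authenticated={1}", action, authenticated);
        return authenticated;
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed address and binding (WS2007HttpBinding defaults to message security
        // with Windows client credentials).
        var host = new ServiceHost(typeof(ProfileService), new Uri("http://localhost:8000/profile"));
        host.AddServiceEndpoint(typeof(IProfileService), new WS2007HttpBinding(), "");

        // Setting 1: switch ServiceCredentials into "WIF" mode. Token handlers,
        // ClaimsAuthenticationManager and ClaimsAuthorizationManager now come from
        // <system.identityModel>, or from IdentityConfiguration when set in code as here.
        host.Credentials.UseIdentityConfiguration = true;
        host.Credentials.IdentityConfiguration.ClaimsAuthorizationManager = new AuthenticatedCallersOnly();

        // Setting 2: always place the client's ClaimsPrincipal on Thread.CurrentPrincipal.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Always;

        host.Open();
        Console.WriteLine("Listening on {0}; press Enter to stop.", host.BaseAddresses[0]);
        Console.ReadLine();
        host.Close();
    }
}
```

The same two switches expressed in configuration are the useIdentityConfiguration="true" attribute on the <serviceCredentials> behavior element and principalPermissionMode="Always" on <serviceAuthorization>, with the authorization manager registered under <system.identityModel> / <identityConfiguration> / <claimsAuthorizationManager type="..."/>. Both settings must be applied before the host is opened. A quick check that the wiring is right: with UseIdentityConfiguration left at false, the CheckAccess log line above never appears even though WhoAmI still receives a ClaimsPrincipal, which is the classic-mode behaviour described earlier.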


In the next posts I will go through some common (and sensible) scenarios for WCF and show how you deal with identity.
