In the previous post I talked about claims, what they are and how to create them. Usually a claim doesn’t come on its own – but is grouped into a claim set.
To create a claim set you either derive from ClaimSet or new up a DefaultClaimSet. Which approach you choose depends on your needs. DefaultClaimSet provides a default implementation of a claim set whereas deriving from Claim allows doing your own internal data management (a little bit like deriving from GenericIdentity opposed to implementing the IIdentity interface manually). I used the Claim-derived approach in LeastPrivilege.IdentityModel e.g. to implement a claim set that does lazy loading of claims.
Regardless which approach you choose, a claim set always consists of two parts: a list of claims and an issuer.
The list of claims should contain a single identity claim – this acts as the identity of the claim set. Optionally there can be a number of possess property claims.
The issuer is also described using a claim set. The typical layout of an issuer claim set is a single identity claim that uses the System claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/system) and the same claim as a possess property. The value of these claims is up to the issuer.
System.IdentityModel provides two pre-defined issuer claim sets (available as static properties from the ClaimSet class):
Has a System claim type with a value of ‘System’ (identity and possess property).
Used to describe claim sets that come from the ‘System’.
Has a system claim types with a value of S-1-5 (identity and possess property).
Used as an issuer for WindowsClaimSets.
If a claim set’s issuer points to itself, you have reached the chain root (use ReferenceEquals to check this).
Typically you use these public methods from ClaimSet:
Returns true/false if a specified claim can be found in the claim set
Returns an IEnumerable<Claim> for all matches of a specifed claim type/right
LeastPrivilege.IdentityModel adds two extension methods to ClaimSet:
Returns the identity claim of the claim set
Tells you if the claim set has an issuer
So much for the facts. In the next posts I will talk about where claim sets come from, what are typical operations you do on claim sets and how you use them for authorization.