Using IdentityModel: Claim Sets

In the previous post I talked about claims, what they are and how to create them. Usually a claim doesn’t come on its own – but is grouped into a claim set.

To create a claim set you either derive from ClaimSet or new up a DefaultClaimSet. Which approach you choose depends on your needs. DefaultClaimSet provides a default implementation of a claim set whereas deriving from Claim allows doing your own internal data management (a little bit like deriving from GenericIdentity opposed to implementing the IIdentity interface manually). I used the Claim-derived approach in LeastPrivilege.IdentityModel e.g. to implement a claim set that does lazy loading of claims.

Regardless which approach you choose, a claim set always consists of two parts: a list of claims and an issuer.

The list of claims should contain a single identity claim – this acts as the identity of the claim set. Optionally there can be a number of possess property claims.

The issuer is also described using a claim set. The typical layout of an issuer claim set is a single identity claim that uses the System claim type ( and the same claim as a possess property. The value of these claims is up to the issuer.

System.IdentityModel provides two pre-defined issuer claim sets (available as static properties from the ClaimSet class):

  • ClaimSet.System
    Has a System claim type with a value of ‘System’ (identity and possess property).
    Used to describe claim sets that come from the ‘System’.
  • ClaimSet.Windows
    Has a system claim types with a value of S-1-5 (identity and possess property).
    Used as an issuer for WindowsClaimSets.

If a claim set’s issuer points to itself, you have reached the chain root (use ReferenceEquals to check this).

Typically you use these public methods from ClaimSet:

  • ContainsClaim
    Returns true/false if a specified claim can be found in the claim set
  • FindClaims
    Returns an IEnumerable<Claim> for all matches of a specifed claim type/right

LeastPrivilege.IdentityModel adds two extension methods to ClaimSet:

  • FindIdentityClaim
    Returns the identity claim of the claim set
  • HasIssuer
    Tells you if the claim set has an issuer


So much for the facts. In the next posts I will talk about where claim sets come from, what are typical operations you do on claim sets and how you use them for authorization.

This entry was posted in IdentityModel. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s