Using IdentityModel: Windows and X509Certificate Claim Sets

In System.IdentityModel.Claims you can find two more specialized claim sets for Windows accounts and X509 certificates called WindowsClaimSet and X509CertificateClaimSet respectively.

WCF uses these classes to create claim sets for Windows/certificate clients. But you can also use them “standalone”.

The WindowsClaimSet converts the content of a Windows token to a claim set. You new up this class by passing in a WindowsIdentity. You can get one of these via network authentication, via LogonUser, or by calling WindowsIdentity.GetCurrent(). The generated claims are:

  • A SID identity claim containing the token’s account SID (also available as a possess property)
  • SID possess property claims containing the group SIDs
  • Name possess property claim containing the user name

The issuer of this claim set will be always ClaimSet.Windows.


The X509CertificateClaimSet converts some of the attributes of an X509 certificate (and its issuers) to a claim set. Simply pass a X509Certificate2 to the constructor. The generated claims are:

  • A thumbprint claim containing the cert hash as identity and possess property.
  • The subject name as a X500DistinguishedName claim (possess property)
  • The public key of the certificate as an RSA claim (possess property)
  • Various extended name variations (if contained in the certificate). The claim set calls GetNameInfo on the certificate for DnsName, SimpleName, EmailName, UpnName and UrlName to create DNS, Name, Email, UPN and URI claims respectively.

The claim set issuer chain reflects the certificate issuer chain (by calling X509Chain.Build):

  • When the cert is self issued, the issuer will point to itself.
  • When the issuing cert is available, the issuer will be a X509CertificateClaimSet.
  • When the issuing cert is not available, the issuer will be a simple X509DistinguishedNameClaimSet containing the distinguished name of the issuer as identity and possess property.
This entry was posted in IdentityModel. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s