Using IdentityModel: Claims Transformation in WCF

Posted on March 4, 2008 by Dominick Baier

In the previous post I talked about claims transformation. Two authorization policies are necessary for the scenario I described. The first one maps the “technical” identity to an application identity and the second one creates application specific claims based on the application identity.

Mapping the identity
The first authorization policy grabs the first identity claim from the evaluation context and passes that to some mapping logic (omitted):

class CustomerIdAuthorizationPolicy : IAuthorizationPolicy
{
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        string userId;
        Claim id = evaluationContext.ClaimSets.FindIdentityClaim();

        userId = Map(id);
        evaluationContext.AddClaimSet(this, new CustomerIdClaimSet(userId));
       
        return true;
    }

    public ClaimSet Issuer
    {
        get { return ClaimSet.System; }
    }

    public string Id
    {
        get { return “CustomerIdAuthorizationPolicy”; }
    }
}

The mapping logic then checks the claim type and returns the user id from some data store.

Adding the customer claims
The second policy then checks for the customer id claim and adds the necessary information to the evaluation context:

class CustomerAuthorizationPolicy : IAuthorizationPolicy
{
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        string userId = evaluationContext.ClaimSets.FindClaim(
            Constants.CustomerIdClaimType,
            Constants.ApplicationIssuerIdentityClaim).Get<string>();

        evaluationContext.AddClaimSet(this, new CustomerClaimSet(userId));
        return true;
    }

    public ClaimSet Issuer
    {
        get { return ClaimSet.System; }
    }

    public string Id
    {
        get { return “CustomerAuthorizationPolicy”; }
    }
}

 

The last step is to to add the policies to the serviceAuthorization behavior in the right order:

<serviceAuthorization>
  <authorizationPolicies>
    <add policyType=LeastPrivilege.CustomerIdAuthorizationPolicy, Service />
    <add policyType=LeastPrivilege.CustomerAuthorizationPolicy, Service />
  </authorizationPolicies>
</serviceAuthorization>

 

In the next post I will show you how to accomplish the same thing outside of WCF.

This entry was posted in IdentityModel, WCF. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s