In the previous post I talked about claims transformation. Two authorization policies are necessary for the scenario I described. The first one maps the “technical” identity to an application identity and the second one creates application specific claims based on the application identity.
Mapping the identity
The first authorization policy grabs the first identity claim from the evaluation context and passes that to some mapping logic (omitted):
class CustomerIdAuthorizationPolicy : IAuthorizationPolicy
{
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // The caller's "technical" identity claim (e.g. a Windows SID or a user name).
        // FindIdentityClaim is a helper extension method, not part of System.IdentityModel.
        Claim id = evaluationContext.ClaimSets.FindIdentityClaim();
        if (id == null)
        {
            // Anonymous caller: nothing to map, so no application identity is added
            return true;
        }

        // Map the technical identity to the application's user id (mapping logic omitted)
        string userId = Map(id);

        // Publish the application identity as a claim set for the policies that follow
        evaluationContext.AddClaimSet(this, new CustomerIdClaimSet(userId));

        // true: this policy does not need to be evaluated again for this request
        return true;
    }

    public ClaimSet Issuer
    {
        get { return ClaimSet.System; }
    }

    public string Id
    {
        get { return "CustomerIdAuthorizationPolicy"; }
    }
}
The mapping logic then checks the claim type and returns the user id from some data store.
Adding the customer claims
The second policy then looks for the customer id claim, restricted to claim sets issued by the first policy (that is what the issuer argument to FindClaim is for: a claim of the same type that arrived in the caller's token has a different issuer and is ignored), and adds the application-specific claims to the evaluation context:
class CustomerAuthorizationPolicy : IAuthorizationPolicy
{
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        // Only trust a customer id issued by our own first policy.
        // FindClaim and Get<T> are helper extension methods, not part of System.IdentityModel.
        Claim idClaim = evaluationContext.ClaimSets.FindClaim(
            Constants.CustomerIdClaimType,
            Constants.ApplicationIssuerIdentityClaim);

        if (idClaim == null)
        {
            // No customer id yet (unknown caller, or the first policy has not run):
            // add nothing; false asks WCF to call Evaluate again if other policies add claims
            return false;
        }

        string userId = idClaim.Get<string>();
        evaluationContext.AddClaimSet(this, new CustomerClaimSet(userId));
        return true;
    }

    public ClaimSet Issuer
    {
        get { return ClaimSet.System; }
    }

    public string Id
    {
        get { return "CustomerAuthorizationPolicy"; }
    }
}
The last step is to add the policies to the serviceAuthorization behavior in the right order, since the second policy depends on the claim set the first one adds:
<serviceAuthorization>
  <authorizationPolicies>
    <add policyType="LeastPrivilege.CustomerIdAuthorizationPolicy, Service" />
    <add policyType="LeastPrivilege.CustomerAuthorizationPolicy, Service" />
  </authorizationPolicies>
</serviceAuthorization>
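The two policies above, the claim sets they add and the mapping step are sketched separately in the post. The following is an added example (my code, not the post's or the LeastPrivilege project's) that puts them together into one compilable unit that fails closed: an unmapped caller gets no customer claims, and the second policy only accepts a customer id carrying the application's own issuer. The claim type URIs, the issuer name, the in-memory mapping table, the tier claim and the implementations of the FindIdentityClaim, FindClaim and Get<T> helpers are all assumptions, since the post names them but does not show them.

```csharp
// Added example, not the original post's code. The claim type URIs, the helper
// extension methods and the in-memory stores are ASSUMED stand-ins.
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Linq;

namespace LeastPrivilege
{
    static class Constants
    {
        public const string CustomerIdClaimType = "urn:example:claims:customerid";     // ASSUMED
        public const string CustomerTierClaimType = "urn:example:claims:customertier"; // ASSUMED
        // One issuer shared by both policies, so consumers can filter on it
        public static readonly Claim ApplicationIssuerIdentityClaim =
            Claim.CreateNameClaim("urn:example:customer-service");
        public static readonly ClaimSet ApplicationIssuer = new DefaultClaimSet(ApplicationIssuerIdentityClaim);
    }

    // Stand-ins for FindIdentityClaim/FindClaim/Get<T>, which are not in System.IdentityModel
    static class ClaimSetExtensions
    {
        public static Claim FindIdentityClaim(this ReadOnlyCollection<ClaimSet> sets)
        {
            return sets.SelectMany(s => s.FindClaims(null, Rights.Identity)).FirstOrDefault();
        }
        // Only search claim sets whose issuer carries the given identity claim; claims that
        // arrived in the caller's token have a different issuer and are skipped
        public static Claim FindClaim(this ReadOnlyCollection<ClaimSet> sets, string claimType, Claim issuerIdentity)
        {
            return sets.Where(s => s.Issuer.ContainsClaim(issuerIdentity))
                       .SelectMany(s => s.FindClaims(claimType, Rights.PossessProperty))
                       .FirstOrDefault();
        }
        public static T Get<T>(this Claim claim) { return (T)claim.Resource; }
    }

    static class CustomerDirectory
    {
        // Constructed sample data standing in for the post's omitted data store
        static readonly Dictionary<string, string> Customers = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { { "alice", "C-1001" }, { "S-1-5-21-1000-2000-3000-1105", "C-1002" } };

        // Check the claim type first: Name identities carry a string, Windows (Sid) identities a SecurityIdentifier
        public static string Map(Claim identity)
        {
            string key = identity.ClaimType == ClaimTypes.Name ? identity.Resource as string
                       : identity.ClaimType == ClaimTypes.Sid ? identity.Resource.ToString() : null;
            string customerId;
            return key != null && Customers.TryGetValue(key, out customerId) ? customerId : null;
        }
    }

    class CustomerIdClaimSet : DefaultClaimSet
    {
        public CustomerIdClaimSet(string id) : base(Constants.ApplicationIssuer, new Claim(Constants.CustomerIdClaimType, id, Rights.PossessProperty)) { }
    }

    class CustomerClaimSet : DefaultClaimSet
    {
        public CustomerClaimSet(string customerId) : base(Constants.ApplicationIssuer, Load(customerId)) { }
        // Constructed sample: the tier would normally be read from the application's store
        static Claim[] Load(string customerId)
        {
            return new[] { new Claim(Constants.CustomerIdClaimType, customerId, Rights.PossessProperty),
                           new Claim(Constants.CustomerTierClaimType, customerId == "C-1001" ? "gold" : "standard", Rights.PossessProperty) };
        }
    }

    class CustomerIdAuthorizationPolicy : IAuthorizationPolicy
    {
        public string Id { get { return "CustomerIdAuthorizationPolicy"; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }
        public bool Evaluate(EvaluationContext context, ref object state)
        {
            Claim identity = context.ClaimSets.FindIdentityClaim();
            string customerId = identity == null ? null : CustomerDirectory.Map(identity);
            if (customerId != null)   // fail closed: an unknown caller gets no customer id claim
                context.AddClaimSet(this, new CustomerIdClaimSet(customerId));
            return true;
        }
    }

    class CustomerAuthorizationPolicy : IAuthorizationPolicy
    {
        public string Id { get { return "CustomerAuthorizationPolicy"; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }
        public bool Evaluate(EvaluationContext context, ref object state)
        {
            Claim idClaim = context.ClaimSets.FindClaim(Constants.CustomerIdClaimType, Constants.ApplicationIssuerIdentityClaim);
            if (idClaim == null)
                return false;   // ask WCF to call again once other policies have added claims
            context.AddClaimSet(this, new CustomerClaimSet(idClaim.Get<string>()));
            return true;
        }
    }
}
```

Register both classes in the serviceAuthorization behavior exactly as in the configuration above. Returning false from the second policy while the customer id is missing uses the documented contract of IAuthorizationPolicy.Evaluate (false means "call me again if other policies add claims"), so the policies still work if the registration order is ever changed; keeping the order as shown simply avoids the extra round. Whatever consumes the resulting claims later (an operation, or a ServiceAuthorizationManager) should apply the same issuer filter, so that only claims minted by these policies, and never claims presented by the client, drive access decisions.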
In the next post I will show you how to accomplish the same thing outside of WCF.