Using IdentityModel: Adding ASP.NET Support Part 1 (Authentication based Claims)

Adding claims support to ASP.NET is a perfect candidate for an HTTP module. As a reminiscence to RoleManager, I called mine ClaimsManager. The job of the claims manager is this:

  • Creating claims based on the technical authentication details (Windows, Forms, client certificates etc.)
  • Invoking external claims transformation policies which then build the app specific claims based on the technical ones
  • Making the AuthorizationContext available to pages (via Thread.CurrentPrincipal/Context.User – see my previous post)

The first step is to write an IAuthorizationPolicy to map the ASP.NET authentication details to claims. This is done by inspecting Context.User.Identity and client certificates – if you use a custom identity, you would amend that code (check my previous posts about authorization policies):

// policy that adds ASP.NET authentication type specific claims
public class AspNetAuthenticationPolicy : IAuthorizationPolicy
    public bool Evaluate(
      EvaluationContext evaluationContext, ref object state)
        HttpContext context = HttpContext.Current;
        List<ClaimSet> claimSets = new List<ClaimSet>();

        // Windows or Forms authentication
        if (context.User.Identity is WindowsIdentity)
              new WindowsClaimSet(context.User.Identity as WindowsIdentity));
        else if (context.User.Identity is FormsIdentity ||
                 context.User.Identity is GenericIdentity)
            claimSets.Add(new UserNameClaimSet(context.User.Identity.Name))

        // client certificate
        if (context.Request.ClientCertificate.IsPresent)
            X509Certificate2 certificate = new X509Certificate2(

            claimSets.Add(new X509CertificateClaimSet(certificate));

        claimSets.ForEach(set => evaluationContext.AddClaimSet(this, set));
        return true;

    public System.IdentityModel.Claims.ClaimSet Issuer
        get { return ClaimSet.System; }

    public string Id


In the next post I will show the HTTP module, how it calls the above policy and how it chains in external policies.

This entry was posted in ASP.NET, IdentityModel. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s