One of the things that Zermatt was lacking was a uniform way to look at incoming claims (whether they came from an STS or were auto-converted from other authentication information).
In Geneva we now have a piece of plumbing called the ClaimsAuthenticationManager. It gets called on the first request, when a token comes into your application, and gives you a chance to reject the request, add claims, or create a completely different claims principal (aka claims transformation). The resulting claims go into the session token, and subsequent requests bypass that logic. Two things follow from that: the manager is the place for application-level checks the STS cannot make for you, and whatever you decide there is cached for the lifetime of the session, so changes in the backing data are not picked up until the session token expires or the user authenticates again.
A simple claims authentication manager could look like this:
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSIdentity;

// Namespace and assembly name (AutoClaims) match the type reference used in config below.
namespace LeastPrivilege
{
    // Must be public so the framework can instantiate it from config.
    public class ClaimsTransformer : ClaimsAuthenticationManager
    {
        public override IClaimsPrincipal Authenticate(
            string endpointUri, IClaimsPrincipal incomingPrincipal)
        {
            // Nothing authenticated yet: hand the principal back untouched.
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            // Build a brand-new principal; the incoming claims are discarded.
            return GetClaims(incomingPrincipal.Identity.Name,
                             incomingPrincipal.Identity.AuthenticationType);
        }

        private IClaimsPrincipal GetClaims(string name, string authenticationType)
        {
            ClaimsIdentity id = new ClaimsIdentity(new List<Claim>
            {
                new Claim(WSIdentityConstants.ClaimTypes.Name,
                          name,
                          ClaimValueTypes.String,
                          "LeastPrivilege"),
                new Claim("http://leastprivilege/claims/customClaim",
                          "customValue",
                          ClaimValueTypes.String,
                          "LeastPrivilege")
            }, authenticationType);

            return new ClaimsPrincipal(id);
        }
    }
}
You register the claims auth manager e.g. in config:
<microsoft.identityModel>
  <claimsAuthenticationManager type="LeastPrivilege.ClaimsTransformer, AutoClaims" />
</microsoft.identityModel>
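As an added example that is not part of the original post, here is a manager that exercises the other two options mentioned above, adding claims and rejecting the request, instead of replacing the principal. It keeps the STS-issued claims, looks the caller up in a local store (constructed in-memory data standing in for a membership database) and adds role and department claims from it; a caller the application does not know is rejected even though the STS vouched for them. The namespace, the store contents, the role claim type URI, the department claim type and the issuer name are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using Microsoft.IdentityModel.Claims;

namespace LeastPrivilege
{
    // Added example: enriches the incoming principal rather than replacing it.
    public class EnrichingClaimsTransformer : ClaimsAuthenticationManager
    {
        // Constructed sample data standing in for a membership/role database.
        private static readonly Dictionary<string, string[]> RolesByUser =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice", new[] { "Users", "Admins" } },
                { "bob",   new[] { "Users" } }
            };

        // Assumed values: the issuer name the application stamps on its own claims,
        // the well-known role claim type URI, and a custom claim type.
        private const string AppIssuer = "LeastPrivilege";
        private const string RoleClaimType =
            "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
        private const string DepartmentClaimType =
            "http://leastprivilege/claims/department";

        public override IClaimsPrincipal Authenticate(
            string endpointUri, IClaimsPrincipal incomingPrincipal)
        {
            IClaimsIdentity identity = incomingPrincipal.Identity as IClaimsIdentity;

            // Only transform identities the token handlers actually authenticated.
            if (identity == null || !identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            string name = identity.Name;
            string[] roles;
            if (string.IsNullOrEmpty(name) || !RolesByUser.TryGetValue(name, out roles))
            {
                // Reject: a valid token from the STS is necessary but not sufficient;
                // the caller must also be known to this application.
                throw new SecurityException(
                    "User '" + name + "' is not authorized for " + endpointUri);
            }

            // Add application-specific claims; the claims from the STS stay as-is.
            foreach (string role in roles)
            {
                identity.Claims.Add(
                    new Claim(RoleClaimType, role, ClaimValueTypes.String, AppIssuer));
            }
            identity.Claims.Add(
                new Claim(DepartmentClaimType, "Engineering",
                          ClaimValueTypes.String, AppIssuer));

            // Everything added here ends up in the session token for later requests.
            return incomingPrincipal;
        }
    }
}
```

Register it exactly like the manager above, swapping the type name in the claimsAuthenticationManager element. Because the enriched principal is written into the session token, removing a user from the store does not take effect for an existing session until that session expires; if you need revocation to bite immediately, keep the session lifetime short or re-check on the sensitive operations themselves.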
HTH