ClaimsAuthenticationManager in Geneva

One of the things that Zermatt was lacking was a uniform way to look at incoming claims (either from an STS or from auto-converted authentication information).

In Geneva we now have a piece of plumbing called the ClaimsAuthenticationManager which gets called on the first request when a token comes into your application. This gives you a chance to reject or add claims as well as create a completely different claims principal (aka claims transformation). These new claims go into the session token and subsequent requests will bypass that logic.

A simple claims authentication manager could look like this:

class ClaimsTransformer : ClaimsAuthenticationManager
    public override IClaimsPrincipal Authenticate(
      string endpointUri, IClaimsPrincipal incomingPrincipal)
        return GetClaims(incomingPrincipal.Identity.Name,

    private IClaimsPrincipal GetClaims(string name, string authenticationType)
        ClaimsIdentity id = new ClaimsIdentity(new List<Claim>
            new Claim(WSIdentityConstants.ClaimTypes.Name,
            new Claim(http://leastprivilege/claims/customClaim&#8221;,
        }, authenticationType);

        return new ClaimsPrincipal(id);

You register the claims auth manager e.g. in config:

claimsAuthenticationManager type=LeastPrivilege.ClaimsTransformer, AutoClaims />


This entry was posted in ASP.NET, IdentityModel, WCF. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s