WCF and Identity in .NET 4.5: Accessing Claims

To test the scenarios I described here, I use a simple service that echoes the user’s claims back to the client.

I use the new ClaimsPrincipal.Current, which is the preferred way to access the client’s identity. By default this gives you the claims principal on Thread.CurrentPrincipal.

From there I access the claims from the Claims property on ClaimsPrincipal – this gives you one claims collection over all contained identities (typically only one – but an abstracted programming model).

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.ServiceModel;

// IClaimsService, Identity and ClaimDto are the sample's service contract and
// DTO types; their definitions are not shown in this post.
[ServiceBehavior(Name = "ClaimsService", Namespace = "urn:tt")]
public class ClaimsService : IClaimsService
{
    public Identity GetIdentity()
    {
        // Preferred .NET 4.5 way to get the caller's identity; by default this
        // wraps Thread.CurrentPrincipal as a ClaimsPrincipal.
        var principal = ClaimsPrincipal.Current;

        var id = new Identity
        {
            PrincipalType = principal.GetType().FullName,
            IdentityType = principal.Identity.GetType().FullName,

            // principal.Claims is one collection spanning all contained identities
            Claims = new List<ClaimDto>(
                from claim in principal.Claims
                select new ClaimDto
                {
                    Type = claim.Type,
                    Value = claim.Value,
                    Issuer = claim.Issuer,
                    OriginalIssuer = claim.OriginalIssuer,
                })
        };

        return id;
    }
}
```
This entry was posted in IdentityModel, WCF.

10 Responses to WCF and Identity in .NET 4.5: Accessing Claims

  1. Pingback: WCF and Identity in .NET 4.5: Windows Authentication | www.leastprivilege.com

  2. Pingback: WCF and Identity in .NET 4.5: UserName/Password Authentication | www.leastprivilege.com

  3. Pingback: WCF and Identity in .NET 4.5: Client Certificate Authentication | www.leastprivilege.com

  4. A little note:
    Authentication done from Azure, of the following 3 lines:
    var principal = ClaimsPrincipal.Current;
    var claims1 = ((ClaimsIdentity)principal.Identity).Claims.ToList();
    var claims = principal.Claims.Select(c => new Claim(c.Type, c.Value)).ToList();
    the last one will throw an exception:
    $exception {“Value cannot be null.\r\nParameter name: username”} System.Exception {System.ArgumentNullException}

  5. What do you want to tell me?

  6. Eric says:

    Hi Dominick, I have a doubt…
    In my domain, an user can belong to more than one role. When the claims transformation logic takes place, I’d like to have all those user roles in the resulting claims, but due to the fact that the Claim class constructor takes two strings as arguments, I’ve not been able to deal with a list of roles instead of just one, so something like new Claim(ClaimTypes.Role, currentUser.Role) doesn’t fit my needs, I’d need something like new Claim(ClaimTypes.Role, currentUser.Roles.ToList()), but obviously I can’t do that.
    Is there any way or workaround to accomplish that??

  7. You create one claim per role.
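The following is an added example, not code from the original post, that illustrates both points made above: ClaimsPrincipal.Current exposes one Claims collection over all identities a principal contains, and multiple roles are modelled as one ClaimTypes.Role claim per role (comments 6 and 7). It runs as a plain console program without WCF; the user name, role names, the "urn:tt:department" claim type and the issuer string are constructed sample values.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading;

static class ClaimsDemo
{
    // Builds a principal the way a claims transformation step would.
    // user and roles are constructed sample inputs, not from the post.
    static ClaimsPrincipal BuildPrincipal(string user, string[] roles)
    {
        // Primary identity: a name claim plus one Role claim per role.
        var primary = new ClaimsIdentity("Custom");
        primary.AddClaim(new Claim(ClaimTypes.Name, user));
        primary.AddClaims(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        // A second identity, e.g. claims issued by a different authority
        // (hypothetical claim type and issuer).
        var secondary = new ClaimsIdentity("Custom");
        secondary.AddClaim(new Claim("urn:tt:department", "engineering",
                                     ClaimValueTypes.String, "hypothetical-issuer"));

        return new ClaimsPrincipal(new[] { primary, secondary });
    }

    static void Main()
    {
        var roles = new[] { "admin", "operator" };
        Thread.CurrentPrincipal = BuildPrincipal("alice", roles);

        // Same access pattern as the service above: default selector returns
        // Thread.CurrentPrincipal as a ClaimsPrincipal.
        var principal = ClaimsPrincipal.Current;

        // principal.Claims spans both identities: name + 2 roles + department
        Console.WriteLine("claim count: " + principal.Claims.Count());

        // Role checks work across identities because each role is its own
        // claim of the identity's RoleClaimType (ClaimTypes.Role by default).
        foreach (var role in roles)
            Console.WriteLine("IsInRole(" + role + ") = " + principal.IsInRole(role));
        Console.WriteLine("IsInRole(auditor) = " + principal.IsInRole("auditor"));

        foreach (var c in principal.Claims)
            Console.WriteLine(c.Type + " = " + c.Value + " (issuer: " + c.Issuer + ")");
    }
}
```

Claims added without an explicit issuer report the default issuer "LOCAL AUTHORITY", which is why the echo service above returns Issuer and OriginalIssuer alongside each claim.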

  8. Eric says:

    Great!! Thanks…
    One last thing. I’m developing this project using the DDD approach. How do I take advantage of the ClaimsPrincipalPermission attribute in the generic repository if the type is generic and during compilation time I don’t have access to it (the Resource)???

  9. Sorry that’s too complicated for me ;) I don’t know. When you figure it out, tell me.

  10. Pingback: WCF and Identity in .NET 4.5: External Authentication with WS-Trust | www.leastprivilege.com
