John Mc

Reputation: 2933

Windows Identity Foundation with Claims based Authentication and Multiple Roles

We are implementing a Secure Token Service (STS) which uses Windows Identity Foundation to provide Claims based authentication and authorisation.

My question is really about best practices and how we should handle multiple roles for a given identity.

When creating claims for a user after they have successfully logged in, we need to be able to add the roles that the user is a member of to the claims before returning to the Relying Party.

The Claim object does not accept a collection of strings so I'm wondering how this should be done. I can think of two ways:

  1. I can add multiple Claims of type ClaimTypes.Role with different values and these can be read on the other side (I have tested and this seems to work without any errors)
  2. I could also put the roles into a single claim and delimit them by ; or something like that.

My question is really about which of the above is better, or am I missing something better? Neither solution is perfect as it will require parsing on the other side.

Thanks, John

Upvotes: 0

Views: 941

Answers (1)

rbrayb

Reputation: 46773

If you use ADFS as the STS, it inserts multiple roles into the claim

e.g.

  • ...claims/role Editor
  • ...claims/role Approver

etc.

The advantage of this is that WIF can then use the standard IsInRole constructs etc.

Upvotes: 2
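The following is an added example, not code from the question or the answer, showing the first option from the question (one `ClaimTypes.Role` claim per role) and why the answer prefers it: the relying party can call the standard `IsInRole` without any custom parsing. It assumes .NET 4.5 or later, where WIF's claim types live in `System.Security.Claims`; the user name, the role values and the `"Federation"` authentication type label are constructed sample values, and `RolesFromDelimitedClaim` is a hypothetical helper included only to show the parsing the second option would force on the relying party.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (not from the question or answer): issue one ClaimTypes.Role
// claim per role, then check membership with the framework's IsInRole.
class RoleClaimsDemo
{
    // Constructed sample roles, standing in for what the STS would look up
    // for the user after a successful login.
    static readonly string[] SampleRoles = { "Editor", "Approver" };

    // Option 1 from the question: one claim per role. ClaimsIdentity defaults
    // its role claim type to ClaimTypes.Role, so IsInRole finds these directly.
    static ClaimsIdentity BuildIdentity(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        foreach (var role in roles)
        {
            claims.Add(new Claim(ClaimTypes.Role, role));
        }
        // An authentication type is required for IsAuthenticated to be true;
        // "Federation" is an illustrative label, not a value the page specifies.
        return new ClaimsIdentity(claims, "Federation");
    }

    // Option 2 from the question, for contrast: a single delimited claim that
    // the relying party has to split itself. Hypothetical helper, not WIF API.
    static IEnumerable<string> RolesFromDelimitedClaim(ClaimsPrincipal principal, string claimType)
    {
        var claim = principal.FindFirst(claimType);
        return claim == null
            ? Enumerable.Empty<string>()
            : claim.Value.Split(';').Select(r => r.Trim()).Where(r => r.Length > 0);
    }

    static void Main()
    {
        var principal = new ClaimsPrincipal(BuildIdentity("john", SampleRoles));

        // No parsing at the relying party: the framework reads the role claims.
        Console.WriteLine("Editor:   " + principal.IsInRole("Editor"));
        Console.WriteLine("Approver: " + principal.IsInRole("Approver"));
        Console.WriteLine("Admin:    " + principal.IsInRole("Admin"));

        // Enumerating the roles for display or logging is equally direct.
        var roles = principal.FindAll(ClaimTypes.Role).Select(c => c.Value);
        Console.WriteLine("Roles: " + string.Join(", ", roles));

        // Contrast: with a delimited claim every relying party re-implements the
        // split, and a delimiter or stray whitespace inside a role value breaks it.
        var delimited = new ClaimsIdentity(
            new[] { new Claim("urn:example:roles", "Editor; Approver") }, "Federation");
        var parsed = RolesFromDelimitedClaim(new ClaimsPrincipal(delimited), "urn:example:roles");
        Console.WriteLine("Parsed from delimited claim: " + string.Join(", ", parsed));
    }
}
```

Because `IsInRole` is what `[PrincipalPermission]`, `ClaimsAuthorizationManager` and the rest of the WIF pipeline consult, one claim per role keeps authorisation checks on the framework's own code path; the delimited form moves that logic into every relying party, which is where inconsistent parsing between applications tends to creep in.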
