Sunday, May 04, 2008

On Tokens, Claims, Tickets, SAML

There always seems to be a lot of confusion about tokens, tickets, and claims, which, combined with the very broad term "security" (authN, authZ, confidentiality, integrity, auditing, devices, data, etc.), makes every discussion about "security" a bit obscure.

A simple explanation of tokens and claims: a Security Token is a signed and encrypted set of Claims. A claim is just some right on a specific resource of a given resource type that the token holder claims to have. To accept this claim, you need to trust the token issuer. The typical example of a claim is the user's identity (the claim), which can e.g. be the domain login name (the resource) asserted by Windows (the issuer).

The terms Security Token and Claim are used in the WS-Trust standard. Kerberos uses the term ticket instead of token, i.e. the ticket proves the identity of the user. A SAML token is another type of security token.

Watch the Channel9 video where Vittorio Bertocci explains WS-Trust and the token encryption and signing mechanism in depth, using a claim set based on a driver's license resource. Note that only the video download seems to work.

In addition, read the post series by Sam Gentile about SAML, which expands into claims-based security and WS-Trust / WS-Federation.


Anonymous said...

Hi Kjell,
actually a claim is simply a statement made by an authority about a subject. It may represent a right on a resource, but it may also be a simple fact about the subject (e.g. age, name, address, group membership) which does not necessarily translate into a right on a resource.
Cheers :-)


Kjell-Sverre Jerijærvi said...

You're right, I just kept it simple by adhering to the System.IdentityModel Claim type, where even subject facts are treated as resource triplets (right, type urn, resource).
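As an added illustration of the token/claim model described in the post and of the (right, type, resource) triplet shape mentioned in the comment above, here is a small Python example. It is not code from the post, from WS-Trust, or from System.IdentityModel; the claim-type and issuer URNs are made-up stand-ins, and a shared-secret HMAC replaces the certificate-based signatures (and the encryption) that real WS-Trust and SAML tokens use. The point it shows is the trust decision: a relying party only takes claims from a token whose issuer it trusts and whose signature verifies, so a tampered claim set or an unknown issuer yields no claims at all.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# Hypothetical rights, modelled on the "right" part of the resource triplet.
RIGHT_IDENTITY = "urn:example:rights:identity"        # "this resource is who I am"
RIGHT_POSSESS = "urn:example:rights:possessproperty"  # "this fact is true of me"


@dataclass(frozen=True)
class Claim:
    """One claim as a (right, type, resource) triplet."""
    claim_type: str  # kind of statement, e.g. a name or an age (hypothetical URN)
    resource: str    # the value the statement is about
    right: str       # what the token holder asserts over that resource


# Trusted issuers and their keys (constructed; a real relying party would hold
# the issuer's certificate instead of a shared secret).
TRUSTED_ISSUERS: Dict[str, bytes] = {
    "urn:example:issuer:windows": secrets.token_bytes(32),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(issuer: str, claims: List[Claim], key: bytes) -> str:
    """Serialize the claim set and sign it with the issuer's key."""
    body = json.dumps(
        {"issuer": issuer, "claims": [asdict(c) for c in claims]},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, trusted: Dict[str, bytes]) -> List[Claim]:
    """Return the claims only if the issuer is trusted and the signature holds.

    Raises ValueError otherwise, so a caller can never use claims from an
    untrusted issuer or from a token whose claim set was altered.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        payload = json.loads(body)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(payload, dict):
        raise ValueError("malformed token")
    key = trusted.get(payload.get("issuer"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return [Claim(**c) for c in payload["claims"]]


def accepts(token: str, trusted: Dict[str, bytes]) -> bool:
    """Convenience wrapper: True if the token yields usable claims."""
    try:
        verify_token(token, trusted)
        return True
    except ValueError:
        return False


def identity_of(claims: List[Claim]) -> Optional[str]:
    """Pick out the identity claim, the 'typical example' from the post."""
    for c in claims:
        if c.right == RIGHT_IDENTITY:
            return c.resource
    return None


def tamper(token: str, new_identity: str) -> str:
    """Rewrite the identity claim in the body while keeping the old signature
    (a constructed forgery used to show that verification rejects it)."""
    body_b64, sig_b64 = token.split(".")
    payload = json.loads(_unb64(body_b64))
    for c in payload["claims"]:
        if c["right"] == RIGHT_IDENTITY:
            c["resource"] = new_identity
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + sig_b64


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["urn:example:issuer:windows"]
    claims = [Claim("urn:example:claimtype:name", r"CORP\alice", RIGHT_IDENTITY),
              Claim("urn:example:claimtype:age", "34", RIGHT_POSSESS)]
    tok = issue_token("urn:example:issuer:windows", claims, key)
    print("identity:", identity_of(verify_token(tok, TRUSTED_ISSUERS)))
    print("tampered accepted?", accepts(tamper(tok, r"CORP\admin"), TRUSTED_ISSUERS))
```

The age claim carries the "possess property" right rather than a right on a protected resource, which is how the comment's point (a claim may be a plain fact about the subject) fits into the same triplet shape.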