Tuesday, January 06, 2009

RIP: Claim.Right killed by SAML

In several of my WCF projects we've used System.IdentityModel claims to express the permissions of a user for authorization. A claim in that model is a triplet: a claim type (what kind of resource it is), the specific resource, and an associated right. For most claims the right is generic: Rights.PossessProperty says the subject possesses the property (a name, an e-mail address), and Rights.Identity marks the claim that identifies the caller. But the right can just as well be an ACL-style permission ("read", "approve") over a specific resource instance, which is what makes the triplet useful for authorization.

In the new Microsoft.IdentityModel provided by Geneva (prerelease), the Claim.Right property is gone. At the same time, Geneva "simplifies" the use of claims to fit the classic .NET principal/permission authorization model. To me this seems like a step back to Boolean role-based security: bool IsInRole(resource) / bool PermissionDemand(resource), which loses some of the benefits that a richer claims-based security model promised through more expressive claim sets. Without the 'right' aspect of a claim, it is hard to express resource instance claims using Geneva claim sets; the permission has to be smuggled into the claim type or the claim value instead.
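To make the difference concrete, here is an added example (not code from the original post) that checks "may this caller read invoice 42" against both claim models. On the WCF side it uses the real System.IdentityModel.Claims API (Claim(claimType, resource, right), DefaultClaimSet, ClaimSet.FindClaims). On the Geneva side it uses Microsoft.IdentityModel.Claims.Claim(claimType, value) and ClaimsIdentity as they appear in the prerelease and later WIF; that API shape is assumed here, as are the AcmeClaimTypes and AcmeRights identifiers and the "invoiceId|right" value encoding, all of which are hypothetical and not something either framework prescribes.

```csharp
using System;
using System.Linq;
using OldClaims = System.IdentityModel.Claims;     // WCF claims: (ClaimType, Resource, Right)
using NewClaims = Microsoft.IdentityModel.Claims;  // Geneva prerelease claims: (ClaimType, Value); API shape assumed

// Hypothetical claim type and rights used only for this example.
static class AcmeClaimTypes
{
    public const string InvoiceAccess = "urn:acme:claims:invoice-access";
}

static class AcmeRights
{
    public const string Read  = "urn:acme:rights:read";
    public const string Write = "urn:acme:rights:write";
}

static class AuthorizationDemo
{
    // WCF model: the right is a first-class part of the claim, so one claim type can carry
    // "Read over invoice 42" and "Write over invoice 17" without inventing a claim type per permission.
    public static bool CanAccessInvoiceWcf(OldClaims.ClaimSet claims, string invoiceId, string right)
    {
        return claims.FindClaims(AcmeClaimTypes.InvoiceAccess, right)
                     .Any(c => string.Equals(c.Resource as string, invoiceId, StringComparison.Ordinal));
    }

    // Geneva model: Claim has no Right, so resource instance and permission must be packed into the
    // value (hypothetical "invoiceId|right" encoding) and parsed back out at check time. The '|'
    // separator is assumed never to occur in an invoice id; a real deployment would pick something
    // with the same guarantee or use a structured value type.
    public static bool CanAccessInvoiceGeneva(NewClaims.IClaimsIdentity identity, string invoiceId, string right)
    {
        return identity.Claims
                       .Where(c => c.ClaimType == AcmeClaimTypes.InvoiceAccess)
                       .Select(c => c.Value.Split(new[] { '|' }, 2))
                       .Any(parts => parts.Length == 2
                                  && string.Equals(parts[0], invoiceId, StringComparison.Ordinal)
                                  && string.Equals(parts[1], right, StringComparison.Ordinal));
    }

    static void Main()
    {
        // Constructed sample claims for user "alice", who may read (but not write) invoice 42.
        var wcfClaims = new OldClaims.DefaultClaimSet(
            OldClaims.ClaimSet.System,
            new[]
            {
                new OldClaims.Claim(OldClaims.ClaimTypes.Name, "alice", OldClaims.Rights.PossessProperty),
                new OldClaims.Claim(AcmeClaimTypes.InvoiceAccess, "42", AcmeRights.Read),
            });

        var genevaIdentity = new NewClaims.ClaimsIdentity(new[]
        {
            new NewClaims.Claim(NewClaims.ClaimTypes.Name, "alice"),
            new NewClaims.Claim(AcmeClaimTypes.InvoiceAccess, "42|" + AcmeRights.Read),
        });

        Console.WriteLine("WCF    read 42:  " + CanAccessInvoiceWcf(wcfClaims, "42", AcmeRights.Read));
        Console.WriteLine("WCF    write 42: " + CanAccessInvoiceWcf(wcfClaims, "42", AcmeRights.Write));
        Console.WriteLine("Geneva read 42:  " + CanAccessInvoiceGeneva(genevaIdentity, "42", AcmeRights.Read));
        Console.WriteLine("Geneva read 43:  " + CanAccessInvoiceGeneva(genevaIdentity, "43", AcmeRights.Read));
    }
}
```

The point of the comparison is the second method: once the right is no longer a field on the claim, the authorization check has to know an encoding convention that the claim issuer also has to follow, and nothing in the claim model enforces it. That is the loss of expressiveness the post is complaining about.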

Alas, SAML attributes only support the "PossessProperty" right (WCF turns every SAML attribute statement into a claim with Right = Rights.PossessProperty), so I guess that Geneva supporting SAML 1.1 and 2.0 is what killed Claim.Right.
