Understanding Claims-Based Identity

Authentication is the process of confirming the identity of a user. Authentication validates that the user is who he or she claims to be. Claims-based identity is an approach to authentication.

Prior to claims-based identity, each application that needed to check the identity of the user had its own method for validating users and its own user account database. This approach was limiting because it was difficult to integrate multiple identity technologies to support users who access the Web application or service in different ways, such as from within the organization (Windows-based authentication), from a different organization (identity federation), and from the Internet (forms-based authentication).

With claims-based identity, the authentication provider or issuing authority (the Web service that validates the identity of the user) and the Web application or service being accessed by the user are separate entities. The authentication provider validates the identity of the user and issues information about the user (claims), such as name, email address, or group membership, in a digitally signed, secure token. These digitally signed, secure tokens are created by the security token service (STS) of the issuing authority. When a user presents a digitally signed, secure token with his or her request to a Web application, the Web application knows that the user is authenticated because the secure token comes from an issuing authority it trusts, and the signature shows that the token has not been altered since it was issued.

While authentication answers the question "Are you who you say you are?", authorization answers the question "Now that I know who you are, what are you allowed to do?"

When the Web application or Web service receives a request accompanied with the secure token containing the claims about the authenticated user and his or her roles and permissions, the claims-aware Web application or service makes identity-related decisions, such as providing access to features, services, or data, based on the claims received about the user.
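The two halves of the flow described above, the STS issuing a signed token of claims and the relying application validating the issuer and signature before authorizing on the claims, as an added illustration (not Commerce Server or SharePoint code). The issuer names, the shared HMAC key and the sample claims are constructed for the example; a real STS would use an X.509 signature and a standard token format.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store: the relying party accepts only issuers whose key it holds.
TRUSTED_ISSUER_KEYS = {"https://sts.contoso.example": b"constructed-shared-secret"}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer: str, key: bytes, claims: dict, lifetime: int = 300, now=None) -> str:
    """STS side: serialize the claims about the user and sign them with the issuer's key."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(signature)

def validate_token(token: str, now=None):
    """Relying party side: return the claims only if the issuer is trusted, the
    signature is intact and the token has not expired; otherwise return None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = unb64(payload_b64)
        body = json.loads(payload)
        presented = unb64(sig_b64)
    except ValueError:              # malformed token (bad split, base64 or JSON)
        return None
    if not isinstance(body, dict):
        return None
    key = TRUSTED_ISSUER_KEYS.get(body.get("iss"))
    if key is None:
        return None                 # issuer is not in the trust store
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None                 # forged or tampered token
    if body.get("exp", 0) < now:
        return None                 # expired token
    return body.get("claims")

def authorize(claims, required_role: str) -> bool:
    """Authorization: the application decides from the claims it received,
    without re-authenticating the user itself."""
    return claims is not None and required_role in claims.get("roles", [])
```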

Implementing claims-based identity requires an understanding of how users are recognized and how identity flows in Microsoft Commerce Server 2009 R2. It is also important to know how the Microsoft SharePoint 2010 STS uses the Commerce Membership Provider to authenticate users and the Commerce Claims Provider to assign authorization rights in a SharePoint 2010 deployment. In your application, apply authorization to every operation for which you want to restrict the actions of the caller. When you are ready to securely deploy your e-commerce solution, follow the steps for a secure deployment to configure authentication. See Deployment for guidance on how to deploy a Commerce Server 2009 R2 solution.

For more information about the general concepts of claims-based security, see A Guide to Claims-Based Identity and Access (https://go.microsoft.com/fwlink/?LinkId=212554).

In This Section