Claims-aware applications

Applies To: Windows Server 2003 R2

Claims are statements (for example, name, identity, key, group, privilege, or capability) made about a user that both partners in an Active Directory Federation Services (ADFS) federation understand and that an application uses to make authorization decisions. A claims-aware application is a Microsoft ASP.NET application written with the ADFS library. Such an application can use ADFS claims directly to make authorization decisions: it accepts the claims that the Federation Service sends in ADFS security tokens and relies on the Federation Service, not on the user, for their content. Its authorization decisions are therefore only as trustworthy as the token validation performed by the ADFS components described below. For more information about how the Federation Service uses security tokens and claims, see Federation Service.

Claim mapping is the process by which inbound claims become outbound claims: each inbound claim is mapped to another claim, removed or filtered, or passed through unchanged. No claim mapping takes place when claims are sent to an application. Instead, the Federation Service sends the application only those organization claims that the Federation Service administrator has designated for it. (Organization claims are claims in the intermediate, normalized form used within an organization's own namespace.)

By default, organization claims that are marked as auditable are not sent to the application, and all nonauditable organization claims are sent. The Federation Service administrator therefore opts in to release specific auditable claims to the application and opts out to withhold specific nonauditable ones. From the application's side, the set of claims it receives is the administrator's release policy for that application: a claim that is absent was either never issued or deliberately withheld, and the application should treat its absence as "not authorized" rather than try to reconstruct it from other data.

The following list describes the organization claims that can be used by claims-aware applications:

  • Identity claims (UPN/e-mail/common name)

    When you configure the application, you specify which of these identity claims will be sent to the application. No mapping or filtering is performed.

  • Group claims

    When you configure the application, you specify the organization group claims that will be sent to the application. Organization group claims that are not designated to be sent to the application will be discarded.

  • Custom claims

    When you configure the application, you specify the organization custom claims that will be sent to the application. Organization custom claims that are not designated to be sent to the application will be discarded.
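The following ASP.NET code-behind page is an added example, not code from the original page or from the ADFS product itself. It shows an application consuming each of the three claim kinds above: the UPN identity claim as the account key, a group claim as a deny-by-default access check, and a custom claim parsed with fail-closed handling. It assumes the ADFS 1.x library (System.Web.Security.SingleSignOn) exposes a SingleSignOnIdentity whose SecurityPropertyCollection holds SecurityProperty objects with Name, Uri and Value members, as in the ADFS SDK sample application; verify those names against the installed assembly. The claim type URIs, the "Purchasers" group, the "PurchaseLimit" custom claim, the fact that custom claims are keyed by Name, and the litUser and litLimit Literal controls are all assumptions.

```csharp
// Added example (not from the original page). Class and member names of the ADFS 1.x
// library are as recalled from the SDK sample; verify against the installed assembly.
// Claim URIs, the group name, the custom claim name and the controls are assumed.
using System;
using System.Globalization;
using System.Web;
using System.Web.UI;
using System.Web.Security.SingleSignOn;
using System.Web.Security.SingleSignOn.Authorization;

public partial class Orders : Page
{
    // Claim type URIs for the UPN identity claim and for group claims (assumed).
    private const string UpnClaimUri   = "http://schemas.xmlsoap.org/claims/UPN";
    private const string GroupClaimUri = "http://schemas.xmlsoap.org/claims/Group";

    // Organization claims this application was configured to receive (assumed names).
    private const string RequiredGroup     = "Purchasers";
    private const string PurchaseLimitName = "PurchaseLimit";

    protected void Page_Load(object sender, EventArgs e)
    {
        // The ADFS HTTP module has already validated the token or cookie and set
        // User.Identity. Any other identity means the request bypassed the module.
        SingleSignOnIdentity identity = User.Identity as SingleSignOnIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            Deny(401);
            return;
        }

        // Deny by default. A group claim the administrator did not designate for this
        // application was discarded before the token was issued, so absence means
        // "not authorized", not "lost in transit".
        if (!HasClaim(identity, GroupClaimUri, RequiredGroup))
        {
            Deny(403);
            return;
        }

        // Identity claim: the UPN asserted by the Federation Service is the account key.
        // Never substitute a user-supplied query-string or form value here.
        string upn = FirstClaimValue(identity, UpnClaimUri);
        if (upn == null)
        {
            Deny(403);
            return;
        }

        // Custom claim: parse strictly and fail closed (limit 0) if missing or malformed.
        decimal limit;
        string rawLimit = FirstCustomClaimValue(identity, PurchaseLimitName);
        if (rawLimit == null ||
            !decimal.TryParse(rawLimit, NumberStyles.Number, CultureInfo.InvariantCulture, out limit) ||
            limit < 0m)
        {
            limit = 0m;
        }

        // Claim values come from another organization: output-encode before rendering.
        litUser.Text  = HttpUtility.HtmlEncode(upn);
        litLimit.Text = limit.ToString("N2", CultureInfo.InvariantCulture);
    }

    // True if a claim with exactly this type URI and value is present (ordinal match,
    // so "purchasers" does not satisfy a check for "Purchasers").
    private static bool HasClaim(SingleSignOnIdentity identity, string claimUri, string value)
    {
        foreach (SecurityProperty claim in identity.SecurityPropertyCollection)
        {
            if (string.Equals(claim.Uri, claimUri, StringComparison.Ordinal) &&
                string.Equals(claim.Value, value, StringComparison.Ordinal))
            {
                return true;
            }
        }
        return false;
    }

    // First value of a claim with the given type URI, or null if none was sent.
    private static string FirstClaimValue(SingleSignOnIdentity identity, string claimUri)
    {
        foreach (SecurityProperty claim in identity.SecurityPropertyCollection)
        {
            if (string.Equals(claim.Uri, claimUri, StringComparison.Ordinal))
            {
                return claim.Value;
            }
        }
        return null;
    }

    // Custom claims are matched on the name the administrator gave them (assumed).
    private static string FirstCustomClaimValue(SingleSignOnIdentity identity, string claimName)
    {
        foreach (SecurityProperty claim in identity.SecurityPropertyCollection)
        {
            if (string.Equals(claim.Name, claimName, StringComparison.Ordinal))
            {
                return claim.Value;
            }
        }
        return null;
    }

    private void Deny(int statusCode)
    {
        Response.StatusCode = statusCode;
        Response.End();
    }
}
```

The page never grants access on the basis of a missing or unparsable claim, and every branch that does not find what it needs ends in a 401 or 403. Because the administrator controls which group and custom claims reach the application, a check written this way cannot be satisfied by a claim the Federation Service was never configured to send.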

Claims-aware authorization

Claims-aware authorization consists of a Hypertext Transfer Protocol (HTTP) module and a set of objects for querying the claims that are carried in the ADFS security token. It is supported only for Microsoft ASP.NET applications.

The HTTP module processes ADFS protocol messages according to the settings in the Web application's Web.config file, which identify the Federation Service whose tokens the application accepts and the URL to which tokens are returned. The module validates the security token, writes the authentication cookie, authenticates that cookie on later requests, and extracts the claims from it. The Web pages then use those claims, through the query objects, to make their authorization decisions.
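The following Web.config is an added example, not a file from the original page or from the ADFS product. It shows how the HTTP module is registered and which settings in the websso section carry the security-relevant decisions: which Federation Service is trusted, where tokens are returned, and how the authentication cookie is scoped. Section, element and type names follow the ADFS 1.x sample application as recalled and should be verified against the installed library; the host names, paths, audit level, cookie lifetime and its unit (assumed minutes) are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original page). Element and type names as recalled
     from the ADFS 1.x sample application; verify against the installed library.
     Host names, paths, audit level and cookie lifetime are assumed values. -->
<configuration>
  <configSections>
    <sectionGroup name="system.web">
      <section name="websso"
               type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </sectionGroup>
  </configSections>
  <system.web>
    <!-- ASP.NET's own authentication is off: the ADFS module alone sets User.Identity. -->
    <authentication mode="None" />
    <!-- No ASP.NET session; the ADFS authentication cookie carries the claims. -->
    <sessionState mode="Off" />
    <httpModules>
      <!-- The HTTP module that processes ADFS protocol messages, validates tokens,
           and writes and authenticates the authentication cookie. -->
      <add name="Identity Federation Services Application Authentication Module"
           type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </httpModules>
    <websso>
      <!-- Unauthenticated requests are redirected to the Federation Service, never served. -->
      <authenticationrequired />
      <!-- Audit level as used in the ADFS sample (assumed value). -->
      <auditlevel>55</auditlevel>
      <urls>
        <!-- Must match the application URL registered with the Federation Service
             and must be HTTPS, or tokens can be returned over a clear channel. -->
        <returnurl>https://app.example.test/claimapp/</returnurl>
      </urls>
      <cookies writecookies="true">
        <!-- Scope the cookie to this application only and keep its lifetime short. -->
        <path>/claimapp</path>
        <lifetime>60</lifetime>
      </cookies>
      <!-- The single Federation Service whose tokens this application accepts.
           Changing this value changes who can assert claims to the application. -->
      <fs>https://fs.example.test/adfs/fs/federationserverservice.asmx</fs>
    </websso>
  </system.web>
</configuration>
```

Treat the fs and returnurl values as part of the application's trust boundary: an attacker who can edit Web.config can point the application at a Federation Service they control and mint any claim they like, so protect the file with the same access controls as the application's private keys.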