Enterprise claims management with ADFS

  • Tuesday, April 03, 2012 9:03 PM

    I'm sold on WIF/ADFS.  My plan is to transform our AD groups (basically domain user types) to sets of claims.  So for each AD group we will have 20-30 fine-grain claims that control app features (deletecustomer, confirmorder, shipproduct, etc).  The apps only use the claims and are completely abstracted from the AD groups.

    First question, is this claim design valid?

    If so, what is the best way to manage all these claims and transforming AD groups?  Some have suggested using a SQL attribute store.

    Thanks!

All Replies

  • Wednesday, April 04, 2012 9:13 PM

    Can you expand on “for each AD group we will have 20-30 fine-grain claims”?

    Normally for each AD group e.g. CanDelete you would map a rule “Send Group Membership as a Claim”.

    This would map the group to an “Outgoing Claim Type” of “Role” with a value of “CanDelete”.

    The RP would then receive an .. identity/claims/role claim with a value of “CanDelete” which it would then use as appropriate for authorisation or whatever.

  • Wednesday, April 04, 2012 9:39 PM

    Remember that when group membership is transformed to claims it's a flat list - it doesn't take into account parent groups, only what the user is directly a member of.

    Also, roles should tend not to follow the CanDelete/CanWrite/CanFoo/etc convention. They are a pain to manage, and at that point they aren't roles, but permissions.

    You could certainly keep the convention though, except using a different claim type, e.g. https://schema.yourorg.com/identity/claims/permission or whatever fits your naming standards.

    If you do stick to roles, consider them like business roles - Shipper/OrderProcessor/Auditor/Sales/CustomerSupport/etc.

    How you manage the rules is kind of dependent on how many RPs and users you would be managing. It might be easier to manage everything within ADFS if it's less than a dozen (or other arbitrary number) apps or users. If you went the SQL route you would have to create some way to manage the data in it, so that requires the usual data entry screens or scripts. But then you also don't have to keep writing transforms in ADFS.


    Developer Security MVP | www.syfuhs.net
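
As an added example (not code posted in this thread), the two approaches discussed above, written in the ADFS claim rule language and applied with the ADFS PowerShell cmdlets: an AD group mapped to a business role, that role expanded into fine-grained permission claims under a custom claim type, and the alternative of reading permissions from a SQL attribute store. The relying party name, the group SID, the claim type URI, the connection string and the table and column names are placeholders/assumptions.

```powershell
# Added example, not from the thread. Issuance transform rules in the ADFS claim
# rule language for one relying party, applied with the ADFS PowerShell module.
# Assumptions/placeholders: RP name, group SID, permission claim type URI,
# SQL connection string, and the UserPermissions table / Permission, Upn columns.
Import-Module ADFS

$rpName   = "Order App"
$groupSid = "S-1-5-21-PLACEHOLDER-1105"   # objectSid of the AD group "Shippers"
$permType = "https://schema.yourorg.com/identity/claims/permission"

$rules = @"
@RuleName = "AD group Shippers -> business role Shipper"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Shipper", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Role Shipper -> permission shipproduct (managed in ADFS)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "Shipper"]
 => issue(Type = "$permType", Value = "shipproduct");

@RuleName = "Role Shipper -> permission confirmorder (managed in ADFS)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "Shipper"]
 => issue(Type = "$permType", Value = "confirmorder");

@RuleName = "Permissions from a SQL attribute store (alternative to the two rules above)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "PermissionStore", types = ("$permType"), query = "SELECT Permission FROM UserPermissions WHERE Upn = {0}", param = c.Value);
"@

# Register the SQL attribute store once (assumed cmdlet usage; connection string is a placeholder).
Add-AdfsAttributeStore -Name "PermissionStore" -StoreType SQL `
    -Configuration @{ "ConnectionString" = "Server=sql01;Database=Permissions;Integrated Security=True" }

# Replace the relying party's issuance transform rules with the set above.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
```

The role claim issued by the first rule is visible to the later rules because issue() adds to both the input and output claim sets; with the SQL rule in place, every permission row returned for the user becomes one claim in the token, which is where the token-size concern raised below comes from.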


  • Thursday, April 05, 2012 11:30 AM

    This sounds like a compelling idea...if

    - AD groups always map to the same capabilities in your applications

    - all these capabilities for all your apps are stored centrally

    - your dev/admin communication is working very, very well (meaning admins are always willing to do AD and ADFS changes based on (changing) application requirements)

    To me it sounds like that this could become very messy quickly.

    The other issue is that this amount of claims will produce a massive session token (maybe even too big for a cookie). So you also need a caching mechanism in your applications.



    Dominick Baier | thinktecture | http://www.leastprivilege.com