Tags: security, wif, claims-based-identity

Appropriate usage of tokens in a claims based security model?


I'm new to claims based security. I understand the premise but have some questions regarding the token.

From what I understand, the token will carry all of the claims for a given user, and that different systems will use different claims to determine authorization to a system. On this point I have several questions:

1) Does this mean that the STS is aware of all claims for all systems? Does this not mean the token could become gargantuan in size? Or does the token only carry the claims as needed by the relying party requesting the authentication?

2) Should claims be leveraged to determine fine grained access to a system, or are relying parties expected to maintain a separate means of tracking permissions?

I have a system with hundreds of different user permissions. In trying to move to a claims based solution, the missing piece for me is: are all of the permissions meant to be managed by the STS and provided in the token? Or do I use the token to authenticate the user, then manage permissions myself? Or perhaps something in between?

Help and guidance would be appreciated!

Kind regards, TheMistry


Solution

1) Using ADFS, each RP is configured separately with a group of claims. So a user will only get the claims for that RP.

2) / 3) This is a grey area. You could move all the permissions into claims. ADFS allows claims from AD / LDAP / SQL Server. ADFS also allows you to map AD attributes to roles. What I normally do is pass all the role based stuff as claims so the RP can have code like "IsInRole()" but leave the rest for the RP to take care of.
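An added example (not part of the question or the answer) of the "in between" approach the answer describes, written for the relying party with .NET's System.Security.Claims types (the successor to the WIF Microsoft.IdentityModel classes): the token supplies name and role claims, IsInRole() answers the coarse-grained check from the token alone, and the RP keeps its own role-to-permission table for the fine-grained checks. The user, role names and permission names are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Relying-party side of the "in between" approach: the STS (ADFS) issues identity and
// role claims; the RP maps roles to fine-grained permissions itself, off the token.
public static class RpAuthorization
{
    // RP-maintained role -> permission map (constructed sample data the STS never sees).
    private static readonly Dictionary<string, HashSet<string>> RolePermissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "OrderClerk", new HashSet<string> { "orders.read", "orders.create" } },
            { "OrderManager", new HashSet<string> { "orders.read", "orders.create", "orders.approve" } },
        };

    // Builds the ClaimsPrincipal the way the WIF/ASP.NET pipeline would after validating a
    // token; only the claims ADFS was configured to issue for this RP are present.
    public static ClaimsPrincipal PrincipalFromTokenClaims(IEnumerable<Claim> tokenClaims)
    {
        // nameType/roleType tell ClaimsIdentity which claim types back Name and IsInRole();
        // they must match the claim types the STS actually issues.
        var identity = new ClaimsIdentity(tokenClaims, "Federation", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    // Coarse-grained check, answered entirely from the token's role claims.
    public static bool IsInRole(ClaimsPrincipal principal, string role) => principal.IsInRole(role);

    // Fine-grained check: roles come from the token, the permission lookup stays in the RP.
    public static bool HasPermission(ClaimsPrincipal principal, string permission)
    {
        return principal.FindAll(ClaimTypes.Role)
            .Select(c => c.Value)
            .Any(role => RolePermissions.TryGetValue(role, out var perms) && perms.Contains(permission));
    }

    public static void Main()
    {
        // Constructed sample token claims; a real RP receives these from the validated token.
        var alice = PrincipalFromTokenClaims(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "OrderClerk"),
        });
        Console.WriteLine($"IsInRole(OrderClerk): {IsInRole(alice, "OrderClerk")}");
        Console.WriteLine($"orders.create: {HasPermission(alice, "orders.create")}, orders.approve: {HasPermission(alice, "orders.approve")}");
    }
}
```

Because the permission table lives in the RP, adding or revoking a permission is a local change and does not require touching the ADFS claim rules or growing the token.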