<claimsAuthorizationManager>

.NET Framework 4.5

Registers a claims authorization manager for the incoming claims.

<system.identityModel>
  <identityConfiguration>
    <claimsAuthorizationManager type = xs:string>
      <optionalConfigurationElements />
    </claimsAuthorizationManager>
  </identityConfiguration>
</system.identityModel>

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute | Description
type | A custom type that derives from the ClaimsAuthorizationManager class. For more information about how to specify the type attribute, see Custom Type References.

Child Elements

If there is no type attribute, or if the type attribute references the ClaimsAuthorizationManager class, the <claimsAuthorizationManager> element does not take child elements; however, classes derived from ClaimsAuthorizationManager can define child configuration elements.

Parent Elements

Element | Description
<identityConfiguration> | Specifies service-level identity settings.

The default behavior provided through the ClaimsAuthorizationManager class always authorizes the incoming claims. If no type attribute is specified or if the type attribute specifies the ClaimsAuthorizationManager class, the <claimsAuthorizationManager> element does not take child elements. You can specify the type attribute to register a type derived from the ClaimsAuthorizationManager class to implement custom behavior. Derived classes can support configuration through child elements of the <claimsAuthorizationManager> element by overriding the LoadCustomConfiguration method to handle these elements. The schema defined for the child elements is up to the designer of the class.

Important

When using the ClaimsPrincipalPermission or the ClaimsPrincipalPermissionAttribute class to provide claims-based access control in your code, the identity configuration that is referenced by the <federationConfiguration> element configures the claims authorization manager and policy that is used to make authorization decisions. This is true, even in scenarios that are not passive Web scenarios, for example Windows Communication Foundation (WCF) applications or an application that is not Web-based. If the application is not a passive Web application, the <claimsAuthorizationManager> element (and its child policy elements, if present) of the referenced identity configuration are the only settings applied. All other settings are ignored. For more information, see the <federationConfiguration> element.

This element sets the IdentityConfiguration.ClaimsAuthorizationManager property.

The following XML shows the configuration for a claims authorization manager that implements a policy composed of resource-action pairs, each of which specifies Boolean combinations of the claims that a requestor must possess to perform the action on the resource. The code that implements the claims authorization manager capable of using this policy can be found in the ClaimsBasedAuthorization sample.

<system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">
        <policy resource="http://localhost:28491/Developers.aspx" action="GET">
          <or>
            <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />
            <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
          </or>
        </policy>
        <policy resource="http://localhost:28491/Administrators.aspx" action="GET">
          <and>
            <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />
            <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />
          </and>
        </policy>
        <policy resource="http://localhost:28491/Default.aspx" action="GET">
        </policy>
        <policy resource="http://localhost:28491/" action="GET">
        </policy>
        <policy resource="http://localhost:28491/Claims.aspx" action="GET">
        </policy>
      </claimsAuthorizationManager>
    </identityConfiguration>
</system.identityModel>
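
As an added example (not code from this page or from the ClaimsBasedAuthorization sample), the following C# class shows one way a derived manager could read the <policy> child elements above in LoadCustomConfiguration and evaluate them in CheckAccess, denying any resource-action pair that has no policy entry instead of inheriting the always-authorize default. The class name DenyByDefaultAuthorizationManager and the case-insensitive resource match are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Xml;

// Added example (hypothetical class name); parses the <policy>/<and>/<or>/<claim> schema shown on this page.
public class DenyByDefaultAuthorizationManager : ClaimsAuthorizationManager
{
    // "resource|action" -> predicate over the caller's claims.
    // Assumption: resources are matched case-insensitively (IIS-style URLs).
    private readonly Dictionary<string, Func<ClaimsPrincipal, bool>> _policies =
        new Dictionary<string, Func<ClaimsPrincipal, bool>>(StringComparer.OrdinalIgnoreCase);

    // Called with the child nodes of <claimsAuthorizationManager>.
    public override void LoadCustomConfiguration(XmlNodeList nodelist)
    {
        foreach (XmlElement policy in nodelist.OfType<XmlElement>())
        {
            // Reject unknown elements so a typo cannot silently drop a rule.
            if (policy.LocalName != "policy")
                throw new InvalidOperationException("Unexpected element: " + policy.Name);
            string key = policy.GetAttribute("resource") + "|" + policy.GetAttribute("action");
            XmlElement rule = policy.ChildNodes.OfType<XmlElement>().FirstOrDefault();
            // An empty <policy> requires no claims, as in the configuration above.
            _policies[key] = rule == null ? (p => true) : Compile(rule);
        }
    }

    // Turns an <and>, <or> or <claim> element into a predicate, recursively.
    private static Func<ClaimsPrincipal, bool> Compile(XmlElement node)
    {
        var children = node.ChildNodes.OfType<XmlElement>().Select(Compile).ToList();
        switch (node.LocalName)
        {
            case "claim":
                string type = node.GetAttribute("claimType"), value = node.GetAttribute("claimValue");
                return p => p.HasClaim(type, value);
            case "and": return p => children.All(c => c(p));
            case "or":  return p => children.Any(c => c(p));
            default:    throw new InvalidOperationException("Unexpected element: " + node.Name);
        }
    }

    public override bool CheckAccess(AuthorizationContext context)
    {
        string key = context.Resource.First().Value + "|" + context.Action.First().Value;
        Func<ClaimsPrincipal, bool> rule;
        // No matching policy means deny; the base class would return true here.
        return _policies.TryGetValue(key, out rule) && rule(context.Principal);
    }
}
```

To use it, set the type attribute of the <claimsAuthorizationManager> element to this class's assembly-qualified name in place of the sample's type.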
© 2014 Microsoft. All rights reserved.