This documentation is archived and is not being maintained.

Basic Scenario

Windows Identity Foundation
[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

The following is an example of a claims-based system.

Relying Partner Authentication Flow

The previous diagram shows a claims-aware Web service (the relying party application) and a smart client that wants to use that service. The RP exposes a policy that describes its addresses, bindings, and contracts. But the policy also includes a list of claims that the RP needs, such as user name, e-mail address, and role memberships. The policy also tells the smart client the address of the STS from which it should retrieve these claims. After retrieving this policy (1), the client now knows where to go to authenticate: the STS. The user presents credentials (2) and the smart client makes a web service request (3) to the STS, requesting the claims that the RP asked for in its policy. The job of the STS is to authenticate the user and return a security token that gives the RP all of the claims it needs. The smart client then makes its request to the relying party (4), sending the security token along in the security SOAP header. The RP now receives claims with each request, and simply rejects any requests that don’t include a security token from the issuing authority that it trusts.