Foreword by Kim Cameron

Download code samples Download PDF Download Paperback

Claims-based identity seeks to control the digital experience and allocate digital resources based on claims made by one party about another. A party can be a person, organization, government, website, web service, or even a device. The very simplest example of a claim is something that a party says about itself.

As the authors of this book point out, there is nothing new about the use of claims. As far back as the early days of mainframe computing, the operating system asked users for passwords and then passed each new application a "claim" about who was using it. But this world was based to some extent on wishful thinking because applications didn't question what they were told.

As systems became interconnected and more complicated, we needed ways to identify parties across multiple computers. One way to do this was for the parties that used applications on one computer to authenticate to the applications (and/or operating systems) that ran on the other computers. This mechanism is still widely used—for example, when logging on to a great number of Web sites.

However, this approach becomes unmanageable when you have many co-operating systems (as is the case, for example, in the enterprise). Therefore, specialized services were invented that would register and authenticate users, and subsequently provide claims about them to interested applications. Some well-known examples are NTLM, Kerberos, Public Key Infrastructure (PKI), and the Security Assertion Markup Language (SAML).

If systems that use claims have been around for so long, how can claims-based computing be new or important? The answer is a variant of the old adage, "All tables have legs, but not all legs have tables." The claims-based model embraces and subsumes the capabilities of all the systems that have existed to date, but it also allows many new things to be accomplished. This book gives a great sense of the resultant opportunities.

For one thing, identity no longer depends on the use of unique identifiers. NTLM, Kerberos, and public key certificates conveyed, above all else, an identification number or name. This unique number could be used as a directory key to look up other attributes and to track activities. But once we start thinking in terms of claims-based computing, identifiers were not mandatory. We don't need to say that a person is associated with the number X, and then look in a database to see if number X is married. We just say the person is married. An identifier is reduced to one potential claim (a thing said by some party) among many.

This opens up the possibility of many more directly usable and substantive claims, such as a family name, a person's citizenship, the right to do something, or the fact that someone is in a certain age group or is a great customer. One can make this kind of claim without revealing a party's unique identity. This has immense implications for privacy, which becomes an increasingly important concern as digital identity is applied to our personal lives.

Further, while the earlier systems were all hermetic worlds, we can now look at them as examples of the same thing and transform a claim made in one world to a claim made in another. We can use "claims transformers" to convert claims from one system to another, to interpret meanings, apply policies, and to provide elasticity. This is what makes claims essential for connecting our organizations and enterprises into a cloud. Because they are standardized, we can use them across platforms and look at the distributed fabric as a real circuit board on which we can assemble our services and components.

Claims offer a single conceptual model, programming interface, and end-user paradigm, whereas before claims we had a cacophony of disjoint approaches. In my experience, the people who use these new approaches to build products universally agree that they solve many pressing problems that were impossibly difficult before. Yet these people also offer a word of advice. Though embracing what has existed, the claims-based paradigm is fundamentally a new one; the biggest challenge is to understand this and take advantage of it.

That's why this book is so useful. It deals with the fundamental issues, but it is practical and concise. The time spent reading it will be repaid many times over as you become an expert in one of the transformative technologies of our time.

Kim Cameron

Distinguished Engineer – Microsoft Identity Division