We are implementing a Secure Token Service (STS) which uses Windows Identity Foundation to provide Claims based authentication and authorisation.

My question is really about best practices and how we should handle multiple roles for a given identity.

When creating claims for a user after they have successfully logged in, we need to be able to add the roles that the user is a member of to the claims before returning to the Relying Party.

The Claim object does not accept a collection of strings so I'm wondering how this should be done. I can think of two ways:

  1. I can add multiple Claims of type ClaimTypes.Role with different values and these can be read on the other side (I have tested and this seems to work without any errors)
  2. I could also put the roles into a single claim and delimit them by ; or something like that.

My question is really about which of the above is better, or am I missing something better? Neither solution is perfect as it will require parsing on the other side.

Thanks, John


1 Answer

Accepted answer (score 2)

If you use ADFS as the STS, it inserts multiple roles into the claim

e.g.

  • ...claims/role Editor
  • ...claims/role Approver

etc.

The advantage of this is that WIF can then use the standard IsInRole constructs etc.

Thanks. We are using our own form of Authentication but if this is the way ADFS handles it then we can do the same. – John Mc 13 hours ago
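The pattern the answer describes, as an added example rather than code from the question, the answer or ADFS: the STS emits one `ClaimTypes.Role` claim per role, the relying party checks membership with the standard `IsInRole`, and the delimited single-claim alternative is shown alongside to make the parsing cost visible. It assumes the `System.Security.Claims` types of .NET 4.5 (where WIF was folded into the framework); the earlier `Microsoft.IdentityModel.Claims` namespace has equivalent members.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class RoleClaimsDemo
{
    // STS side (option 1): one ClaimTypes.Role claim per role, as ADFS does.
    public static ClaimsIdentity BuildIdentity(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, userName) };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        // The last argument is the RoleClaimType that IsInRole consults.
        // ClaimTypes.Role is the default; it is spelled out to make the link explicit.
        return new ClaimsIdentity(claims, "CustomSts", ClaimTypes.Name, ClaimTypes.Role);
    }

    // Relying-party side: no parsing, the framework check does the work.
    public static bool CanApprove(ClaimsPrincipal principal)
    {
        return principal.IsInRole("Approver");
    }

    // Option 2 from the question: a single claim with ';'-separated roles.
    // IsInRole compares the whole claim value, so IsInRole("Editor") does not
    // match "Editor;Approver" and the relying party has to split the value itself.
    public static ClaimsIdentity BuildDelimitedIdentity(string userName, IEnumerable<string> roles)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.Role, string.Join(";", roles))
        };
        return new ClaimsIdentity(claims, "CustomSts", ClaimTypes.Name, ClaimTypes.Role);
    }

    public static void Main()
    {
        var roles = new[] { "Editor", "Approver" };   // constructed sample data

        var perRole = new ClaimsPrincipal(BuildIdentity("john", roles));
        Console.WriteLine("IsInRole(Editor), one claim per role: " + perRole.IsInRole("Editor"));
        Console.WriteLine("CanApprove, one claim per role:       " + CanApprove(perRole));

        var delimited = new ClaimsPrincipal(BuildDelimitedIdentity("john", roles));
        Console.WriteLine("IsInRole(Editor), delimited claim:    " + delimited.IsInRole("Editor"));
        var parsed = delimited.FindFirst(ClaimTypes.Role).Value.Split(';');
        Console.WriteLine("Contains(Approver) after parsing:     " + parsed.Contains("Approver"));
    }
}
```

Because `IsInRole` resolves through the identity's `RoleClaimType`, a custom STS that issues roles under its own claim type must pass that type to the `ClaimsIdentity` constructor (or configure it on the relying party), otherwise the standard check silently returns false.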
