Fun with Claims Games
Andy has a claims quandary – check out his blog post to see it: http://xditao.blogspot.com/2009/01/claim-game.html.
To paraphrase, the question is how a library could model a set of roles that a user might possess, and ask whether the user holds those roles, without inconveniencing the user by forcing them through multiple card transactions.
Here is my proposed solution, and I just made this up so feel free to call me an idiot if deserved:
- Create a set of “role” claim names:
- Create a set of “action” claim names:
- In your RP trigger object, ask for actions as required claims, and specific roles as optional claims, for example:
  - Required: has_library_role
  - Optional: system_admin
- The Identity Provider evaluates the actions against each of the specified role claims, and returns the applicable roles as the values for each action.
- In the example above, the value returned for has_library_role could contain the string “system_admin”, communicating that the user does indeed possess that role.
- A more complicated action might be “has_all_roles” where three role claims are optionally specified, and the return value of the action claim is TRUE only if the user possesses all three of the specified role claims.
Here’s what I like about this scheme:
- The RP can always expect a definitive answer for the action claim.
- Minimal data is transmitted.
- Only the action claims would determine card selection at the beginning of the transaction.
- The IdP can control the context of what is returned.
  - It could evaluate the requested roles to be sure the RP has the right to ask.
  - It could return something as simple as a role list, or something as complex as an XACML statement.
- Role claims can grow and change while action claims remain static. This matters for managed cards: IIRC, adding to the required claims a card offers would force users to download a new version of the managed card template, which is not something you want to happen often.
- Action claims can represent very complex and specific logic if need be.
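To make the proposal above concrete, here is a small worked example of the IdP-side evaluation (the scheme in the proposal list) together with the two properties from the list just above that are easiest to show in code: card selection depends only on the required action claims, and the IdP checks whether the RP is entitled to ask about each role before answering. This is added example code, not something from Andy's post, from this post, or from any CardSpace implementation; the claim URIs, the user/role table, the RP allow-list and the `evaluate_claims` / `card_matches` functions are all assumed for illustration.

```python
"""Added example of the action/role claims scheme described above.

An Identity Provider (IdP) evaluates "action" claims (always required)
against "role" claims (requested as optional) and returns a definitive
value for every action claim it was asked for.
"""

from dataclasses import dataclass

# Hypothetical claim name prefixes (assumed for this example, not from the post).
ROLE_NS = "http://example.test/claims/role/"
ACTION_NS = "http://example.test/claims/action/"

# Constructed user directory at the IdP: which roles each user holds.
USER_ROLES = {
    "alice": {"patron", "system_admin"},
    "bob": {"patron"},
}

# Constructed IdP policy: which roles each relying party (RP) may ask about.
# Roles outside an RP's allow-list are never disclosed to that RP.
RP_ALLOWED_ROLES = {
    "https://library.example.test/": {"patron", "librarian", "system_admin"},
    "https://untrusted.example.test/": {"patron"},
}


@dataclass
class ClaimRequest:
    """What the RP trigger object asks for."""
    rp: str
    required: list  # action claim names; these alone drive card selection
    optional: list  # role claim names the actions are evaluated against


def _local(name, ns):
    """Strip the namespace prefix from a claim name if it is present."""
    return name[len(ns):] if name.startswith(ns) else name


def card_matches(card_offered_claims, req):
    """Card selection: a card qualifies when it offers every required claim.

    Optional (role) claims are deliberately ignored, so adding or removing
    roles later never changes which managed cards are selectable.
    """
    return all(action in card_offered_claims for action in req.required)


def evaluate_claims(user, req):
    """Return {action_claim: value} with a definitive value for each action.

    has_library_role -> comma-separated list of the requested roles the user
                        holds (empty string if none)
    has_all_roles    -> "TRUE" only if the RP may ask about every requested
                        role and the user holds all of them, else "FALSE"
    """
    held = USER_ROLES.get(user, set())
    allowed = RP_ALLOWED_ROLES.get(req.rp, set())
    asked = [_local(r, ROLE_NS) for r in req.optional]
    # The IdP decides whether the RP has the right to ask about each role.
    permitted = [r for r in asked if r in allowed]
    overreach = any(r not in allowed for r in asked)

    result = {}
    for action in req.required:
        name = _local(action, ACTION_NS)
        if name == "has_library_role":
            result[action] = ",".join(r for r in permitted if r in held)
        elif name == "has_all_roles":
            ok = bool(permitted) and not overreach and all(r in held for r in permitted)
            result[action] = "TRUE" if ok else "FALSE"
        else:
            # Unknown action: still answer definitively rather than omit it.
            result[action] = "FALSE"
    return result


if __name__ == "__main__":
    req = ClaimRequest(
        rp="https://library.example.test/",
        required=[ACTION_NS + "has_library_role"],
        optional=[ROLE_NS + "system_admin"],
    )
    print(evaluate_claims("alice", req))  # {'...has_library_role': 'system_admin'}
    print(evaluate_claims("bob", req))    # {'...has_library_role': ''}
```

Note that `evaluate_claims` answers with a definitive value (possibly an empty list or FALSE) even when the RP asked about roles it is not allowed to see; the RP learns nothing about those roles, and the role list can change at the IdP without touching the action claims the card advertises.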
What do you think Andy? Could it work?