Geneva’s Beta 2 Claims Model
The beta 2 of the “Geneva” framework was released this week. This framework aims to provide a unified model for claims-based identity management and access control. This includes a class model for representing claims-based identities, shown in the next diagram.
This class model, present in the Microsoft.IdentityModel.dll assembly, is similar to the one present in the code name “Zermatt” framework. One important difference is that issuers are no longer represented by IClaimsIdentity objects but by simple strings. Zermatt’s previous model seems more complete, since it carries more information about an issuer. However, this added information means that claim inference and authorization decisions are typically more complex. The new model aims to reduce this complexity by translating the issuer’s claim set into a string, which is then used in claim inference and authorization decisions. This translation is the responsibility of IssuerNameRegistry objects.
- The System.IdentityModel.dll (SIM) model does not integrate with the IPrincipal/IIdentity principal model. The Microsoft.IdentityModel.dll (MIM) model does.
- The SIM model does not include explicit support for claims-based delegation. The MIM model includes the concepts of delegated identity and original issuer.
- In the SIM model, an issuer is represented by a claim set. In the MIM model, an issuer is represented by a string returned by an IssuerNameRegistry, as described above.
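An added example (not code from the post or from the Geneva bits) of how the string-based issuer model plays out end to end: a custom IssuerNameRegistry translates the signing certificate of an incoming token into a short issuer name, and an authorization check then compares Claim.Issuer and Claim.OriginalIssuer against that name. The GetIssuerName(SecurityToken) signature and the Claim.Issuer/OriginalIssuer properties are assumed from the later WIF API, so Beta 2 may differ in detail; the thumbprints are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;

// Translates the issuer of an incoming token into the string that the rest of the
// pipeline (claim inference, authorization) sees as Claim.Issuer. Trust is keyed on
// the signing certificate's thumbprint, not its subject name, which anyone can copy.
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // Constructed placeholder thumbprints; replace with those of the trusted STS certificates.
    private static readonly IDictionary<string, string> TrustedIssuers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "0000000000000000000000000000000000000001", "http://sts.contoso.example/" },
            { "0000000000000000000000000000000000000002", "http://sts.partner.example/" },
        };

    // Signature assumed from the later WIF release; Beta 2 may differ slightly.
    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
        {
            // Only certificate-signed tokens are trusted here; a null issuer name
            // causes the token handler to reject the token as coming from an unknown issuer.
            return null;
        }

        string issuerName;
        return TrustedIssuers.TryGetValue(x509Token.Certificate.Thumbprint, out issuerName)
            ? issuerName
            : null;
    }
}

// Authorization then works purely on strings: a role claim only counts if it was
// asserted directly (not merely forwarded in a delegation chain) by the issuer trusted for roles.
public static class RoleCheck
{
    public static bool HasRoleFromIssuer(IClaimsIdentity identity, string role, string trustedIssuer)
    {
        return identity.Claims.Any(c =>
            c.ClaimType == ClaimTypes.Role &&
            c.Value == role &&
            c.Issuer == trustedIssuer &&
            c.OriginalIssuer == trustedIssuer);
    }
}
```

Because the registry is the only place where a token's cryptographic origin is turned into the issuer string, a registry that maps on anything weaker than a pinned certificate identity silently widens the set of parties whose claims are accepted downstream.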