Claims mapping & cloud application design

Claims mapping is an important technique for improving the maintainability of applications offering federated authentication. Claims mapping does this by abstracting away the details of identity provider-specific semantics. Suppose that you are federating authorization with two separate organizations, each exposed by their own ADFS. It’s likely that the ADFS servers, and the claims issued by each, are configured slightly differently. Suppose further that you have two separate but related applications, both of which must be accessible to both organizations. Claims mapping allows you not only to isolate the two applications from the variations between the two ADFS servers, but also to output claims in a way that is application-specific.

For example, one ADFS server might issue a claim of Title = Doctor, while another server might issue a claim of Title = Dr. Claims mapping allows canonicalization of those titles. Further, if one application is used to track drug dispensation and one is used to view medical records, the former could be implemented to expect a claim such as MayPrescribe and the latter a claim such as MayView. With this implementation, the logic of interpreting titles has been entirely abstracted from the application, resulting in less duplication of logic and in code that is easier to understand and maintain.
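The two-stage mapping described above (canonicalize each issuer's Title spelling into a shared role, then emit only the claims a given application understands) as a small added example. This is illustrative code written for this post, not WIF, ADFS or any product's API; the issuer URLs, title spellings and application names are constructed placeholders. Two properties a practitioner would want from such a layer are built in: claims from an issuer outside the trust list are rejected rather than silently ignored, and a title the issuer is not known to use yields no role, so an unexpected value fails closed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

@dataclass(frozen=True)
class Claim:
    issuer: str   # the identity provider that asserted this claim
    type: str     # claim type, e.g. "Title"
    value: str    # claim value as issued, e.g. "Doctor" or "Dr"

# Constructed, hypothetical issuers standing in for the two organizations' ADFS servers.
ISSUER_A = "https://adfs.hospital-a.example/"
ISSUER_B = "https://adfs.hospital-b.example/"
TRUSTED_ISSUERS = {ISSUER_A, ISSUER_B}

# Stage 1: per-issuer canonicalization of Title values into shared roles.
# Each organization spells its titles differently; the mapping is keyed by issuer
# so that a spelling used by one organization is not accepted from the other.
TITLE_TO_ROLE = {
    ISSUER_A: {"Doctor": "physician", "Nurse": "nurse"},
    ISSUER_B: {"Dr": "physician", "RN": "nurse"},
}

# Stage 2: application-specific output claims, keyed by application then by role.
APP_POLICY = {
    "dispensation": {"physician": ["MayPrescribe"]},
    "records": {"physician": ["MayView"], "nurse": ["MayView"]},
}

def canonical_roles(claims: Iterable[Claim]) -> Set[str]:
    """Translate issuer-specific Title claims into canonical roles.

    Raises ValueError for any claim from an issuer we do not federate with;
    unknown title values produce no role rather than a guess.
    """
    roles: Set[str] = set()
    for claim in claims:
        if claim.issuer not in TRUSTED_ISSUERS:
            raise ValueError(f"untrusted issuer: {claim.issuer}")
        if claim.type != "Title":
            continue
        role = TITLE_TO_ROLE[claim.issuer].get(claim.value)
        if role is not None:
            roles.add(role)
    return roles

def map_claims(app: str, claims: Iterable[Claim]) -> List[str]:
    """Return the sorted application-specific claims for `app`.

    Only the output claims reach the application; the raw Title values and
    the issuer-specific interpretation logic stay inside this layer.
    """
    policy = APP_POLICY[app]
    output: Set[str] = set()
    for role in canonical_roles(claims):
        output.update(policy.get(role, []))
    return sorted(output)

if __name__ == "__main__":
    # Constructed sample tokens: the same person-type from each organization.
    print(map_claims("dispensation", [Claim(ISSUER_A, "Title", "Doctor")]))  # ['MayPrescribe']
    print(map_claims("dispensation", [Claim(ISSUER_B, "Title", "Dr")]))      # ['MayPrescribe']
    print(map_claims("records", [Claim(ISSUER_B, "Title", "RN")]))           # ['MayView']
    print(map_claims("dispensation", [Claim(ISSUER_B, "Title", "RN")]))      # []
```

Adding a third organization means adding one entry to TITLE_TO_ROLE; adding a third application means adding one entry to APP_POLICY. Neither change touches the existing applications, which is the maintainability gain the post describes.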

Notably, claims mapping is being offered as a service: see the Windows Azure AppFabric Access Control Service (ACS). 
