Microsoft's Guide to Claims Based Identity and Access Control

Published on Thursday, 11 March 2010

Three months after the PDC conference and I’m finally catching up on the reading materials I collected in LA. One of the books I picked up was a copy of the Patterns and Practices Group’s A Guide to Claims Based Identity and Access Control. It turns out that this book just RTM’ed and is now available online in PDF and HTML formats.

Claims Based Identity and Access Control

This book is unique in the Microsoft world. You can find all kinds of books that scratch the surface of application and web service security. If you were looking to dive deep and understand claims-based identity and federated security, you were relegated to piecing together bits of information from blogs, MSDN, and other sources – until this book arrived. The book takes a topic that is complex and difficult to comprehend and approaches it from the perspective of several personas: a security specialist, software architect, developer, and operations manager. While this is by no means an O’Reilly Head First-style book, the persona approach, professional illustrations, simple metaphors, and meaningful examples go a long way towards making the material much more digestible.

After a basic introduction to claims and claims-based architectures, the book dives into 4 detailed examples.

  1. Claims-Based Single Sign On for the Web
  2. Federated Identity for Web Applications (including Azure)
  3. Federated Identity for Web Services
  4. Federated Identity with Multiple Partners

For each of these topics, the book provides a case study complete with diagrams, code snippets, and commentary from the technical personas. Complete source code is available online as well for those who want to dive deep into the details.

I’m about three quarters of the way through the book now and have found the book to provide an excellent learning experience. It was humbling to find out how little I knew about how to establish claims based identity. On the other hand, as I look at some upcoming client work that is asking for claims based identity and the use of ADFS, I’m really glad that I’ve had the chance to work through this book and familiarize myself with the lay of the land prior to diving into the deep end.