Back to
Windows Azure Active Directory Solutions For Developers
Scenario
In this scenario application requires to implement complex authorization rules logic, something that
cannot be satisfied using only roles. The application enforces access by calculating the outcome - grant or deny access - based on the information available in the request including the claims in the incoming token.
- The application uses claims-based authentication
- Role Based Access Control (RBAC) cannot satisfy authorization requirements
- Authorization outcome - grant or deny access - is calculated based on complex rules and the data available in the token.
Solution Approach
The solution relies on ClaimsAuthorizationManager - WIF' extensibility point. You develop custom ClaimsAuthorizationManager
and register it in web.config. You can optionally express the rules as a policy in the web.config so that the custom ClaimsAuthorizationManager can read them at run time and enforce them for the incoming requests. For detailed step-by-step walkthrough read
How
To: Implement Claims Authorization in a Claims-Aware ASP.NET Application Using WIF and ACS.
- Application uses WIF
- Application uses ClaimsAuthorizationManager as an extensibility point
- Implement custom ClaimsAuthorizationManager and define authorization policy in the configuration file
- Call CheckAccss in the code to enforce the authorization policy.
Analysis
Implement claims-cased authorization when role base access control (RBAC) is insufficient to satisfy authorization requirements. Read more about RBAC in
Role-Based
Access Control (RBAC) Authorization In Claims-Aware Applications
How-To's
Code Samples
Resources