1

My understanding is that claims are an STS thing based on the WS-Trust standard and have nothing to do with the SAML2 standard. A WS-Trust STS token can use SAML to send claims in that format. Am I correct?

Brock Adams
user557983
  • I have a question: can we add claims to SAML metadata? https://stackoverflow.com/questions/69864159/how-add-claims-to-saml-idp-metadata – Muneera_salah Nov 07 '21 at 12:14

3 Answers

8

Claims is a general concept - a claim is a piece of information about a user.

In SAML2 the same concept is present, but it is named attribute instead. There is also a special treatment in SAML2 of the SubjectNameId field - usually the username. When translated to a .NET ClaimsIdentity it is simply just another claim.

Anders Abel
4

Claims are essentially a Microsoft concept. In that world, claims are the signed statements made about an identity by ADFS and interpreted by WIF e.g. Mobile = 12345678.

The mechanism used to pass this information is a SAML token (not to be confused with the SAML protocol).

This contains SAML assertions as above - WIF takes this base information and returns a claims object to the application.

Claims are not restricted to WS-Trust - that's essentially active (web services). They are also used by WS-Federation which is passive (browser).

rbrayb
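The mapping the two answers above describe (a SAML2 attribute becomes a claim, the SubjectNameId becomes just another claim, a multi-valued attribute becomes several claims of one type) as an added Python example; it is not code from either answer or from WIF/.NET. The assertion is constructed for the example, the attribute names are sample values (the `Mobile` one follows rbrayb's answer), and the NameIdentifier claim-type URI is the one .NET's `ClaimTypes.NameIdentifier` uses. The function only extracts; it assumes the caller has already validated the assertion's signature, issuer, audience and validity window, because unverified attributes are not trustworthy claims.

```python
"""Map a SAML2 assertion's NameID and attributes onto a flat list of claims.

Added example (not from the Stack Overflow answers or any .NET library).
"""
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml's ElementTree

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard claim type .NET uses for the subject's NameID.
NAME_ID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Constructed sample assertion (unsigned here; a real one carries a ds:Signature
# that must be verified before anything below is trusted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2021-11-07T12:14:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Mobile">
      <saml:AttributeValue>12345678</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_to_claims(assertion_xml: str) -> list[tuple[str, str]]:
    """Return (claim_type, value) pairs: the NameID first, then one per AttributeValue.

    Assumes the assertion has already been validated (signature, issuer,
    audience, NotBefore/NotOnOrAfter); this function does no verification.
    """
    root = ET.fromstring(assertion_xml)
    claims: list[tuple[str, str]] = []

    # SAML2 treats the SubjectNameId specially, but once translated it is
    # simply another claim on the identity.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        claims.append((NAME_ID_CLAIM, name_id.text.strip()))

    # Each SAML attribute maps to a claim type; each value becomes one claim,
    # so a multi-valued attribute yields several claims of the same type.
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claim_type = attr.get("Name", "")
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text:
                claims.append((claim_type, value.text.strip()))
    return claims


def claim_values(claims: list[tuple[str, str]], claim_type: str) -> list[str]:
    """All values carried by claims of the given type (empty list if none)."""
    return [value for ctype, value in claims if ctype == claim_type]


if __name__ == "__main__":
    for ctype, value in assertion_to_claims(SAMPLE_ASSERTION):
        print(f"{ctype} = {value}")
```

Running the block prints four claims: the NameID as a nameidentifier claim, `Mobile = 12345678`, and two `Group` claims. The same flat list is what a WIF-style ClaimsIdentity holds, which is why the token format (SAML assertion here) and the transport (WS-Trust or WS-Federation) make no difference to the application consuming the claims.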
1

Claims are a general concept - completely independent of the token type or protocol that is used.

leastprivilege