Claims and Tokens
This topic describes the various claim types that Windows Communication Foundation (WCF) creates from the default tokens that it supports.
The ClaimType property returns a Uniform Resource Identifier (URI) that specifies the type of claim being made. For example, a claim type may be a thumbprint of a certificate, in which case the URI is
The Resource property returns the resource associated with the claim.
Where a client credential maps to a Windows user account, the resulting ClaimSet has the following values:
Issueris the value returned by the static Windows property of the ClaimSet class.
The claims in the collection are:
A Claim with a ClaimType value of security identifier (SID), a Right property value of
Identity, and a Resource that returns the actual SID value. A SID is a unique value the domain controller issues to every user. The SID is used to identify the user in interactions with Windows security.
Additional SID claims with PossessProperty for the various groups the user belongs to.
Where the client credential is a certificate, the resulting ClaimSet has the following values:
For self-issued certificates, the
Issueris the ClaimSet itself. The ClaimSet returns a ClaimType of Thumbprint, a Right of
Identity, and a Resource value that is a Byte array containing the thumbprint of the certificate.
For a certificate issued by a certification authority, the issuer is the
ClaimSetrepresenting the certification authority’s certificate.
Claimsin the collection include:
ClaimTypeof Thumbprint, a
Rightof PossessProperty, and a
Resourcethat is a byte array containing the thumbprint of the certificate
Additional PossessProperty claims of various types, including X500DistinguishedName, Dns, Name, Upn, and Rsa, represent various properties of the certificate. The resource for the Rsa claim is the public key associated with the certificate.Note Where the client credential type is a certificate that the service maps to a Windows account, two
ClaimSetobjects are generated. The first contains all the claims related to the Windows account and the second contains all the claims related to the certificate.
Where the client credential is a user name/password (or equivalent) that does not map to a Windows account, the resulting
ClaimSet is issued by the static System property of the
ClaimSet class. The
ClaimSet contains an
Identity claim of type Name whose resource is the user name the client provides. A corresponding claim has a
Where an RSA key not associated with a certificate is used, the resulting
ClaimSet is self-issued and contains an
Identity claim of type Rsa whose resource is the RSA key. A corresponding claim has a
Where the client authenticates with a Security Assertions Markup Language (SAML) token, the resulting
ClaimSet is issued by the entity that signed the SAML token, often the certificate of the security token service (STS) that issued the SAML token. The
ClaimSet contains various claims as found in the SAML token. If the SAML token contains a
SamlSubject with a non-
null name, then an
Identity claim with a type of NameIdentifier and a resource type of SamlNameIdentifierClaimResource are created.
Identity Claims and ServiceSecurityContext.IsAnonymous
If none of the
ClaimSet objects resulting from the client credentials contain a claim with a
Identity, then the IsAnonymous property returns
true. If one or more such claims are present, the
IsAnonymous property returns