Integration with IIdentity and IPrincipal

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

IIdentity and IPrincipal

ASP.NET and Windows Communication Foundation (WCF) developers ordinarily use the IIdentity and IPrincipal interfaces to work with the user’s identity information. WIF extends these interfaces, as illustrated in the following diagram:


Developers can access the user’s name just as always. They can also access other claims made for the user, such as e-mail address, age, mailing address, and so on.

WIF provides this functionality through existing methods such as Thread.CurrentPrincipal. You call Thread.CurrentPrincipal and cast the returned IPrincipal to an IClaimsPrincipal. As the previous diagram illustrates, IClaimsPrincipal exposes a collection of identities, each of which has a collection of claims made about the subject, which is typically the current user.

A claim is represented by Claim class. This class has the following important properties:

  • ClaimType represents the type of claim and is typically a URI. For example, the e-mail address claim is represented as

  • Value contains the value of the claim and is represented as a string. For example, the e-mail address can be represented as “”.

  • ValueType represents the type of the claim value and is typically a URI. For example, the string type is represented as

  • The value type must be a QName according to the XML schema. The value should be of the format namespace#format to enable WIF to output a valid QName value.

  • If the namespace is not a well-defined namespace, the generated XML probably cannot be schema validated, because there will not be a published XSD file for that namespace.

  • The default value type is

  • Please see for well-known value types that you can use safely.

  • Issuer is the identifier of the security token service (STS) that issued the claim. This can be represented as URL of the STS or a name that represents the STS, such as For more information, see IssuerNameRegistry.

  • OriginalIssuer is the identifier of the STS that originally issued the claim, regardless of how many STSs are in the chain. This is represented just like Issuer.

  • Subject is the subject whose identity is being examined. It contains a IClaimsIdentity.

  • Properties is a dictionary that lets the developer provide application-specific data to be transferred on the wire together with the other properties, and can be used for custom validation.

Identity Delegation

An important property of IClaimsIdentity is Actor. This property enables the delegation of credentials in a multi-tier system in which a middle tier acts as the client to make requests to a back-end service. For more information, see Identity Delegation Scenario.