Investigate The Concept Of Claims Based Identity

Work Completed By: Steve Woodward


A key concept for identity within our ICT architecture is the use of claims about a particular identity, i.e. a piece of information that is in doubt and must be proved before it is relied on. It is hoped that by adopting such an approach we can provide a more granular user experience and apply authentication requirements appropriate to what is actually being accessed.

This project is concerned with understanding how prevalent and mature this concept is within the wider ICT community: where it is being used and how it is being implemented within commercial offerings.


There were no demos or code produced for this project - this was treated as a research question. The output of this project is this document.


Like most people, I've got logins for lots and lots of websites. Of course I've forgotten most of them, and I'll often click the "I've forgotten my password" link to get a new login. I'll lean on the auto-form-fill feature in my browser to log in to most of the sites I use regularly, but I've also got a password-protected wiki page (on my computer) chock full of passwords and usernames.

All of which isn't particularly secure, and it means I'm tied to that computer, an eminently stealable laptop.

Ideally I'd be able to login to all the websites I use really easily without fear of getting my identity stolen. I'd heard of OpenID, but as a user, never really understood it, and I've also seen buttons on websites for logging in with Facebook, Google and Twitter, but never investigated it.

So I first started off wondering if we're still in the - groan if you like - VHS vs. Betamax period for identity systems, except that rather than just 2 or 3 systems there are so many to choose from. (Video 2000 was never a contender, come on…).

What is claims-based identity?

I've been struggling with the idea of claims-based identity. No-one ever said it was going to be easy. I'd hoped to come up with a one or two-liner, but I'm not going to manage that.

Claims are part of the Identity Metasystem model - wait, don't run away - which is "an …architecture for digital identity that enables people to have and employ a collection of digital identities" (Wikipedia, inevitably).

The picture of this in my head is that when I'm at work, I'm Steve Woodward of Warwickshire County Council, so I'll need access to stuff based on that side of me. When I'm at home I'll wear a different hat; say for example I'd put together a website for a shop, so I'll need access to the web server there, so I'll be using my home identity.

So what is a claim?

A claim is an assertion made by one subject about another subject that is defined to be "in doubt" until passing "Claims Approval" - from Usercentric Identity Metasystem

Actually this isn't quite the whole story, because claims aren't only made by someone else about me. Warwickshire County Council could claim that I work for them, but I can also claim, about myself, that I work at Warwickshire County Council. The first is a third-party claim and the second is self-asserted, and a relying party will reasonably treat the two differently.

You might assign levels of trust to claims depending on where the claim has been issued from. An example that Chris Jones mentioned is that in the real world you could produce a driving licence as proof of age in shops and pubs. In this example the DVLA is the identity provider, the pub is the relying party, and I'm the subject. The barman looks at the driving licence and, providing that he recognises the look of it, trusts the DVLA to have seen enough proof of the would-be drinker's age. He doesn't have to ring up the DVLA and check with them; he trusts the card. That trust rests on the card being hard to forge, and in the digital version the issuer's signature over the claims does that job.

I-Cards and Information Cards

In the digital world, claims can be wrapped up as Information Cards.

The generic idea of an Information Card is based on identity credentials like credit cards, driver's licences, passports, etc. I-cards and Information Cards are broadly the same sort of thing - the separate names are a historical quirk due to parallel development by Microsoft (information cards used in CardSpace) and the people behind the Higgins Open Source Identity Framework.

There are three kinds of cards. A managed card, a personal card, and a relationship card.

A managed card is an information card issued by an identity provider. A personal card is a card you create yourself, making claims about yourself. A relationship card is for defining an ongoing data-sharing relationship between multiple parties, and is still under development by the Higgins project.

Identity selectors

An identity selector is a piece of software that lets the user create and edit their information cards and, when a website asks for one, choose which card to present. Currently it's also the identity selector that actually hands your digital identity over to the website.

There are three main ones, currently - Windows CardSpace, Azigo and Novell DigitalMe.


[Image: Windows CardSpace identity selector]


[Image: Azigo identity selector]

CardSpace stores your personal card on your machine as a file, as does Novell DigitalMe. Azigo stores it in "a secure online service", which could be convenient up until the point at which they announce they are discontinuing the service and you have until the end of the day to extract your cards. Both CardSpace and DigitalMe are going to offer both options at some stage.

I've had a go at creating an information card with Azigo. I tried logging on to Kim Cameron's Identity Weblog, which supports Information Cards. The Azigo client duly pops up when I try to log in, and when I click on the Information Card that I've set up, I get…


…which isn't very friendly. I now have nothing to go on to fix this problem - maybe there wasn't enough information in my Information Card, or Kim's weblog didn't trust it (for whatever reason), or there was some sort of communication/network problem - either way, if logging in via an Information Card is the only way to comment on this site, I'm locked out of it.

In order to support Information Cards, I'd suggest that we need identity selectors baked into the browser as standard, rather than through an external piece of software. The selector should be easy to use and allow users to have full control over their own cards.

An identity selector apparently does come with IE in Vista, but there's no mention of whether this is Windows CardSpace. Firefox does have a plugin for InfoCards, but all the dates on the web pages mentioning support seem to be from a couple of years ago, as if projects were started and never kept up to date.

The Microsoft way - Windows Identity Foundation (formerly Zermatt, then Geneva)

When searching for claims-based identity on the web, all roads seem to lead to the Geneva framework - the official site still refers to it under its codename, and it still appears to be in beta.


[Image: Geneva homepage detail]

Previously known as Zermatt and renamed Geneva in late 2008, it has only recently been given its official name of Windows Identity Foundation, which would indicate a willingness from Microsoft to get this into production. Or just to change the name of their products every ten minutes.

There's been much talk about the theory and philosophy behind claims-based identity, but as Eugenio Pace at Microsoft says, little in the way of "concrete scenarios".

Code samples have just this month started to appear on the Geneva team blog

Business case studies are thin on the ground; there's a video case study over at the Geneva website, which shows a claims-based proof of concept at the Lake Washington School District. It reuses trust created in the real world by relying on an initial "in-person proofing event", like a school registration process, showing a child and a parent presenting a school administrator with their documents. The digital identity is then bound to a netbook given to the child.

They show a third-party calendar app which consumes the claims coming from Active Directory through Geneva. The presenters flip through this part pretty quickly, but the user interface for the presentation of the information card doesn't impress; it looks like a firewall or anti-virus program complaining about an intrusion event. Here's a blurry screenshot taken with James' Blackberry - the MS video doesn't seem to allow screenshots:


Struggling to come up with a metaphor for the shiny newness of Geneva, thoughts inevitably turn to drink; it feels as if this framework has just been bottled and we're still waiting for it to ferment. Now it has been assigned a proper name rather than just a codename, it needs to climb out of beta, and become a fully-fledged part of .NET. Once that happens one would expect the development community to get more involved, although I'd imagine it will be hard to get excited about a new way of doing identity, compared to the latest AJAX or Silverlight techniques.


Describe the degree to which the work was successful in addressing the project description. Include reasons why or why not.

Was the work successful? The best outcome would have been to find a way of representing identity that was very secure, simple to extend, heavily supported throughout the industry and easy to comprehend for the average user. And that made me coffee and brought me biscuits on the hour, thanks.

Identity has moved on since Dick Hardt's great presentation Identity 2.0, but there are still doubts about security, a lack of clear documentation and concrete case studies, different ideas and implementations, and - the worst part - it's hard for the end-user to understand.

OpenID took the biggest stab at an open identity model, and has made noise in the consumer market. Its decentralised model is seen as an advantage, but with so many providers, and the confusing user interfaces thrown up by various implementations of the authentication process, it's definitely confusing for the end user. I already have Google, Flickr, Facebook and WordPress accounts - which one do I use as my central log-in?


[Image: from the OpenID website, showing a selection of popular providers]

Generic OpenID providers like myOpenID will struggle for brand recognition against the big boys. As a developer type I could probably set up my own OpenID provider, but I'm not sure it's worth the effort to me. Buttons have started to appear on blogs and community sites - and rather than "log in with my OpenID" it's "log in with Facebook Connect" or "log in with Twitter".


[Image: example of log-in buttons - comment form from the blogging app Posterous]

Reading around the web, from the blogs and the opinion columns, there's a general feeling that OpenID hasn't taken off in quite the way that the developers hoped.

The enterprise moves more slowly than the consumer market, and Microsoft's Zermatt/Geneva/Windows Identity Foundation is still to come out of beta. It will take a while for Geneva to get a foothold with devs and enterprises - although there are a lot of Microsoft blogs trumpeting claims-based identity as the way forward, I'd struggle to recommend jumping into something that is so untested.


What immediate impact could the output of this R&D work have on the organisation – could it provide benefits without compromising our strategic approach?

There's nothing immediate we can apply to our infrastructure from this work.

The main framework in an enterprise setting is Microsoft's Geneva, but that is still in beta and yet to get traction. We could sticky-tape a bunch of washing-up bottles together, Blue Peter style, to make some sort of identity system out of OpenID and Information Cards, but it's all still in flux.


How the work carried out fits with our strategic direction or how it should contribute to our strategic thinking.

It's definitely worth watching the work that is going on at Microsoft and elsewhere to see how it progresses. I can't help thinking that the consumer space is a large testing ground for ideas, and that maybe we'll see a model emerge out of a gluing together of OpenID and Information Cards, or Google might come up with something; cf. the recent TechCrunch post "Google Points At WebFinger. Your Gmail Address Could Soon Be Your ID".


Appendix I: Security and the user interface

This bit is much less about claims-based identity, and more about security doubts around the UI pattern commonly used to log users in.

There's a common pattern to these external login systems. The best way to explain is to show an example - this one is from a simple online blogging service called Posterous, which lets bloggers write posts by sending an email to a standard address.

People who want to comment on a post are faced with the choice of three different login systems: Posterous' own, Facebook Connect, or Twitter. Here come lots of screenshots.


Clicking on the Facebook link gets you a browser pop-up from Facebook, and obviously so: the address bar is included in the pop-up, which tells me, the punter, that I really am logging on to Facebook.


So I enter in my username and password into the non-SSL'd form (tut, tut) and click connect and we land back on the Posterous comment form, logged in.


Now if I go over to Robert Scoble's hyper-excited blog about social media, this is the comment form I see, with social media log-in buttons all present and correct:


So although I'm still logged into Facebook, I'm not automatically logged into Scoble's blog; I've got to give the blog permission to connect to Facebook:


This time I don't get the address bar, but I don't really need to see that this time around. I click connect again and…


…I'm logged in. It's dead easy and very slick.

For all this to work, I've got to trust the parties involved. And trust is massively important on the Internet.

When I type in "" with one finger into Firefox, I trust that when I click the "go" button, routing and DNS across the world all clicks into action - in my mind it's a giant Heath Robinson-style mousetrap game, possibly involving Heinz Wolff and some eggs. With the final splat of the egg, or possibly just a tiny electrical signal, I end up at the BBC website.

Earlier in the day we were stressing about phishing and spoofing of sites - Terry had shown a possible phishing vector with OpenID, where the provider's log-in form was presented in an iframe on the relying site, so the URL of the referring site was still in the address bar.

This would allow a malicious referring site to display a fake login form in place of the OpenID provider's, with a kind-of believable URL in the address bar. It would look as if you were sending your username and password to the OpenID provider, but in reality they would be captured by the referring site. Nothing inside the page can tell you the difference; only a login page shown at top level, with its own address bar, lets you check who you are really talking to.
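The iframe attack just described and its defence on the provider side, as an added example rather than anything from this page or from any real OpenID provider: a hypothetical login endpoint, first as described (it renders the form to whoever asks, so a relying site can frame it), then hardened so that the browser refuses to render it inside a frame, the server refuses framed requests it can recognise, and credentials only ever travel over HTTPS. Request and response objects are plain objects standing in for an HTTP framework's; the host name and paths are made up. Runs with Node.js.

```javascript
'use strict';
// Added example, not code from the page or from any OpenID provider. A
// hypothetical identity-provider login endpoint, first as the page describes
// it (renders the form for anyone, so a relying party can frame it and keep
// its own URL in the address bar) and then hardened. Request and response
// objects are plain objects standing in for an HTTP framework's.

const LOGIN_FORM =
  '<form method="post" action="/login">' +
  '<input name="user"><input type="password" name="pass">' +
  '<button>Log in</button></form>';

// The vulnerable endpoint: no framing controls, happy to serve over plain HTTP.
function vulnerableLoginHandler(req) {
  return { status: 200, headers: { 'content-type': 'text/html' }, body: LOGIN_FORM };
}

// Destinations a browser reports in Sec-Fetch-Dest when a page is being
// loaded into someone else's document rather than as the top-level page.
const FRAMED_DESTS = new Set(['iframe', 'frame', 'embed', 'object']);

function hardenedLoginHandler(req) {
  // Credentials only over TLS (the page's "tut, tut" about a non-SSL form).
  if (!req.secure) {
    return { status: 302, headers: { location: `https://${req.host}${req.url}` }, body: '' };
  }
  const headers = {
    'content-type': 'text/html; charset=utf-8',
    // Two ways of saying "never render me inside another site's frame":
    // CSP frame-ancestors for current browsers, X-Frame-Options for older ones.
    'content-security-policy': "frame-ancestors 'none'",
    'x-frame-options': 'DENY',
    'strict-transport-security': 'max-age=31536000',
    'cache-control': 'no-store',
  };
  // Browsers that send Fetch Metadata say up front that the request is for a
  // frame; refuse server-side as well, rather than rely on the headers alone.
  const dest = String(req.headers['sec-fetch-dest'] || '').toLowerCase();
  if (FRAMED_DESTS.has(dest)) {
    return { status: 403, headers, body: 'This login page cannot be shown inside another site. Open the provider directly.' };
  }
  return { status: 200, headers, body: LOGIN_FORM };
}

// Constructed requests: a framed load from a hostile relying site, a genuine
// top-level visit, and a visit over plain HTTP.
const framedRequest = { secure: true, host: 'idp.example', url: '/login', headers: { 'sec-fetch-dest': 'iframe' } };
const topLevelRequest = { secure: true, host: 'idp.example', url: '/login', headers: { 'sec-fetch-dest': 'document' } };
const plainHttpRequest = { secure: false, host: 'idp.example', url: '/login', headers: {} };

function demo() {
  return {
    vulnerableFramed: vulnerableLoginHandler(framedRequest).status,   // 200: form handed to the framer
    hardenedFramed: hardenedLoginHandler(framedRequest).status,       // 403
    hardenedTopLevel: hardenedLoginHandler(topLevelRequest).status,   // 200, with anti-framing headers
    hardenedPlainHttp: hardenedLoginHandler(plainHttpRequest).status, // 302 to https
  };
}

console.log(demo());
```

Note what this does and doesn't fix. The genuine form can no longer be embedded, but a hostile site can still draw a lookalike form of its own inside its page. The only thing the user can check is the address bar, which is why the Facebook pop-up with its visible address bar is the better UI pattern than a login form sitting inside someone else's page.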

Appendix II: References

Organization for the Advancement of Structured Information Standards - OASIS
"OASIS… is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society."

Kim Cameron's Identity Weblog
Well worth watching the video "Why OpenID leads to Information Cards"

Identity 2.0
Dick Hardt, now of Microsoft, and his blog on the "next generation of identity". You must watch his Identity 2.0 presentation.

Identity frameworks

Inevitable Wikipedia links

Identity selectors

Claims-based authentication / claims-based identity model
Blog post by Muhammed Ahsan

Microsoft's Geneva team blog

Microsoft blogger, especially on identity

Google's WebFinger
Could be the start of something?

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License