WIF - managing domain specific authorization

I have a Windows Identity Foundation based infrastructure with a custom STS with its own database. The STS authenticates users. The database also contains various authorisation-related claims about users. We add these claims after the user has been authenticated and just before WIF serializes the ClaimsIdentity into the SAML token and posts it over to the relying party sites. We have 5 relying party sites (and the number may grow).

This has meant that the number of claims, and ultimately the size of the auth cookie, has grown, as I need to satisfy the domain-specific authorisation for each RP. As a result, each request carries around a bloated cookie with some claims that are not relevant to some of the sites, which I don't like.

Is there a better pattern for managing domain specific authorization claims within a (WIF/WS-Federation) federated authentication architecture?

Thanks

Answers


You should look into claims transformation (ClaimsAuthenticationManager) -- it allows the RP to augment the claims presented to the RP. The idea is that the STS provides only a small set of claims and then the RP adds its RP-specific stuff from its database.
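An added example of the transformation this answer describes (my own illustration, not code from the answer's author or from the WIF team): an RP-side ClaimsAuthenticationManager that takes the small identity-only principal issued by the STS and adds the roles this particular RP keeps in its own store. The class name, the in-memory role table, the user identifiers and the local issuer string are all constructed for the example; the config fragment in the trailing comment is the assumed .NET 4.5 (System.IdentityModel) layout.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical RP-side claims transformation. Assumes the STS issues only
// the user's identity (a NameIdentifier or Name claim) and that each RP
// keeps its own authorisation data locally.
public class RpClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Constructed stand-in for this RP's own database lookup.
    // Key: user identifier as issued by the STS; value: this RP's roles.
    private static readonly Dictionary<string, string[]> LocalRoleStore =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.test", new[] { "InvoiceApprover", "Reader" } },
            { "bob@example.test",   new[] { "Reader" } },
        };

    // Issuer recorded on claims the RP adds itself (assumed value), so that
    // locally sourced claims stay distinguishable from STS-issued ones.
    private const string LocalIssuer = "LOCAL AUTHORITY";

    public override ClaimsPrincipal Authenticate(string resourceName,
                                                 ClaimsPrincipal incomingPrincipal)
    {
        // Only augment principals the STS actually authenticated; anything
        // else is returned untouched and stays unauthorised.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;

        // Use the identifier the STS signed as the lookup key.
        var nameClaim = identity.FindFirst(ClaimTypes.NameIdentifier)
                        ?? identity.FindFirst(ClaimTypes.Name);
        if (nameClaim == null)
        {
            return incomingPrincipal;
        }

        string[] roles;
        if (LocalRoleStore.TryGetValue(nameClaim.Value, out roles))
        {
            foreach (var role in roles)
            {
                // Skip roles already present so repeated sign-ins do not
                // accumulate duplicate claims in the session.
                if (!identity.HasClaim(ClaimTypes.Role, role))
                {
                    identity.AddClaim(new Claim(ClaimTypes.Role, role,
                                                ClaimValueTypes.String, LocalIssuer));
                }
            }
        }

        return incomingPrincipal;
    }
}

// Assumed web.config registration for the .NET 4.5 identity model
// (assembly name is a placeholder):
//
// <system.identityModel>
//   <identityConfiguration>
//     <claimsAuthenticationManager
//         type="RpClaimsAuthenticationManager, MyRpAssembly" />
//   </identityConfiguration>
// </system.identityModel>
```

The federation module invokes this once at sign-in, and the session cookie is written from the principal it returns, so each RP's cookie carries only the roles that RP added for itself rather than the union of every site's authorisation data. Checking `IsAuthenticated` first matters: the transformation must never turn an anonymous or failed sign-in into a principal that holds roles.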


Please look at Authorization server. It might be what you are looking for.

