

Flowing Additional Identity Information

I want to provide some additional information about the user within the client credentials. Can I do this with Windows credentials?

No. Although you can create custom claims and try attaching them to the credentials, the credentials on the wire only contain the information that's part of the standard Windows token. Any additional information gets lost. The same is true for many other types of credentials that weren't designed for extensibility in the wire format.

SAML tokens were designed for extensibility and permit attaching additional data. If you've got a mechanism to attach SAML tokens to a message, such as with message security, then you can load the token up with claims and additional identity information and flow the token to the other party. The token helps support the client credentials and other security information. You can read about SAML tokens on MSDN to get started.
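As an added illustration (not code from the original post), the C# sketch below shows an issuer placing extra identity data into a signed SAML 1.1 attribute statement and a WCF service reading it back from the authorization context. The claim namespace, issuer URI, attribute names and values are hypothetical, and the signing certificate is assumed to be supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

static class SamlIdentityExample
{
    // Hypothetical namespace, issuer and attribute names, chosen for this example.
    const string AttrNs = "http://example.org/claims";
    const string IssuerName = "http://example.org/issuer";

    // Issuer side: a signed SAML 1.1 token whose attribute statement carries the extra data.
    public static SamlSecurityToken BuildToken(string userName, X509Certificate2 signingCert)
    {
        var subject = new SamlSubject(null, null, userName);
        var attributes = new List<SamlAttribute>
        {
            new SamlAttribute(AttrNs, "department", new[] { "finance" }),
            new SamlAttribute(AttrNs, "costcenter", new[] { "4711" })
        };
        var statements = new SamlStatement[] { new SamlAttributeStatement(subject, attributes) };
        var conditions = new SamlConditions(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(10));
        var assertion = new SamlAssertion("_" + Guid.NewGuid(), IssuerName, DateTime.UtcNow,
                                          conditions, null, statements);
        // The signature is what lets the receiver trust the attributes; unsigned claims prove nothing.
        assertion.SigningCredentials = new SigningCredentials(
            new X509AsymmetricSecurityKey(signingCert),
            SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest,
            new SecurityKeyIdentifier(new X509ThumbprintKeyIdentifierClause(signingCert)));
        return new SamlSecurityToken(assertion);
    }

    // Service side: WCF surfaces each attribute value as a claim of type "<namespace>/<name>".
    public static List<string> ReadAttribute(string name)
    {
        var values = new List<string>();
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null) return values;   // no security context, nothing to read
        foreach (ClaimSet set in ctx.AuthorizationContext.ClaimSets)
            foreach (Claim claim in set.FindClaims(AttrNs + "/" + name, Rights.PossessProperty))
                values.Add(claim.Resource as string);
        return values;
    }
}
```

Before acting on a returned value, the service should also confirm that the claim set's issuer is one it trusts, since any party holding a signing key can assert arbitrary attributes.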

Next time: Custom Cookie Handling

Comments

  • Anonymous
    January 16, 2008
    What if I have a service that received a SAML token, and wanted to "impersonate" the client and flow the SAML token when submitting a request to another service?

  • Anonymous
    January 16, 2008
    Why doesn't a message start with an XML declaration? The XML declaration is a processing instruction

  • Anonymous
    January 16, 2008
    Hi Amir- Check out this post by Govind for more details: http://blogs.msdn.com/govindr/archive/2006/10/24/re-serialize-saml-token.aspx.

  • Anonymous
    January 28, 2008
    Can I pass additional user data, such as identity information, in a message secured with a client certificate?