Partager via


<claimsAuthorizationManager>

Registers a claims authorization manager for the incoming claims.

<configuration>
  <system.identityModel>
    <identityConfiguration>
      <claimsAuthorizationManager>

Syntax

<system.identityModel>  
  <identityConfiguration>  
    <claimsAuthorizationManager type = xs:string>  
      <optionalConfigurationElements />  
    </claimsAuthorizationManager>  
  </identityConfiguration>  
</system.identityModel>  

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute Description
type A custom type that derives from the ClaimsAuthorizationManager class.

Child Elements

If there is no type attribute, or if the type attribute references the ClaimsAuthenticationManager class, the <claimsAuthorizationManager> element does not take child elements; however, classes derived from ClaimsAuthorizationManager can define child configuration elements.

Parent Elements

Element Description
<identityConfiguration> Specifies service-level identity settings.

Remarks

The default behavior provided through the ClaimsAuthorizationManager class always authorizes the incoming claims. If no type attribute is specified or if the type attribute specifies the ClaimsAuthorizationManager class, the <claimsAuthorizationManager> element does not take child elements. You can specify the type attribute to register a type derived from the ClaimsAuthorizationManager class to implement custom behavior. Derived classes can support configuration through child elements of the <claimsAuthorizationManager> element by overriding the LoadCustomConfiguration method to handle these elements. The schema defined for the child elements is up to the designer of the class.

Important

When using the ClaimsPrincipalPermission or the ClaimsPrincipalPermissionAttribute class to provide claims-based access control in your code, the identity configuration that is referenced by the <federationConfiguration> element configures the claims authorization manager and policy that is used to make authorization decisions. This is true, even in scenarios that are not passive Web scenarios, for example Windows Communication Foundation (WCF) applications or an application that is not Web-based. If the application is not a passive Web application, the <claimsAuthorizationManager> element (and its child policy elements, if present) of the referenced identity configuration are the only settings applied. All other settings are ignored. For more information, see the <federationConfiguration> element.

This element sets the IdentityConfiguration.ClaimsAuthorizationManager property.

Example

The following XML shows the configuration for a claims authorization manager that implements policy composed of resource-action pairs each of which specifies boolean combinations of the claims that a requestor must possess to perform the action on the resource. The code that implements the claims authorization manager capable of using this policy can be found in the ClaimsBasedAuthorization sample.

<system.identityModel>  
    <identityConfiguration>  
      <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">  
        <policy resource="http://localhost:28491/Developers.aspx" action="GET">  
          <or>  
            <claim claimType="https://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />  
            <claim claimType="https://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />  
          </or>  
        </policy>  
        <policy resource="http://localhost:28491/Administrators.aspx" action="GET">  
          <and>  
            <claim claimType="https://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />  
            <claim claimType="https://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />  
          </and>  
        </policy>  
        <policy resource="http://localhost:28491/Default.aspx" action="GET">  
        </policy>  
        <policy resource="http://localhost:28491/" action="GET">  
        </policy>  
        <policy resource="http://localhost:28491/Claims.aspx" action="GET">  
        </policy>  
      </claimsAuthorizationManager>  
    <identityConfiguration>  
<system.identityModel>