

How to: Access Claims in an ASP.NET Page

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

Windows® Identity Foundation (WIF) provides design-time controls and the WS-Federated Authentication Module (WS-FAM) programming model to enable ASP.NET developers to accept tokens from the caller of an ASP.NET page. These tokens contain information about the caller, which WIF exposes to the developer as claims. This topic shows how to access these claims.

To Access the Claims

To access identity-related information in your application, first run FedUtil. For more information, see Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil. Once you have run FedUtil, WS-FAM sets the principal for each authenticated request, and your application can access IClaimsPrincipal and IClaimsIdentity through the standard ASP.NET constructs, as shown in the following code example:

using System;
using System.Threading;
using Microsoft.IdentityModel.Claims;

void Page_Load(object sender, EventArgs e)
{
    // Cast the Thread.CurrentPrincipal (WS-FAM sets it from the validated token)
    IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;

    // Access IClaimsIdentity which contains claims
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;
    
    // Access claims
    foreach(Claim claim in claimsIdentity.Claims)
    {
        // Each Claim exposes ClaimType, Value, and ValueType
    }
}

To Enumerate a User’s Claims

Once you have access to IClaimsIdentity, you can enumerate the claims by iterating through its claims collection. The following code sample shows all claim properties (that is, claim types, claim values, and claim value types) that WIF extracts from the incoming security token. Also, see the Getting Started/Simple Claims Aware Web Application sample in the sample directory.

Note

Do not use the following sample code in production. In production code, you should carefully consider the security implications of displaying the properties of claims to clients. For example, you should consider accepting only the claim types that are expected by relying party applications, sanitizing the claim properties before you use them, and filtering out claims that contain sensitive personal information.

using System;
using System.Threading;
using System.Web;
using Microsoft.IdentityModel.Claims;

void Page_Load(object sender, EventArgs e)
{
    // Cast the Thread.CurrentPrincipal
    IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;

    // Access IClaimsIdentity which contains claims
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;
    
    // Access claims. Claim properties come from the token, not from this
    // application, so HTML-encode them before writing them to the response.
    foreach(Claim claim in claimsIdentity.Claims)
    {
      Response.Write(HttpUtility.HtmlEncode(claim.ClaimType) + "<BR>");
      Response.Write(HttpUtility.HtmlEncode(claim.Value) + "<BR>");
      Response.Write(HttpUtility.HtmlEncode(claim.ValueType) + "<BR>");
    }
}

To Access a Specific Claim

Once you have access to IClaimsIdentity, you can access a specific claim by looking for a given claim-type in the Claims collection. You can do this either by iterating through the claims in the collection or by using LINQ.

The following code sample shows how to do this by iterating through the claims in the collection.

using System;
using System.Web;
using Microsoft.IdentityModel.Claims;

void Page_Load(object sender, EventArgs e)
{
    // Cast the page's User property, which holds the same principal as Thread.CurrentPrincipal
    IClaimsPrincipal icp = User as IClaimsPrincipal;

    // Access IClaimsIdentity which contains claims
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;
    
    // Access claims
    foreach(Claim claim in claimsIdentity.Claims)
    {
      if(claim.ClaimType == "http://GenevaFramework/AgeClaim")
      {
         // Encode the token-supplied value before writing it to the response
         Response.Write("Age Claim: " + HttpUtility.HtmlEncode(claim.Value));
         break;
      }
    }
}

The following code sample shows how to do this by using LINQ.

using System;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;

void Page_Load(object sender, EventArgs e)
{
    // Cast the page's User property, which holds the same principal as Thread.CurrentPrincipal
    IClaimsPrincipal icp = User as IClaimsPrincipal;

    // Access IClaimsIdentity which contains claims
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;
    
    // Access claim. Single() throws InvalidOperationException when the claim
    // is absent or when more than one claim of that type is present.
    string ageClaimValue;

    try
    {
        ageClaimValue = ( from c in claimsIdentity.Claims
                          where c.ClaimType == "http://GenevaFramework/AgeClaim"
                          select c.Value ).Single();
    }
    catch (InvalidOperationException)
    {
        ageClaimValue = "Age claim wasn't found or " +
            "more than one Age claim was provided";
    }

    Response.Write("Age Claim: " + HttpUtility.HtmlEncode(ageClaimValue));
}
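Putting the three procedures above together: the following is an added example, not code from this topic or from WIF itself. It shows the checks the note above asks for (rendering only expected claim types, HTML-encoding token-supplied values before display) together with null-safe access to the principal and explicit handling of a missing or duplicate claim. ClaimsHelper, ExpectedClaimTypes, AgeClaimType, ClaimsPage and the SelfCheck input are names and sample data chosen for this example; the claim URI http://GenevaFramework/AgeClaim is the one used in the samples above, and ClaimTypes.Name and ClaimTypes.Role are WIF constants.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using Microsoft.IdentityModel.Claims;

// Added example, not WIF or this topic's code: ClaimsHelper, ExpectedClaimTypes
// and AgeClaimType are names chosen here.
public static class ClaimsHelper
{
    // The age claim URI is the one this topic uses; Name and Role are WIF
    // ClaimTypes constants. Any other claim type is never rendered.
    public const string AgeClaimType = "http://GenevaFramework/AgeClaim";
    private static readonly HashSet<string> ExpectedClaimTypes =
        new HashSet<string>(StringComparer.Ordinal)
        { ClaimTypes.Name, ClaimTypes.Role, AgeClaimType };

    // Null for an anonymous request or a principal that is not claims-aware
    // (e.g. WS-FAM not configured), instead of a NullReferenceException.
    public static IClaimsIdentity GetClaimsIdentity(IPrincipal principal)
    {
        IClaimsPrincipal icp = principal as IClaimsPrincipal;
        if (icp == null) return null;
        IClaimsIdentity identity = icp.Identity as IClaimsIdentity;
        return (identity != null && identity.IsAuthenticated) ? identity : null;
    }

    // Missing claim -> false; duplicate claim -> exception. Silently taking
    // the first of two conflicting age or role claims is an authorization bug.
    public static bool TryGetSingleClaim(IClaimsIdentity identity,
                                         string claimType, out string value)
    {
        value = null;
        if (identity == null) return false;
        Claim[] matches = identity.Claims.Where(c => c.ClaimType == claimType).ToArray();
        if (matches.Length == 0) return false;
        if (matches.Length > 1)
            throw new InvalidOperationException("Duplicate claim type: " + claimType);
        value = matches[0].Value;
        return true;
    }

    // Lines safe to write to the response: expected claim types only, every
    // token-supplied string HTML-encoded (the token, not this app, chose them).
    public static IEnumerable<string> RenderableClaims(IClaimsIdentity identity)
    {
        if (identity == null) yield break;
        foreach (Claim claim in identity.Claims)
        {
            if (!ExpectedClaimTypes.Contains(claim.ClaimType)) continue;
            yield return HttpUtility.HtmlEncode(claim.ClaimType) + " = "
                + HttpUtility.HtmlEncode(claim.Value)
                + " (" + HttpUtility.HtmlEncode(claim.ValueType) + ")";
        }
    }

    // Offline check with a constructed identity: a script-bearing Name claim,
    // an unexpected claim that must be filtered out, and a duplicate age claim
    // that must be reported rather than picked arbitrarily.
    public static string SelfCheck()
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, "<script>alert(1)</script>"),
            new Claim("http://example.com/ssn", "000-00-0000"),  // constructed, not expected
            new Claim(AgeClaimType, "17"),
            new Claim(AgeClaimType, "21")                          // duplicate
        };
        IClaimsIdentity identity = new ClaimsIdentity(claims, "Federation");
        IPrincipal principal = new ClaimsPrincipal(identity);

        var lines = new List<string>(RenderableClaims(GetClaimsIdentity(principal)));
        string age;
        try { TryGetSingleClaim(identity, AgeClaimType, out age); }
        catch (InvalidOperationException ex) { age = ex.Message; }
        return string.Join("\n", lines.ToArray()) + "\nAge: " + age;
    }
}

// Code-behind: the Page_Load from this topic's samples, using the helper.
public partial class ClaimsPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        IClaimsIdentity identity = ClaimsHelper.GetClaimsIdentity(User);
        if (identity == null) return;   // let the page's authorization rules handle it

        foreach (string line in ClaimsHelper.RenderableClaims(identity))
            Response.Write(line + "<br />");

        string age;
        if (ClaimsHelper.TryGetSingleClaim(identity, ClaimsHelper.AgeClaimType, out age))
            Response.Write("Age Claim: " + HttpUtility.HtmlEncode(age));
    }
}
```

SelfCheck constructs a ClaimsIdentity directly so the helper can be exercised outside a web request; in the page itself WS-FAM populates User from the validated token, so the only difference is where the identity comes from. With the constructed input, the Name claim is rendered with its angle brackets encoded, the ssn claim is dropped because it is not an expected claim type, and the duplicate age claim is reported as an error rather than resolved to either value.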