Claims-based identity seeks to control the digital experience and allocate digital resources based on claims made by one party about another. A party can be a person, organization, government, website, web service, or even a device. The very simplest example of a claim is something that a party says about itself.
As the authors of this book point out, there is nothing new about the use of claims. As far back as the early days of mainframe computing, the operating system asked users for passwords and then passed each new application a “claim” about who was using it. But this world was based to some extent on wishful thinking because applications didn’t question what they were told.
As systems became interconnected and more complicated, we needed ways to identify parties across multiple computers. One way to do this was for the parties that used applications on one computer to authenticate to the applications (and/or operating systems) that ran on the other computers. This mechanism is still widely used—for example, when logging on to a great number of Web sites.
However, this approach becomes unmanageable when you have many co-operating systems (as is the case, for example, in the enterprise). Therefore, specialized services were invented that would register and authenticate users, and subsequently provide claims about them to interested applications. Some well-known examples are NTLM, Kerberos, Public Key Infrastructure (PKI), and the Security Assertion Markup Language (SAML).
If systems that use claims have been around for so long, how can claims-based computing be new or important? The answer is a variant of the old adage, “All tables have legs, but not all legs have tables.” The claims-based model embraces and subsumes the capabilities of all the systems that have existed to date, but it also allows many new things to be accomplished. This book gives a great sense of the resultant opportunities.