Policy Based Authorization in Windows Identity Foundation (WIF) – Part I

I wrote before about Claims based authentication here and a sample IP-STS to perform authentication, but authentication alone is not enough for any application. It also requires authorization, which protects your resources and actions. Traditionally, this has been achieved via RBAC (role based access control) using IPrincipal's IsInRole method. It verifies whether the currently logged-in user belongs to a certain group and allows access to the resource based on that role. For example, an administrator will have the 'Administrator' role assigned to him and, once validated, will have access to the Admin section of the site. This works in WIF as well, but with more granular properties being added to the user in the form of claims, it is really impossible to categorize these properties into roles and add users to those roles. Also, with RBAC a large amount of decision logic gets embedded in the code.

Policy Based Authorization is a good choice for making decisions based on the available user claims. The ClaimsAuthorizationManager provided by WIF is a very open-ended, flexible extension point for integrating an authorization mechanism, including policy based authorization.


WIF has an HttpModule, ClaimsAuthorizationModule, which handles HttpApplication's AuthorizeRequest event to validate the incoming request.

public class ClaimsAuthorizationModule : IHttpModule
{
    // Other members omitted.

    public void Init(HttpApplication context)
    {
        if (context == null)
            throw DiagnosticUtil.ExceptionUtil.ThrowHelperArgumentNull("context");
        // The authorization manager comes from the WIF service configuration.
        this._authorizationManager = FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager;
        context.AuthorizeRequest += new EventHandler(this.OnAuthorizeRequest);
    }
}

Internally, the AuthorizeRequest handler calls the Authorize method, which in turn invokes ClaimsAuthorizationManager's CheckAccess with the current ClaimsPrincipal, the requested Uri and the HTTP request method.

protected virtual void OnAuthorizeRequest(object sender, EventArgs args)
{
    if (!this.Authorize())
    {
        // Access denied; the handling code is not shown in this excerpt.
    }
}

protected virtual bool Authorize()
{
    bool flag = true;
    HttpRequest request = HttpContext.Current.Request;
    IClaimsPrincipal currentPrincipal = Thread.CurrentPrincipal as IClaimsPrincipal;
    // removed few lines from original code to keep it simple
    if (this.ClaimsAuthorizationManager != null)
        flag = this.ClaimsAuthorizationManager.CheckAccess(new AuthorizationContext(currentPrincipal, request.Url.AbsoluteUri, request.HttpMethod));
    return flag;
}

Like IPrincipal, ClaimsAuthorizationManager has a single method, CheckAccess, but it is more granular because it considers the requested resource and the action type. CheckAccess verifies whether the user is authorized to access the requested resource. The default implementation returns true, so until CheckAccess is overridden this check allows every request.

I explained it through a sample earlier for RBAC here. It assumes that the user is assigned a claim of ClaimType Role with the value Sales.

The WIF documentation does come with a sample policy based implementation, and it pretty much covers the simple Uri based scenario, where it verifies whether the user is authorized to see certain Uris based on the claims assigned to him.
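A minimal sketch of such a Uri based policy, as an added example that is neither the WIF SDK sample nor code from this post. The class name, the Rule type, the paths and the role values are hypothetical; it assumes the Microsoft.IdentityModel (WIF 3.5) assembly and, unlike the base class, denies any request that no rule matches.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Hypothetical example class: deny-by-default Uri policy on top of CheckAccess.
public class UriPolicyAuthorizationManager : ClaimsAuthorizationManager
{
    // One rule: path prefix + HTTP method -> claim the caller must hold.
    private sealed class Rule
    {
        public string PathPrefix, Method, ClaimType, ClaimValue;
    }

    // Constructed sample policy; paths and claim values are assumptions.
    private static readonly Rule[] Policy =
    {
        new Rule { PathPrefix = "/sales/", Method = "GET",  ClaimType = ClaimTypes.Role, ClaimValue = "Sales" },
        new Rule { PathPrefix = "/sales/", Method = "POST", ClaimType = ClaimTypes.Role, ClaimValue = "SalesManager" },
        new Rule { PathPrefix = "/admin/", Method = "*",    ClaimType = ClaimTypes.Role, ClaimValue = "Administrator" },
    };

    public override bool CheckAccess(AuthorizationContext context)
    {
        // The module passes request.Url.AbsoluteUri and request.HttpMethod;
        // WIF exposes each of them as a collection holding a single claim.
        string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        string action = context.Action.Select(c => c.Value).FirstOrDefault();
        Uri uri;
        if (action == null || !Uri.TryCreate(resource, UriKind.Absolute, out uri))
            return false;

        // Match on the path only; host and query string play no part in the decision.
        string path = uri.AbsolutePath;
        List<Rule> rules = Policy.Where(r =>
            path.StartsWith(r.PathPrefix, StringComparison.OrdinalIgnoreCase) &&
            (r.Method == "*" || r.Method.Equals(action, StringComparison.OrdinalIgnoreCase))).ToList();

        // No matching rule means deny, so a path that slips past the prefixes fails closed.
        if (rules.Count == 0 || context.Principal == null)
            return false;

        // Only claims from authenticated identities count toward the decision.
        var claims = context.Principal.Identities
            .Where(i => i.IsAuthenticated).SelectMany(i => i.Claims).ToList();
        return rules.Any(r => claims.Any(c =>
            c.ClaimType == r.ClaimType && c.Value == r.ClaimValue));
    }
}
```

WIF picks up a custom manager through the claimsAuthorizationManager element of its service configuration, which is where FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager in the module code above gets its value.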

Another sample implementation can be found here.

I guess this is more than enough from the introduction point of view. In the next part I will cover policy based authorization with XACML and a sample implementation based on XACML.NET.


About cprakash

A developer, passionate about .Net, Architecture and Security.