High Assurance Claims-Based Authentication of Consumers
An excellent description of claims-based identity, and its implementation using Microsoft platforms, can be found here.
In a nutshell, claims-based identity works as follows to deliver identity claims to a relying party:
- The subject visits the website of a Service Provider to request an identity-dependent service. Since the Service Provider will rely on an identity claim issued by an Identity Provider, the Service Provider is also known as a Relying Party.
- The Relying Party sends a message to the subject's selector or client (on the subject's computer) that contains criteria (called a "policy") for the types of claims it will accept about the subject, including information that allows the selector/client to determine which Identity Providers are trusted by the Relying Party.
- The selector/client determines whether there are any Identity Providers trusted by the Relying Party that can satisfy the Relying Party's policy for identity claims. If so, the corresponding Identity Providers are highlighted in the subject's browser. The subject selects a highlighted Identity Provider.
- The selector/client triggers a request message to be sent to the corresponding Identity Provider to generate a token containing the identity claim.
- The subject must authenticate to the Identity Provider, using an appropriate authentication technology, to provide high assurance that the claims carried by the token actually pertain to the subject.
- The Identity Provider's Security Token Service (STS) generates a token carrying the claims, which is passed through the subject's computer and back to the Relying Party.
- The Relying Party provides the requested service.

Electronic tokens issued by Identity Providers are digitally signed, so that the Relying Party can verify which entity issued the token.