
Can NameIdentifier and IdentityProvider (WIF) claims be used to uniquely identify any user?

Thinking of using Access Control Service (ACS) and Windows Identity Foundation (WIF) to secure my WCF Data Services Web API application.

How can I use claims to uniquely identify a user?

My idea is to use the combination of the standard claim NameIdentifier and the WIF claim IdentityProvider combined to create a unique ID for any user.

Is this combo truly stable and unique? Could an IP suddenly change its IdentityProvider string?

The idea here is to store the concatenated string of the two halves as a unique ID for any user.

Does the NameIdentifier claim have any security implications?

Cheers,

M.

noopman asked Apr 19 '11 07:04


2 Answers

This seems reasonable. Note that nameidentifier is IdP specific, meaning it is supplied by the identity provider you authenticated with (e.g. LiveID, Google, etc). ACS is simply copying this value into a claim. Check with each one of those providers to see what guarantees they make. My assumption is that they should not change for a "returning user" -> someone who possesses the same username/password.

People often use e-mail addresses as well. When available, you might want to correlate it too as an extra measure.

Eugenio Pace answered Nov 11 '22 07:11
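One way to turn the (IdentityProvider, NameIdentifier) tuple discussed above into a storable key, as an added example that is not part of the question or the answers. It assumes .NET 4.5+ `System.Security.Claims`; the `UserKey` class and the constructed principals are illustrative only, and the point it adds is that the two halves must be encoded before being joined, since plain concatenation lets one tuple alias another.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// Added example: composite user key from the ACS identityprovider claim and the
// standard nameidentifier claim. Class and helper names are hypothetical.
public static class UserKey
{
    // Claim type that ACS emits for the identity provider name.
    public const string IdentityProviderClaimType =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Returns an unambiguous composite key, or throws when either half is missing.
    // Each half is percent-encoded so a '|' inside a value cannot alias another tuple.
    public static string Build(ClaimsPrincipal principal)
    {
        Claim idp = principal.FindFirst(IdentityProviderClaimType);
        Claim nameId = principal.FindFirst(ClaimTypes.NameIdentifier);
        if (idp == null || string.IsNullOrEmpty(idp.Value))
            throw new InvalidOperationException("identityprovider claim missing");
        if (nameId == null || string.IsNullOrEmpty(nameId.Value))
            throw new InvalidOperationException("nameidentifier claim missing");
        return Uri.EscapeDataString(idp.Value) + "|" + Uri.EscapeDataString(nameId.Value);
    }

    // Fixed-length form of the same key, suitable for a database index column.
    public static string Hashed(ClaimsPrincipal principal)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(Build(principal)));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Constructed principals for the demonstration; not real ACS tokens.
    static ClaimsPrincipal Make(string idp, string nameId)
    {
        return new ClaimsPrincipal(new ClaimsIdentity(new[] {
            new Claim(IdentityProviderClaimType, idp),
            new Claim(ClaimTypes.NameIdentifier, nameId) }));
    }

    public static void Main()
    {
        // Naive idp + nameId concatenation gives "Google|user1" for both of these;
        // the encoded keys differ, so the two users stay distinct in storage.
        ClaimsPrincipal a = Make("Google", "|user1");
        ClaimsPrincipal b = Make("Google|", "user1");
        Console.WriteLine(Build(a) + "  vs  " + Build(b) + "  equal: " + (Build(a) == Build(b)));
        Console.WriteLine(Hashed(a));
    }
}
```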


Justin Smith mentioned this in his MIX11 talk (see slide 22, 28 minutes into the talk) - it was my understanding that ACS gives you the nameidentifier and the IdP name. You take the tuple together and it should be good for unique id.

Rob answered Nov 11 '22 08:11