What is issuer/issuer claim in security manner?

Question

I'm new to security manner and .NET security manner. I see a lot about the claims, and issuer, etc but I feel confused about the definition.

In easy English, what is claim? And what is an issuer/original issuer in claim?

Answer 1

Sometimes it helps to look up the words in a dictionary. A technical term is selected because it in some way is linked to the original meaning of the word. This is obvious to a native English speakers but not always so obvious to non-native English speakers like myself.

Claim is a demand for or an assertion of a right. You can claim payment for a service or claim a property by inheritance.

Within security, claim is a statement about who you are, what you have the right to or what you are capable of (or the statement could be about a user or another subject).

The verb to issue is to publish or give something out. An issuer is an institution that issues something.

Technically an issuer is a service that you authenticate with and in return it will issue security tokens. These tokens contain claims.

To give an example: If I log into a Windows Active Directory the issuer is the active directory. When I have been authenticated with the active directory a security token is issued and within this token there are claims about my user name and what security groups I belong to.

Sometimes an issuer will issue new claims based on existing claims. E.g., if you log in to a web site using your Google account then the web site can issue claims about your identity. Some of these claims could originate from Google (like your e-mail address) and then the original issuer would be Google and not the web site (which is the issuer of the claim).

There are in depth information about this subject in A Guide to Claims-Based Identity and Access Control (2nd Edition) on MSDN.