Windows® Identity Foundation (WIF) provides design-time controls and the WS-Federated Authentication Module (WS-FAM) programming model to enable ASP.NET developers to accept tokens from the caller of an ASP.NET page. These tokens contain information about the caller, which WIF exposes to the developer as claims. This topic shows how to access these claims.

To Access the Claims

In order to access identity-related information, you can run FedUtil. For more information, see Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil. Once you have run FedUtil, your application can access IClaimsPrincipal and IClaimsIdentity using the standard ASP.NET constructs, as shown in the following code example:

// Requires: using System.Threading; using Microsoft.IdentityModel.Claims;
void Page_Load(object sender, EventArgs e)
{
    // Cast Thread.CurrentPrincipal; the cast yields null when WS-FAM has not populated the principal
    IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;

    // Access IClaimsIdentity, which contains the claims
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

    // Access claims
    foreach (Claim claim in claimsIdentity.Claims)
    {
        // Process each claim here
    }
}

To Enumerate a User’s Claims

Once you have access to IClaimsIdentity, you can enumerate the claims by iterating through its claims collection. The following code sample shows all claim properties (that is, claim types, claim values, and claim value types) that WIF extracts from the incoming security token. Also, see the Getting Started/Simple Claims Aware Web Application sample in the sample directory.

Note:
Do not use the following sample code in production. In production code, you should carefully consider the security implications of displaying the properties of claims to clients. For example, you should consider accepting only the claim types that are expected by relying party applications, sanitizing the claim properties before you use them, and filtering out claims that contain sensitive personal information.
// Requires: using System.Threading; using System.Web; using Microsoft.IdentityModel.Claims;
void Page_Load(object sender, EventArgs e)
{
    // Cast Thread.CurrentPrincipal
    IClaimsPrincipal icp = Thread.CurrentPrincipal as IClaimsPrincipal;

    // Access IClaimsIdentity, which contains the claims
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

    // Write each claim's type, value, and value type.
    // Values come from the token, so HTML-encode them before writing them to the page.
    foreach (Claim claim in claimsIdentity.Claims)
    {
        Response.Write(HttpUtility.HtmlEncode(claim.ClaimType) + "<BR>");
        Response.Write(HttpUtility.HtmlEncode(claim.Value) + "<BR>");
        Response.Write(HttpUtility.HtmlEncode(claim.ValueType) + "<BR>");
    }
}

To Access a Specific Claim

Once you have access to IClaimsIdentity, you can access a specific claim by looking for a given claim type in the Claims collection. You can do this either by iterating through the claims in the collection or by using LINQ.

The following code sample shows how to do this by iterating through the claims in the collection.

// Requires: using Microsoft.IdentityModel.Claims;
void Page_Load(object sender, EventArgs e)
{
    // Cast the page's User principal (equivalent to Thread.CurrentPrincipal in ASP.NET)
    IClaimsPrincipal icp = User as IClaimsPrincipal;

    // Access IClaimsIdentity, which contains the claims
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

    // Look for the first claim of the expected type
    foreach (Claim claim in claimsIdentity.Claims)
    {
        if (claim.ClaimType == "http://GenevaFramework/AgeClaim")
        {
            Response.Write("Age Claim: " + Server.HtmlEncode(claim.Value));
            break;
        }
    }
}

The following code sample shows how to do this by using LINQ.

// Requires: using System; using System.Linq; using Microsoft.IdentityModel.Claims;
void Page_Load(object sender, EventArgs e)
{
    // Cast the page's User principal (equivalent to Thread.CurrentPrincipal in ASP.NET)
    IClaimsPrincipal icp = User as IClaimsPrincipal;

    // Access IClaimsIdentity, which contains the claims
    IClaimsIdentity claimsIdentity = (IClaimsIdentity)icp.Identity;

    // Access the claim. Single() throws InvalidOperationException when the
    // claim is absent or appears more than once.
    string ageClaimValue;

    try
    {
        ageClaimValue = (from c in claimsIdentity.Claims
                         where c.ClaimType == "http://GenevaFramework/AgeClaim"
                         select c.Value).Single();
    }
    catch (InvalidOperationException)
    {
        ageClaimValue = "Age claim wasn't found or " +
            "more than one Age claim was provided";
    }

    Response.Write("Age Claim: " + Server.HtmlEncode(ageClaimValue));
}
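The two lookups above collapse "missing" and "duplicated" into one outcome and trust the value as-is. The following is an added example, not code from the WIF documentation, of a typed lookup for the same "http://GenevaFramework/AgeClaim" type that reports each failure separately, checks the claim's Issuer, and validates the value before use. It assumes WIF 3.5 (Microsoft.IdentityModel.Claims); the ExpectedIssuer value is a placeholder for the name your configured IssuerNameRegistry returns for the trusted STS.

```csharp
// Added example (not from the WIF documentation). Assumes WIF 3.5 and the page's claim type.
using System;
using System.Linq;
using System.Web.UI;
using Microsoft.IdentityModel.Claims;

public partial class AgeCheckPage : Page
{
    private const string AgeClaimType = "http://GenevaFramework/AgeClaim";
    // Placeholder: the issuer name your IssuerNameRegistry assigns to the trusted STS.
    private const string ExpectedIssuer = "TrustedStsName";

    // Returns the single claim of the given type, or throws with a distinct reason
    // for each failure (no identity, absent, duplicated, wrong issuer).
    internal static Claim RequireClaim(IClaimsIdentity identity, string claimType, string expectedIssuer)
    {
        if (identity == null)
            throw new InvalidOperationException("Caller is not a claims identity; is WS-FAM configured?");

        var matches = identity.Claims.Where(c => c.ClaimType == claimType).ToList();
        if (matches.Count == 0)
            throw new InvalidOperationException("Claim not present: " + claimType);
        if (matches.Count > 1)
            throw new InvalidOperationException("Claim supplied more than once: " + claimType);

        Claim claim = matches[0];
        // Issuer identifies the STS whose token carried the claim; a matching type alone is not enough.
        if (!string.Equals(claim.Issuer, expectedIssuer, StringComparison.Ordinal))
            throw new InvalidOperationException("Unexpected issuer for " + claimType + ": " + claim.Issuer);
        return claim;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        IClaimsPrincipal icp = User as IClaimsPrincipal;
        IClaimsIdentity identity = icp == null ? null : icp.Identity as IClaimsIdentity;
        try
        {
            Claim age = RequireClaim(identity, AgeClaimType, ExpectedIssuer);
            int ageValue;
            // Validate the value as data before relying on it; a claim value is still untrusted input.
            if (!int.TryParse(age.Value, out ageValue) || ageValue < 0 || ageValue > 150)
                throw new InvalidOperationException("Age claim value is not a plausible integer.");
            Response.Write("Age Claim: " + Server.HtmlEncode(ageValue.ToString()));
        }
        catch (InvalidOperationException ex)
        {
            // Keep the detail server-side; the caller only sees a generic message.
            System.Diagnostics.Trace.TraceWarning(ex.Message);
            Response.Write("Age claim could not be used.");
        }
    }
}
```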