In a claims based architecture a service provider (relying party) can delegate complex identity management and user authentication tasks to a trusted identity provider. The identity provider issues security tokens to the relying party. A security token is a collection of claims. A claim is an assertion about an attribute of an entity. A securable entity is a user, application or service identity that makes service requests; each entity possesses one or more attributes.
Authentication is the proof that an entity is what it claims to be. Authorisation grants an authorised entity access to service provider functions based on the claims presented for that entity. Trust relationships link one or more service providers with one or more identity providers. Establishing multiple trusts can facilitate Single Sign On (SSO): a central identity provider is used to gain access to the functions of multiple service providers.
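The token flow described above, as an added illustration that is not part of the original page and not Azure AD or ADAL code: a constructed JWT-style token (header.payload.signature, HMAC-SHA256) is issued by an identity provider, and the relying party verifies the signature against the key of a trusted issuer, pins the algorithm, checks the audience and validity window, and only then makes an authorisation decision from the claims. The issuer and audience names and the shared secret are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Added illustration (not Azure AD code): a minimal JWT-style security token,
# "header.payload.signature" with HMAC-SHA256, issued by an identity provider
# and validated by a relying party before any authorisation decision is made.
# Issuer names, audience and the shared secret below are constructed values.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenError(Exception):
    """Validation failed: the relying party must treat the request as unauthenticated."""


def issue_token(issuer: str, issuer_key: bytes, subject: str, audience: str,
                claims: dict, now: int, ttl_seconds: int = 3600) -> str:
    """Identity provider side: sign a collection of claims about `subject` for `audience`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "nbf": now, "exp": now + ttl_seconds, **claims}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(issuer_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def validate_token(token: str, trusted_issuers: dict, expected_audience: str, now: int) -> dict:
    """Relying party side: check signature, issuer trust, audience and validity window.

    Returns the verified claims; raises TokenError on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: the token itself must never select 'none' or another scheme.
        raise TokenError("unsupported algorithm")
    payload = json.loads(_b64url_decode(payload_b64))
    key = trusted_issuers.get(payload.get("iss"))   # trust relationship lookup
    if key is None:
        raise TokenError("issuer is not a trusted identity provider")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature does not verify")
    if payload.get("aud") != expected_audience:
        raise TokenError("token was issued for a different relying party")
    if not payload.get("nbf", 0) <= now < payload.get("exp", 0):
        raise TokenError("token not yet valid or expired")
    return payload


def rejected(token: str, trusted_issuers: dict, expected_audience: str, now: int) -> bool:
    """True if the relying party would refuse this token."""
    try:
        validate_token(token, trusted_issuers, expected_audience, now)
    except TokenError:
        return True
    return False


def authorise(claims: dict, required_role: str) -> bool:
    """Authorisation is decided purely from claims that have already been verified."""
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    NOW = 1_700_000_000                           # fixed clock for a reproducible run
    idp_key = b"constructed-demo-secret"          # in practice held only by the IdP
    trusted = {"https://idp.example": idp_key}    # the relying party's trust relationship
    token = issue_token("https://idp.example", idp_key, "alice", "https://app.example",
                        {"roles": ["reader"]}, NOW)
    claims = validate_token(token, trusted, "https://app.example", NOW)
    print("reader:", authorise(claims, "reader"), "admin:", authorise(claims, "admin"))
    print("expired:", rejected(token, trusted, "https://app.example", NOW + 7200))
    print("wrong audience:", rejected(token, trusted, "https://other.example", NOW))
    print("untrusted issuer:", rejected(token, {"https://rogue.example": idp_key},
                                        "https://app.example", NOW))
```

The order of checks matters: the issuer is read from the unverified payload only to select which trusted key to try, and nothing else in the payload is acted on until the signature verifies. Audience and expiry checks stop a token minted for one relying party from being replayed against another or reused indefinitely, and the role check runs on the verified claims rather than on anything the caller supplied directly.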
Azure Active Directory is an example of an identity provider with the following features:
- Uses standard protocols including SAML 2.0, WS-Federation and OpenID Connect (in place of protocols used in an on-premises AD such as Kerberos and LDAP)
- Multi-factor authentication
- SaaS application management, e.g. Office 365, Intune
- Application proxy for remote access to on-premises services
- RESTful Graph API to directly interact with Azure AD objects, perform operations and carry out RBAC checks
- Client libraries such as Azure AD Graph Client Library and ADAL for application development
- Free, Basic and Premium tiers with an SLA of 99.9%