Share via


Identity Delegation and Security Context Flow Through Physical Tiers

This post lists solution approaches for flowing identity and security context through physical tiers in distributed applications.
Use this as your decision map when deciding how to implement identity flow through physical tiers when implementing on-premise, cloud, and hybrid solutions.

Enabling technologies

Impersonation

In this scenario:

  • Identities are managed by Active Directory.
  • Original caller is authenticated by Active Directory
  • Resources of the server needed to be accessed by the original identity – one hop.

image source

impersonation

Solution:

Windows delegation

In this scenario:

  • Identities are managed by Active Directory.
  • Original caller is authenticated by Active Directory
  • Resources of the downstream server needed to be accessed by the original identity – multiple hops.

image source

delegation

Solution:

Protocol transition

In this scenario:

  • Identities are managed by Active Directory
  • Original identity authentication by proprietary authentication mechanism.
  • Resources of the downstream server needed to be accessed by the original identity – multiple hops.

image source.

image

Solution:

Claims and ActAs

In this scenario:

  • Identity is managed by Identity Provider.
  • Original caller is authentication by Security Token Service (STS)
  • ActAs is for delegation. Final recipient has details about immediate client and the original requestor.

image source

identity delegation

Solution:

Claims and OnBehalfOf

In this scenario:

  • Identity is managed by Identity Provider.
  • Original caller is authentication by Security Token Service (STS)
  • OnBehalfOf is for impersonation. Final recipient has no clue about the original requestor.

Claims and OAuth 2.0

In this scenario:

  • Identity is managed by Identity Provider.
  • Original caller is authentication by Security Token Service (STS)
  • Token is issued by OAuth 2.0 Authorization Server
  • Identity flow requires consent of the end user
  • Protected resource is RESTful web service

OAuth 2.0 delegation

Solution: