security - Unique identifying a user after federated Authentication -


i have started experimenting wif new application i'm writing. far have managed localsts working , setup web.config enable federated authentication against localsts. plan use localsts , worry implementing custom sts later.

i use federated authentication authenticate user, , once authenticated, authorize them perform various actions internally. so, sts authenticate, , application authorize internally.

to this, need store authorized actions each user (possibly hundreds of unique actions) in app database, , read , cash them once user starts new session.

what wondering is, how map user authenticated using federated authentication unique user id exists in db, while still keeping application agnostic sts use (be adfs, open auth etc.)?

nameidentifier token seems candidate, read saml 2 replaces different token.

am approaching wrong way? missing something?

any appreciated.

name candidate email, upn or "unique number" good. point - there no ultimate candidate.

i think if concern remain agnostic, should rather consider defining sts rp "the address of sts endpoint , set of claims used match users".

this way sts1 defined "https://sts1.blah" , "username claim" sts2 "https://sts2.blah" , "email".

after few years of experience see such approach possibility because different stses offer different claims , there no "one claim guaranteed occur always".

having said that, of times assume sts return @ least username or email , rp can trust this. simplifies matching of users @ rp side.


Comments

Popular posts from this blog

java - Jmockit String final length method mocking Issue -

What is the difference between data design and data model(ERD) -

ios - Can NSManagedObject conform to NSCoding -