PowerShell: Working with System.Security.Claims.ClaimsIdentity to manage user identity

April 12, 2019

System.Security.Claims.ClaimsIdentity is the .NET class for managing a claims-based user identity. Each claim is a typed statement about the user (e-mail address, country, role, and so on) made by an issuer, and your application can read those claims to make finer-grained decisions than a plain user name or Windows group allows.

MSDN Link to class documentation:
https://docs.microsoft.com/en-us/dotnet/api/system.security.claims.claimsidentity?view=netframework-4.7.2

For example…
1. switch the UI to a different view if the logged-in user's role is the company CEO.
2. switch the site theme based on the user's favorite color.
3. switch the site locale based on the user's country, or show a customized greeting.
4. restrict access to the site based on the user's age.
5. etc…

Here is a short PowerShell script that builds a set of claims, assigns them to the current thread's principal, and then verifies the user's role and country claims.

# Load the assembly that provides MessageBox
Add-Type -AssemblyName System.Windows.Forms

# Typed list that will hold the user's claims
$claims = New-Object System.Collections.Generic.List[System.Security.Claims.Claim]

# Add claims to the list. A claim built from only a type and a value gets the
# default issuer "LOCAL AUTHORITY", which is what the output below shows.
$claims.Add((New-Object System.Security.Claims.Claim([System.Security.Claims.ClaimTypes]::Email, "nibu.bt@gmail.com")))
$claims.Add((New-Object System.Security.Claims.Claim("WebSite", "http://ntcoder.com")))
$claims.Add((New-Object System.Security.Claims.Claim("Primary Skill", "C++")))
$claims.Add((New-Object System.Security.Claims.Claim([System.Security.Claims.ClaimTypes]::Country, "India")))
$claims.Add((New-Object System.Security.Claims.Claim([System.Security.Claims.ClaimTypes]::Role, "CEO")))

# Instantiate the claims identity. Supplying an authentication type is what makes
# IsAuthenticated return True.
$cid = New-Object System.Security.Claims.ClaimsIdentity($claims, [System.Security.Claims.AuthenticationTypes]::Password)

# Wrap the identity in a principal and assign it to the current thread
[System.Threading.Thread]::CurrentPrincipal = New-Object System.Security.Claims.ClaimsPrincipal($cid)

Write-Host "Current Thread Principal: " -NoNewline
[System.Threading.Thread]::CurrentPrincipal | Select-Object -ExpandProperty Claims | Select-Object Issuer, Type, Value | Format-Table -AutoSize

# Write authentication status
Write-Host "Authenticated: $($cid.IsAuthenticated)"

$tp = [System.Threading.Thread]::CurrentPrincipal

# Check whether the user is CEO (the role claim added above); if so, display a message box
if($tp.IsInRole("CEO"))
{
    $null = [System.Windows.Forms.MessageBox]::Show("Welcome CEO, opening CEO view...", "User", [System.Windows.Forms.MessageBoxButtons]::OK,[System.Windows.Forms.MessageBoxIcon]::Information)
}

# Check the user's country claim; if it is India, display an Indian greeting
if($tp.HasClaim([System.Security.Claims.ClaimTypes]::Country, "India"))
{
    $null = [System.Windows.Forms.MessageBox]::Show("Namaskar!", "Greetings!", [System.Windows.Forms.MessageBoxButtons]::OK,[System.Windows.Forms.MessageBoxIcon]::Information)
}

Script output follows...

PS C:\> c:\NibuRoot\Powershell\powershellsnips\Claims.ps1
Current Thread Principal:
Issuer Type Value
------ ---- -----
LOCAL AUTHORITY http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress email@gmail.com
LOCAL AUTHORITY WebSite http://ntcoder.com
LOCAL AUTHORITY Primary Skill C++
LOCAL AUTHORITY http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country India
LOCAL AUTHORITY http://schemas.microsoft.com/ws/2008/06/identity/claims/role CEO

Authenticated: True
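Two checks the script above does not make, as an added example that is not part of the original post: IsInRole() matches a role claim by type and value only and ignores its Issuer, so a check that should trust roles from one identity provider has to filter on Issuer itself; and a ClaimsIdentity built without an authentication type reports IsAuthenticated = False even though it carries claims. The issuer URL and claim values are constructed, and the helper function names (New-Principal, Test-TrustedRole) are mine.

```powershell
# Added example, not part of the original post. Issuer URL and claim values are constructed.
$roleType      = [System.Security.Claims.ClaimTypes]::Role
$nameType      = [System.Security.Claims.ClaimTypes]::Name
$stringType    = [System.Security.Claims.ClaimValueTypes]::String
$trustedIssuer = "https://idp.example.test"     # constructed issuer name

function New-Principal {
    param([System.Security.Claims.Claim[]]$Claims, [string]$AuthType = "")
    $list = New-Object System.Collections.Generic.List[System.Security.Claims.Claim]
    foreach ($c in $Claims) { $list.Add($c) }
    # The fourth constructor argument names the claim type that IsInRole() consults.
    # An empty or null $AuthType leaves the identity with IsAuthenticated = False.
    $identity = New-Object System.Security.Claims.ClaimsIdentity -ArgumentList $list, $AuthType, $nameType, $roleType
    return New-Object System.Security.Claims.ClaimsPrincipal -ArgumentList $identity
}

function Test-TrustedRole {
    param([System.Security.Claims.ClaimsPrincipal]$Principal, [string]$Role, [string]$Issuer)
    # IsInRole() compares only claim type and value and never looks at Issuer. A role
    # claim that did not come from the identity provider you trust should not grant
    # access, so filter on Issuer explicitly.
    $hit = $Principal.Claims | Where-Object {
        $_.Type -eq $roleType -and $_.Value -eq $Role -and $_.Issuer -eq $Issuer
    }
    return ($null -ne $hit)
}

# Same role value, two different issuers. The two-argument Claim constructor assigns
# the default issuer "LOCAL AUTHORITY" seen in the table above.
$ceoTrusted   = New-Object System.Security.Claims.Claim -ArgumentList $roleType, "CEO", $stringType, $trustedIssuer
$ceoUntrusted = New-Object System.Security.Claims.Claim -ArgumentList $roleType, "CEO"

$passwordAuth = [System.Security.Claims.AuthenticationTypes]::Password
$untrustedCeo = New-Principal -Claims @($ceoUntrusted) -AuthType $passwordAuth
$trustedCeo   = New-Principal -Claims @($ceoTrusted)   -AuthType $passwordAuth
$noAuthType   = New-Principal -Claims @($ceoTrusted)

"IsInRole('CEO'), role from default issuer      : $($untrustedCeo.IsInRole('CEO'))"
"Trusted-issuer check, role from default issuer : $(Test-TrustedRole $untrustedCeo 'CEO' $trustedIssuer)"
"Trusted-issuer check, role from trusted issuer : $(Test-TrustedRole $trustedCeo 'CEO' $trustedIssuer)"
"IsAuthenticated, identity with no auth type    : $($noAuthType.Identity.IsAuthenticated)"
```

The first and second lines of output differ for the same principal, which is the point: only the issuer-aware check distinguishes a role asserted by your identity provider from one added with the default issuer.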