Claims-based identity

Claims-based identity is a common method used by applications to obtain identity information about a user whom another application has authenticated. Under this model, Specops uReset authorizes a password reset based on claims, which are packaged into security tokens issued by identity providers.

Components

Identity Provider (IdP): An identity provider is a type of claims provider that provides single sign-on functionality between an organization and other claims providers and relying parties.

Claim: A statement that one subject makes about itself or another subject. For example, the statement can be about a name, identity, key, group, privilege, or capability. Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by a security token service (STS). They are also defined by a claim value type and, possibly, associated metadata.

Security Token: An on-the-wire representation of claims that is cryptographically signed by the issuer of the claims, providing strong proof to any relying party as to the integrity of the claims and the identity of the issuer.

Security Token Service (STS): The role of the STS is to issue security tokens that contain claims about the authenticated user.

Relying Party: If the token comes from a trusted STS, the relying party authorizes the user by verifying that the claims in the token fulfill a policy to execute the action requested by the user.

Federation trust: An important component of claims-based identity is the concept of federation trust. A federation trust is an agreement between two parties. It allows one party to leverage the existing infrastructure of the other to authenticate with a username, password, or smart card.

The Specops uReset implementation

The underlying technology platform is based on the Windows Federation Trust claims-based identity model. As a claims-based service, Specops uReset relies on Security Token Services (STSs) to verify user identity. An STS is a software-based identity provider that issues security tokens containing one or more claims – pieces of identity information – as part of the claims-based identity process.

When a user initiates a password reset or account unlock with any of the identity services supported by Specops uReset, for example Salesforce, the Salesforce STS generates a token containing one or more claims about the user. The uReset Security Token Service collects the token and passes it to the uReset Server. The uReset Server verifies the token signature and confirms the user's identity by communicating with the uReset Gatekeeper. The Gatekeeper looks up the unique identifier stored in the user's sub-object in Active Directory to validate the user. If the token signature is valid, the user is authenticated against Active Directory. If the user fulfills their uReset Policy, they are authorized to perform a password reset or account unlock.
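The flow above, as an added Python example that is not part of the Specops uReset product code: an STS packages claims into a signed token, and the relying party checks issuer trust, signature and expiry before it resolves the user in the directory and evaluates the policy. The issuer names, the shared HMAC secrets standing in for STS signing keys, the directory entries and the policy are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store: one key per trusted STS. Shared HMAC secrets are an
# assumption for a self-contained demo; real STSs sign with asymmetric keys.
TRUSTED_ISSUERS = {"https://sts.example-idp.test": b"constructed-demo-secret"}
# Constructed stand-in for the Gatekeeper lookup: unique identifier stored on
# the user's sub-object in the directory -> account name.
DIRECTORY = {"idp-uid-1001": "jdoe"}
# Constructed policy: claims a user must present to be allowed the action.
POLICY = {"action": "password_reset", "required_claims": {"amr": "mfa"}}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer, key, claims, ttl=300):
    """STS side: package claims (plus issuer and expiry) into a signed token."""
    body = dict(claims, iss=issuer, exp=int(time.time()) + ttl)
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)

def verify_token(token, now=None):
    """Relying party side: verify the signature under a trusted issuer's key, then expiry."""
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))  # key chosen by still-unverified iss
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims  # only now may the claims be trusted

def authorize_reset(token, now=None):
    """Verify token, resolve user via directory, evaluate policy -> (account, reason)."""
    try:
        claims = verify_token(token, now)
    except ValueError as err:
        return None, str(err)
    account = DIRECTORY.get(claims.get("uid"))
    if account is None:
        return None, "no directory object for uid claim"
    unmet = [n for n, v in POLICY["required_claims"].items() if claims.get(n) != v]
    if unmet:
        return None, "policy not fulfilled: " + ", ".join(unmet)
    return account, "authorized: " + POLICY["action"]
```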