Now Microsoft is beginning to make sense …


For some years now, I’ve heard Kim Cameron and others at Microsoft talk about "how claims will change everything" in so many different presentations, and to be frank, I didn’t get it. Neither the claims part, nor the change part, nor the everything part.

So this week, I came across the Microsoft Identity Software and Services Roadmap document, which features the following snippet of code to determine the role of a user with the .NET Geneva framework:

using System.Linq;                       // the query syntax below needs LINQ
using System.Threading;                  // Thread.CurrentPrincipal
using Microsoft.IdentityModel.Claims;    // Geneva framework: IClaimsIdentity, Claim

// The framework has already validated whatever token or credential arrived
// and turned it into a claims-based identity on the current thread.
IClaimsIdentity caller = Thread.CurrentPrincipal.Identity
                         as IClaimsIdentity;

// MyClaimTypes.Role is the paper's placeholder for the role claim URI.
// Note that Single() throws if the caller has no role claim or more than one.
string Role = (from c in caller.Claims
               where c.ClaimType == MyClaimTypes.Role
               select c.Value).Single();

Let me paraphrase what the paper and the code snippet say:

Dear developer, don’t worry about where the identity information your application receives comes from, which protocols and formats carried the data, or whether passwords, smart cards or other forms of authentication were used.

You don’t need to worry, because we give you a very simple API consisting of exactly one thing: an object that represents the current user of your application. That’s it. You find out everything you ever wanted to know about this user simply by iterating over its attributes (aka claims). We do the hard part of moving and converting the data around, so it is simple for you.
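Here is that promise in working code, as an added example that is not from the roadmap paper or from Microsoft. It is written against System.Security.Claims, the namespace into which the Geneva/WIF claim types were folded in .NET 4.5 (note the property is `Type` there, not `ClaimType`). The two identity factories are constructed stand-ins for what a token handler and a forms login would hand the framework; the user names, roles and authentication-type strings are made up for the example. The application-side function is the same role lookup as the snippet above, except that it tolerates zero or several role claims instead of letting `Single()` throw.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading;

static class ClaimsDemo
{
    // Hypothetical: what a token handler hands back after validating a
    // SAML/WS-* token. The application never sees the token itself, only
    // the claims the framework extracted from it.
    static ClaimsIdentity FromValidatedToken()
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "Auditor"),
            new Claim(ClaimTypes.Role, "Reader"),   // two roles: Single() would throw here
        };
        return new ClaimsIdentity(claims, "Federation");
    }

    // Hypothetical: a local password login that produced no role claim at all.
    static ClaimsIdentity FromPasswordLogin()
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, "bob") };
        return new ClaimsIdentity(claims, "Password");
    }

    // Application code. It neither knows nor cares which factory above
    // populated the principal; it only reads claims from the current user.
    static IReadOnlyCollection<string> RolesOfCurrentUser()
    {
        var caller = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            return new string[0];               // anonymous: no roles, no exception

        return caller.Claims
                     .Where(c => c.Type == ClaimTypes.Role)
                     .Select(c => c.Value)
                     .ToList();
    }

    static void Main()
    {
        foreach (var identity in new[] { FromValidatedToken(), FromPasswordLogin() })
        {
            // In a real host the framework sets the principal; here we do it by hand.
            Thread.CurrentPrincipal = new ClaimsPrincipal(identity);
            Console.WriteLine("{0} via {1}: roles = [{2}]",
                identity.Name, identity.AuthenticationType,
                string.Join(", ", RolesOfCurrentUser()));
        }
    }
}
```

The point worth keeping in mind is that the simplicity cuts both ways: `RolesOfCurrentUser` trusts whatever role claims are on the principal, so the security boundary moves entirely into the configuration that decides which issuers the framework accepts tokens from. An application that reads claims this way is exactly as trustworthy as the token validation in front of it.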

Now that is a value proposition, particularly to developers. I would have called it "Microsoft will give you the simplest possible API into identity information that you can think of, so you don’t have to worry about it" instead of "how claims change everything", but regardless, it is now making sense to me!

And admittedly, that is a good API. How long it will take until it is actually populated from all these different sources remains to be seen, but I like the design.

P.S.: I’d love to see Microsoft make this work for OpenID as well, not just for WS-* and SAML. The article implies that they eventually might, but is not very firm on it.