Reference sample for ClaimsAuthorizationManager in Windows Identity Foundation 4.5


Sorry for the long question, trying to get all my points across!

I have been spending a considerable amount of time researching how to update our existing Identity and Access Management scheme to a more modern platform that solves a number of business and compliance requirements we have especially from ISO27001 perspective.

I have two primary goals to achieve: 1) Be able to report on what business operations/tasks can a user perform? 2) Be able to monitor in real time or through historical reports what a user is doing/has done?

We currently use a mixture of custom authentication and authorisation (using SQL back end for both) and AD Domain services for Authentication and AD group membership / role demand for authorisation.

I propose we use AD Domain Services for Authentication across all our software but from a claims based perspective with ADFS 2.0 as our STS server. We can then start leveraging claims within our applications and for those using role demands, they will still continue to work.

I am pretty happy with all of the above however we want to use a more granular entitlement management / authorisation scheme and therefore I want to use a ClaimsAuthorizationManager for the decision and enforcement point.

Problem is that WIF does not implement a concrete version, the developer is left entirely to their own choices with no guidance. I cannot find a single example of anything approaching something fit for business.

I am therefore looking for any advice on how to architect an enterprise class authorisation scheme that works in a similar way to AzMan or NetSqlAzMan. I suggest a generic simple ClaimsAuthorizationManager class that each application can use. This class calls into a shared WCF service which in turn uses a SQL back end to store business operations/tasks and the entitlements users have on these. The user objects would be synced from AD so that AD is providing authentication, claims and my custom system is providing authorisation rules. This service being centralised and singular helps with my first goal.

This system would log each request which will help with the second of my initial goals.

Any advice, examples or help much appreciated.
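As an added reference sample of the pattern the question proposes (this is not code from the question, either answer, or Microsoft): a generic ClaimsAuthorizationManager that maps the resource/action demand to a business operation, asks an entitlement store (stubbed in memory here in place of the shared WCF/SQL service), audits every decision, and denies by default. The store interface, user names and grants are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Entitlement lookup. In the proposed design this is the shared WCF service over
// SQL; here it is a constructed in-memory stub so the sample runs offline.
public interface IEntitlementStore { bool IsEntitled(string user, string operation); }
public sealed class InMemoryEntitlementStore : IEntitlementStore
{
    // Hypothetical grants keyed as "user|Resource:Action".
    private readonly HashSet<string> _grants = new HashSet<string> {
        "alice@corp.example|Invoice:Read", "alice@corp.example|Invoice:Approve",
        "bob@corp.example|Invoice:Read" };
    public bool IsEntitled(string user, string operation) { return _grants.Contains(user + "|" + operation); }
}
// WIF invokes CheckAccess for every ClaimsPrincipalPermission demand; this
// implementation is default-deny and writes one audit line per decision.
public class EntitlementClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    private readonly IEntitlementStore _store;
    private readonly Action<string> _audit;
    public EntitlementClaimsAuthorizationManager(IEntitlementStore store, Action<string> audit)
    { _store = store; _audit = audit; }
    public override bool CheckAccess(AuthorizationContext context)
    {
        // Resource and action arrive as claims; take the first value of each.
        string resource = context.Resource.Select(c => c.Value).FirstOrDefault();
        string action = context.Action.Select(c => c.Value).FirstOrDefault();
        string operation = resource + ":" + action;
        // Identify the caller by the UPN claim ADFS issues, falling back to Name.
        Claim id = context.Principal.FindFirst(ClaimTypes.Upn) ?? context.Principal.FindFirst(ClaimTypes.Name);
        string user = id == null ? null : id.Value;
        bool allowed = context.Principal.Identity != null && context.Principal.Identity.IsAuthenticated
            && user != null && resource != null && action != null && _store.IsEntitled(user, operation);
        _audit(string.Format("{0:o} user={1} op={2} decision={3}",
            DateTime.UtcNow, user ?? "<anonymous>", operation, allowed ? "ALLOW" : "DENY"));
        return allowed;
    }
}

public static class Demo
{
    public static void Main()
    {
        var mgr = new EntitlementClaimsAuthorizationManager(new InMemoryEntitlementStore(), Console.WriteLine);
        var alice = new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(ClaimTypes.Upn, "alice@corp.example") }, "Federation"));
        mgr.CheckAccess(new AuthorizationContext(alice, "Invoice", "Approve")); // ALLOW
        mgr.CheckAccess(new AuthorizationContext(alice, "Invoice", "Delete"));  // DENY
    }
}
```

When WIF creates the manager from the system.identityModel/identityConfiguration/claimsAuthorizationManager element in web.config it uses a parameterless constructor, so the constructor injection above is for the stand-alone demo only; the audit sink would then be an event log or the SQL-backed service itself.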



Answer from leastprivilege:

You are right - since AuthZ is so application specific - Microsoft did not provide any concrete implementations.

You already seem to have very specific ideas how that should work. Why don't you build such a sample and open source it - so you can gather feedback and maybe improve it based on that?

Answer from rbrayb:

Some thoughts.

Roles are a well-understood pattern e.g. Universal Data Models.

ADFS can pass groups as roles - ADFS : Sending groups as claims. You can then use the IsInRole or location tag. This may be too simplistic for you?

ADFS can log Success or Failure Audits - "Federation Service Properties" - Events.