WIF - managing domain specific authorization
I have a Windows Identity Foundation based infrastructure with a Custom STS with its own database. The STS authenticates users. The database also contains various Authorisation related claims about users. We add these claims after the user has been authenticated and just before WIF serializes the ClaimsIdentity into the Saml Token and posts it over to the Relying party sites. We have 5 Relying Party sites (and the number may grow).
This has meant that the number of claims and ultimately the size of the auth cookie has grown - as I need to satisfy the domain specific authorisation for each RP. As a result, each request carries around a bloated cookie with some claims that are not relevant to some of the sites, which I don't like.
Is there a better pattern for managing domain specific authorization claims within a (WIF/WS-Federation) federated authentication architecture?
You should look into claims transformation (ClaimsAuthenticationManager) -- it allows the RP to augment the claims presented to the RP. The idea is that the STS provides only a small set of claims and then the RP adds its RP-specific stuff from its database.
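The pattern this answer describes, as an added example that is not part of the original post or answer: an RP-side `ClaimsAuthenticationManager` (the .NET 4.5 `System.Security.Claims` version of WIF) that keeps the small set of STS-issued claims and adds only the roles this one RP needs. The `RpRoleStore` dictionary, the subject ids and role names, and the `RpOne` namespace and issuer string are constructed stand-ins for the RP's own database and naming.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example, not code from the original post: an RP-side claims
// transformation that augments the STS-issued principal with claims
// that are valid for THIS relying party only.
namespace RpOne.Security
{
    public class RpClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Constructed sample data standing in for a query against the RP's
        // database: STS-issued subject identifier -> roles meaningful in this RP.
        private static readonly IDictionary<string, string[]> RpRoleStore =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
            {
                { "user-1001", new[] { "Orders.Read", "Orders.Approve" } },
                { "user-1002", new[] { "Orders.Read" } },
            };

        // Issuer recorded on locally minted claims so they are distinguishable
        // from claims that arrived in the signed STS token (constructed name).
        private const string LocalIssuer = "RpOne.LocalAuthority";

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            // Only augment a principal the STS actually authenticated; an
            // anonymous principal passes through untouched.
            if (incomingPrincipal == null
                || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            var identity = incomingPrincipal.Identity as ClaimsIdentity;
            if (identity == null)
            {
                return incomingPrincipal;
            }

            // Key the lookup on the STS-issued subject identifier, never on a
            // display name or e-mail that the user could change.
            Claim subjectClaim = identity.FindFirst(ClaimTypes.NameIdentifier);
            if (subjectClaim == null || string.IsNullOrEmpty(subjectClaim.Value))
            {
                return incomingPrincipal;
            }

            string[] roles;
            if (RpRoleStore.TryGetValue(subjectClaim.Value, out roles))
            {
                foreach (string role in roles)
                {
                    // Local claims carry the RP as issuer so authorization code
                    // can tell "asserted by the STS" from "added by this RP".
                    identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, LocalIssuer));
                }
            }

            // The returned principal is what WIF writes into this RP's session
            // cookie, so the cookie carries only this RP's claims, not every RP's.
            return incomingPrincipal;
        }
    }
}
```

Register it in the RP's web.config under `<system.identityModel><identityConfiguration>` as `<claimsAuthenticationManager type="RpOne.Security.RpClaimsAuthenticationManager, RpOne" />` (assembly name assumed); WIF then calls `Authenticate` once at sign-in, before the session token is created. Because the added roles are looked up by the STS-issued subject id and stamped with a local issuer, a compromised or misconfigured STS cannot inject RP-specific roles simply by putting role claims in the token, and each RP's cookie grows only with its own claims. If the cookie is still too large, the .NET 4.5 `SessionAuthenticationModule.IsReferenceMode` setting keeps the session token in server-side cache and sends the browser only a reference to it.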
Please look at Authorization server. It might be what you are looking for.