I'm new to claims-based security. I understand the premise but have some questions regarding the token.
From what I understand, the token will carry all of the claims for a given user, and different systems will use different claims to determine authorization to a system. On this point I have several questions:
1) Does this mean that the STS is aware of all claims for all systems? Does this not mean the token could become gargantuan in size? Or does the token only carry the claims as needed by the relying party requesting the authentication?
2) Should claims be leveraged to determine fine grained access to a system, or are relying parties expected to maintain a separate means of tracking permissions?
I have a system with hundreds of different user permissions. In trying to move to a claims-based solution, the missing piece for me is: are all of the permissions meant to be managed by the STS and provided in the token? Or do I use the token to authenticate the user, then manage permissions myself? Or perhaps something in between?
Help and guidance would be appreciated!
Kind regards, TheMistry
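The following is an added example, not code from the original post or from any STS product, illustrating the "in between" arrangement the question asks about: the STS issues a small, signed token scoped to one relying party and carrying only coarse claims (here, roles), and the relying party validates the token and then expands those claims into fine-grained permissions from its own table, so hundreds of permissions never have to travel inside the token. The token format, the HMAC key, the issuer URL and the role and permission names are all constructed for this example; a real STS would sign with an asymmetric key and use a standard token format.

```python
import hashlib
import hmac
import json
import time

# Constructed shared HMAC key for the example STS and relying party (assumption:
# a real STS signs with an asymmetric key and publishes its public key; this is a stand-in).
STS_KEY = b"example-sts-signing-key-not-for-production"


def issue_token(subject, audience, claims, now=None, ttl=300, key=STS_KEY):
    """STS side: build a compact, signed token carrying only the claims the
    relying party (audience) needs. The format (JSON payload + '.' + hex HMAC)
    is constructed for this example and is not a real JWT."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": "https://sts.example",  # hypothetical issuer
        "sub": subject,
        "aud": audience,               # the one relying party this token is for
        "iat": now,
        "exp": now + ttl,
        "claims": claims,              # coarse claims only, e.g. a handful of roles
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def verify_token(token, audience, now=None, key=STS_KEY):
    """Relying party side: check signature, audience and lifetime before
    trusting any claim. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.rpartition(".")   # hex signature never contains a '.'
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(body)
    if payload["aud"] != audience:
        raise ValueError("token was issued for a different relying party")
    if not (payload["iat"] <= now < payload["exp"]):
        raise ValueError("token expired or not yet valid")
    return payload


def accept(token, audience, now=None, key=STS_KEY):
    """Convenience wrapper: the verified payload, or None if the token is rejected."""
    try:
        return verify_token(token, audience, now, key)
    except ValueError:
        return None


# The relying party's own permission table (constructed data): the token carries
# a few role claims, and the fine-grained permissions stay local to this system.
ROLE_PERMISSIONS = {
    "orders:clerk": {"order.read", "order.create"},
    "orders:manager": {"order.read", "order.create", "order.approve", "order.refund"},
    "reports:viewer": {"report.read"},
}


def permissions_for(payload):
    """Expand the token's role claims into this system's permission set."""
    granted = set()
    for role in payload["claims"].get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_authorized(payload, permission):
    return permission in permissions_for(payload)


if __name__ == "__main__":
    tok = issue_token("alice", "orders-app", {"roles": ["orders:clerk"]})
    print("token size:", len(tok), "bytes for", len(ROLE_PERMISSIONS["orders:clerk"]), "permissions")
    payload = verify_token(tok, "orders-app")
    print("alice may create orders:", is_authorized(payload, "order.create"))
    print("alice may approve orders:", is_authorized(payload, "order.approve"))
```

Two points the code makes concrete: the token is bound to one audience, so a token minted for the orders application is rejected by the reports application even though the signature is valid, and adding a new permission to a role changes only the relying party's table, not the token or the STS.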