I'm working on a project which uses Active Directory for user information, ADFS for Authentication and SSO, and several custom applications all built with ASP.NET MVC.

The authorization model is claims and role-based; that is, a user's roles are accessible as claims to the relevant application, via tokens issued by ADFS (using WIF).

Each role has a defined list of permissions against the applications' various resources (i.e. the role Admin has WRITE permission against resource X). We have the basic authorization model working well with some hardcoded permissions.

My question is: what is the best way / place to store the actual permissions for the various roles? Can this be done within ADFS or will a separate store be needed (I'm guessing the latter)? The permissions follow the same broad pattern as XACML (user/role:resource:action) and a XACML solution would probably be easy to incorporate, but the most popular .NET implementation of XACML (XACML.NET) seems to use XML as the only storage mechanism which isn't going to be viable (we have a lot of resources to store permissions against - potentially thousands).

What do people use for this? The most obvious solution seems to be to just store the triplets in SQL Server but considering all the ready-built solutions for authentication (especially using ADFS and WIF) it seems odd that there's so little (obvious) information for actually implementing authorization and permissions. All the examples I've found online stop short of explaining things at the permissions level.

ADFS is frequently a shared infrastructure component. The problem with moving app specific knowledge to it (like app specific permissions) is that in could become an admin bottleneck over time. Ask yourself: who is going to to manage those permissions over time? will you have to submit a form for somebody to approve? That is likely to be a problem. It would work, but it will be a hassle.

In general, ADFS should supply cross app attributes that everybody can benefit from (e.g. all AD based attributes, corporate wide attributes, HR related information, are good examples).

Of course you could have ADFS pull data from a database that is managed in a distributed way.

In some cases, people deploy an app specific STS (often called an "RP-STS") that transforms the token into something the app (or group of app) expects. SharePoint does this for example.

The easiest thing would be to store the permissions in SQL Server and just use a custom SQL Server attribute store in ADFS to retrieve the values.

You could do some logic with claims rules, but there really isn't a good place to store anything of this sort in ADFS itself.