Identity Tags

Identity tags are labels that you can optionally create to 'tag' authenticated users for later reference. It is a means to differentiate between identities that are not known at policy design time.
Background
Without identity tags, identity assertions that check group membership cannot authenticate more than one user within the same policy when those users are identified by the same group or identity provider: once a user has been authenticated against that group or provider, a later assertion against the same group reuses that result rather than authenticating again. Consider the following example:
Request: WSS Signature  (Gathers credentials)
Request: Group Membership: SampleGroup (Authenticates the user and checks that the user is a member of the group "SampleGroup")
Request: Group Membership: SampleGroup (Checks that the user is a member of "SampleGroup" but does not reauthenticate)
When identity tags are used, it is possible to authenticate multiple times for a single group or identity provider:
Request: WSS Signature (Gathers credentials)
Group Membership: SampleGroup as "tag1" (Authenticates user as "tag1" and checks for membership in group "SampleGroup")
Group Membership: SampleGroup as "tag1" (Checks that "tag1" is a member of group but does not re-authenticate)
Group Membership: SampleGroup as "tag2" (Authenticates user as "tag2" and checks for membership in group "SampleGroup")
In the example above, the identity tags "tag1" and "tag2" are used to distinguish between the two identities even though the specific identities involved are not known at the time the policy was created.
 
(1) Identity tags are only necessary when multiple signatures are present in a message and you want to use a tag, rather than an explicit identity, to specify the target identity. (2) Once an identity tag has been used for authentication, the regular identity (for example "User: bob") is no longer available to be selected as a target identity; that identity is selected by its tag instead.
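The following is an added example, not code from the Gateway or its documentation: a small Python model of how a policy evaluator could treat tagged and untagged Group Membership assertions, written to make the behaviour described in the Background section and in note (2) above concrete. The directory of users and groups, the Credential and AuthContext classes, and the rule that an authenticating assertion consumes the next credential not yet bound to a tag are all assumptions made for the illustration; only the observable behaviour (an untagged second assertion checks membership but does not re-authenticate, each new tag authenticates afresh, tags compare case-insensitively, and a tagged identity is offered only by its tag) follows the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory (assumption): user -> groups the user belongs to.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"SampleGroup", "Admins"},
    "bob": {"SampleGroup"},
    "carol": {"Guests"},
}


@dataclass
class Credential:
    """One credential gathered from the request, e.g. a WSS signature."""
    user: str
    valid: bool = True  # False models a signature that fails verification


@dataclass
class AuthContext:
    """Per-request authentication state built up as the policy runs."""
    credentials: List[Credential]
    # Identity key (normalised tag, or None for the untagged identity) -> user.
    authenticated: Dict[Optional[str], str] = field(default_factory=dict)
    # Indexes into credentials already consumed by an authentication attempt.
    bound: Set[int] = field(default_factory=set)


def normalize_tag(tag: Optional[str]) -> Optional[str]:
    """Identity tags are not case sensitive: 'ABC' and 'abc' are one tag."""
    return None if tag is None else tag.strip().lower()


def group_membership(ctx: AuthContext, group: str,
                     tag: Optional[str] = None) -> Tuple[bool, bool]:
    """Evaluate 'Group Membership: <group> [as "<tag>"]'.

    Returns (assertion_passed, authenticated_now). If an identity is already
    authenticated under this key the assertion only checks membership; it
    does not authenticate again and so never picks up a second credential.
    """
    key = normalize_tag(tag)
    if key in ctx.authenticated:
        user = ctx.authenticated[key]
        return group in DIRECTORY.get(user, set()), False
    # Not yet authenticated under this key: consume the next unbound
    # credential (assumption of this model, not Gateway behaviour).
    for i, cred in enumerate(ctx.credentials):
        if i in ctx.bound:
            continue
        ctx.bound.add(i)
        if not cred.valid or cred.user not in DIRECTORY:
            return False, True  # authentication attempted but failed
        ctx.authenticated[key] = cred.user
        return group in DIRECTORY[cred.user], True
    return False, False  # no credential left to authenticate


def selectable_targets(ctx: AuthContext) -> List[str]:
    """Identities a later assertion can choose as its target identity.

    An identity authenticated under a tag is offered only by its tag; the
    plain 'User: <name>' entry is no longer available for it (note 2).
    """
    return [f"User: {user}" if key is None else f'tag "{key}"'
            for key, user in ctx.authenticated.items()]


def run_untagged(credentials: List[Credential]):
    """Two untagged Group Membership assertions: only one user authenticates."""
    ctx = AuthContext(list(credentials))
    first = group_membership(ctx, "SampleGroup")   # authenticates
    second = group_membership(ctx, "SampleGroup")  # membership check only
    return ctx, first, second


def run_tagged(credentials: List[Credential]):
    """The tagged policy from the text: tag1, tag1 again, then tag2."""
    ctx = AuthContext(list(credentials))
    results = (
        group_membership(ctx, "SampleGroup", "tag1"),  # authenticates as tag1
        group_membership(ctx, "SampleGroup", "TAG1"),  # same tag: check only
        group_membership(ctx, "SampleGroup", "tag2"),  # authenticates 2nd user
    )
    return ctx, results


if __name__ == "__main__":
    # Constructed request carrying two signatures, from alice and bob.
    sigs = [Credential("alice"), Credential("bob")]
    ctx, a, b = run_untagged(sigs)
    print("untagged:", a, b, ctx.authenticated)
    ctx, res = run_tagged(sigs)
    print("tagged:  ", res, ctx.authenticated, selectable_targets(ctx))
```

Run with two valid signatures, the untagged policy leaves bob unauthenticated because the second assertion finds an identity already authenticated for the untagged key and only re-checks its membership; the tagged policy binds alice to "tag1" and bob to "tag2", and the "TAG1" assertion is satisfied by the existing "tag1" identity without authenticating again. Swapping bob's credential for one from a non-member, an invalid signature, or no second signature at all shows the three ways the "tag2" assertion can fail.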
 
Signing credential sources (for example the Require Encrypted UsernameToken Profile Credentials, Require SAML Token Profile, Require WS-Secure Conversation and Require WS-Security Kerberos Token Profile Credentials assertions) also support identity tags. If the policy includes one of those credential sources along with an identity assertion, the identity tag is used as the target identity when verifying signatures in the target message.
To create an identity tag:
  1. Add an identity assertion to a policy: either Authenticate User or Group or Authenticate Against Identity Provider.
  2. Right-click the identity assertion and select Identity Tag from the context menu. The Change Identity Tag dialog is displayed.
  3. Enter a name for the identity tag. The name may include letters, numbers and the characters ' _-.,' (the space character is permitted). Identity tags are not case sensitive, so the tag 'ABC' is the same as 'abc'.
    There is no limit to the length of the tag, but for practical purposes keep the tag name short.
  4. Click [OK]. The identity tag is appended to the end of the assertion name in the policy tree: "... as <Identity_Tag>". For example:
    User: Alice [Internal Identity Provider] as "First_User, internal"
When you create an identity tag here, it can be later used to indicate the signing identity when multiple signatures are in effect. For more information, see Select a Target Identity.
To edit or remove an identity tag:
  1. Right-click an identity assertion in the policy window and then select Identity Tag.
  2. Edit the tag as necessary, or clear the Identity Tag field to delete the tag.
  3. Click [OK]. The tag is updated or removed in the policy window.