IIdentity is just used for the user’s authenticated identity, regardless of what roles they may have.
IPrincipal is used to combine a user’s identity with the authorized roles they have in a given security context.
For example, you can use a third-party login provider, like Facebook or Google, to get the user’s identity, but you will not get a principal from those providers, as they don’t provide any roles. You can use your own application or a third-party role-based authorization provider to apply roles to, say, a FacebookIdentity or GoogleIdentity. A different application can expect a different principal, with its own roles, but still use the same identity as in another application.