When using federated authentication the identity provider solely decides what
claims to use to populate the incoming identity. If using multiple identity
providers there is very high probability that they will present the same
information in somewhat different ways. That's where the
ClaimsAuthenticationManager
fits in. It works as a translation filter
that can modify or replace the incoming identity as soon as it has been
constructed from the incoming authentication response.
Implement a ClaimsAuthenticationManager
by creating a class derived from the
System.Security.Claims.ClaimsAuthenticationManager
class.
Then register it with a
<claimsAuthenticationManager>
element in the configuration if the configuration is loaded from the config file.
If the configuration is done in code (typically for the OWIN middleware) the
ClaimsAuthenticationManager
should be registered in
Options.SPOptions.SystemIdentityModelIdentityConfiguration.ClaimsAuthenticationManager
.
If you are using Single Logout, you need to make sure that the claims containing
the AuthServices logout information are present in the returned identity. The
types of the claims are available in AuthServicesClaimTypes.SessionIndex
and
AuthServicesClaimTypes.LogoutNameIdentifier
.