When using federated authentication, the identity provider solely decides what claims to use to populate the incoming identity. If using multiple identity providers there is very high probability that they will present the same information in somewhat different ways. That’s where the ClaimsAuthenticationManager fits in. It works as a translation filter that can modify or replace the incoming identity as soon as it has been constructed from the incoming authentication response.

You can implement a ClaimsAuthenticationManager by creating a class derived from the System.Security.Claims.ClaimsAuthenticationManager class.

Then register it with a <claimsAuthenticationManager> element in the configuration if the configuration is loaded from the config file. If the configuration is done in code (typically for the OWIN middleware) the ClaimsAuthenticationManager should be registered in Options.SPOptions.SystemIdentityModelIdentityConfiguration.ClaimsAuthenticationManager.

Single Logout

If you are using Single Logout, you need to make sure that the claims containing the Saml2 logout information are present in the returned identity. The types of the claims are available in Saml2ClaimTypes.SessionIndex and Saml2ClaimTypes.LogoutNameIdentifier.