Windows® Identity Foundation (WIF) provides the building blocks for claims-aware clients. The following diagram shows how a client interacts with a relying party (RP) and an identity-provider security token service (IP-STS):



  1. A client request arrives at the RP application. Servicing the request requires the RP application to access an external resource on the user's behalf, so the RP application must impersonate the user.

  2. The RP application redirects the client to the IP-STS for authentication.

  3. The IP-STS authenticates the user and issues a SAML token that contains a UPN claim (a claim of type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn).

  4. The client submits the SAML token to the RP application.

  5. The RP application validates the SAML token (signature, trusted issuer, audience and lifetime) and extracts the UPN claim. Nothing in the token, the UPN included, should be trusted before this validation succeeds.

  6. The RP application passes the UPN claim value to the UpnLogon method and gets back a Windows security token for that user (as a WindowsIdentity). UpnLogon obtains the token through the Claims to Windows Token Service using Kerberos protocol transition (S4U2Self), so no user password is involved. WIF makes this call automatically in the Saml11SecurityTokenHandler and Saml2SecurityTokenHandler when the mapToWindows property on their SamlSecurityTokenRequirement is set to true and useWindowsTokenService on the <windowsClaimsIdentity> element under <microsoft.IdentityModel> is also set to true.

  7. The RP application impersonates the user with that WindowsIdentity and accesses the resource. For the impersonation to be usable against a remote resource, the RP's service account must be trusted for Kerberos constrained delegation with protocol transition; otherwise the token is identification-level only and can be used for local access checks but not for outbound authentication.
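
The following C# code is an added example, not code from the WIF documentation or SDK, showing the manual equivalent of steps 5 to 7 for an RP that does not enable mapToWindows and useWindowsTokenService in configuration. It assumes the SAML token has already been validated by the WIF token handler and that the resulting IClaimsPrincipal is on Thread.CurrentPrincipal; the class name UpnImpersonation, the method names and the file path passed in are illustrative choices, while ClaimTypes.Upn, S4UClient.UpnLogon, WindowsIdentity.Impersonate and WindowsImpersonationContext.Undo are the real WIF and .NET APIs.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.WindowsTokenService;

// Illustrative helper (not part of WIF): maps a validated UPN claim to a
// Windows identity and performs a scoped impersonation with it.
public static class UpnImpersonation
{
    // Step 5 (extraction half): return the single UPN claim from the
    // already-validated principal, or refuse. Requiring exactly one UPN claim
    // means a token carrying two UPNs cannot steer which account the RP acts as.
    public static string GetUpn(IClaimsPrincipal principal)
    {
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated claims principal.");

        var identity = (IClaimsIdentity)principal.Identity;
        string upn = null;
        foreach (Claim c in identity.Claims)
        {
            if (c.ClaimType != ClaimTypes.Upn) continue;
            if (upn != null)
                throw new UnauthorizedAccessException("Token carries more than one UPN claim.");
            upn = c.Value;
        }
        if (string.IsNullOrEmpty(upn))
            throw new UnauthorizedAccessException("Token carries no UPN claim.");
        return upn;
    }

    // Step 6: ask the Claims to Windows Token Service for a Windows identity.
    // This is the same call the SAML token handlers make when mapToWindows is on.
    public static WindowsIdentity ToWindowsIdentity(string upn)
    {
        return S4UClient.UpnLogon(upn);
    }

    // Step 7: touch the resource while impersonating, and always revert.
    // The impersonation is confined to this method so a thrown exception
    // cannot leave the worker thread running as the user.
    public static string ReadAsUser(WindowsIdentity windowsIdentity, string path)
    {
        WindowsImpersonationContext ctx = windowsIdentity.Impersonate();
        try
        {
            // The file system access check is evaluated against the user's token.
            return File.ReadAllText(path);
        }
        finally
        {
            ctx.Undo();
        }
    }

    // Ties the steps together for one request. 'path' is whatever resource
    // the RP needs on the user's behalf (illustrative parameter).
    public static string Run(string path)
    {
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        string upn = GetUpn(principal);
        WindowsIdentity wi = ToWindowsIdentity(upn);
        return ReadAsUser(wi, path);
    }
}
```

UpnLogon only succeeds when the Claims to Windows Token Service is running on the RP host and the RP's process identity is among the callers that service is configured to accept; a denied call surfaces as an exception, so the RP should treat it as an authorization failure rather than retry it.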

This section contains topics that discuss the WIF client.

  1. WSTrustChannelFactory and WSTrustChannel

  2. Built-in Bindings Overview