Windows® Identity Foundation (WIF) offers functionalities to help you build claims-aware clients. The following diagram shows how a client interacts with a relying party and STS:
- A client request arrives at the RP application. The request requires the RP application to access an external resource, and to do this the RP application must impersonate the user.
- The RP application redirects the client to the IP-STS for authentication.
- The IP-STS authenticates the user and issues a SAML token that contains a UPN claim (that is, a claim of type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn).
- The client submits the SAML token to the RP application.
- The RP application validates the SAML token and extracts the UPN claim.
- The RP application passes the UPN claim to the UpnLogon method as a parameter and gets back a Windows security token. This method call is made automatically by the SAML 1.1 and SAML 2 SecurityTokenHandlers when the mapToWindows property on the SamlSecurityTokenRequirement of these SecurityTokenHandlers is set to true and the useWindowsTokenService value on the <windowsClaimsIdentity> element in the <microsoft.IdentityModel> section is set to true.
- The RP application uses the Windows identity to impersonate the user and accesses the resource.
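The following C# is an added example, not code from the WIF documentation or the WIF library itself, that walks through steps 5 to 7 of the sequence above by hand: it validates the incoming SAML token with the configured token handlers, extracts the UPN claim, calls UpnLogon to obtain a Windows identity, and impersonates that identity only for the duration of the resource access. It assumes the WIF 3.5 assemblies (Microsoft.IdentityModel namespaces), that S4UClient.UpnLogon is the UpnLogon method the text refers to, and that the handler collection is taken from the application's <microsoft.identityModel> configuration; the DelegatedAccess class and its method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Xml;
using Microsoft.IdentityModel.Claims;              // IClaimsIdentity, ClaimTypes.Upn
using Microsoft.IdentityModel.Tokens;              // SecurityTokenHandlerCollection
using Microsoft.IdentityModel.WindowsTokenService; // S4UClient (assumed location of UpnLogon)

// Hypothetical helper for an RP application (added example, not WIF code).
static class DelegatedAccess
{
    // Step 5 and 6: validate the SAML token, extract the UPN claim and map it
    // to a Windows identity through the Windows Token Service.
    public static WindowsIdentity WindowsIdentityFromSamlToken(
        string samlTokenXml, SecurityTokenHandlerCollection handlers)
    {
        using (var reader = XmlReader.Create(new StringReader(samlTokenXml)))
        {
            // The configured handler checks signature, issuer, audience and
            // lifetime according to its SamlSecurityTokenRequirement.
            var token = handlers.ReadToken(reader);
            var identities = handlers.ValidateToken(token);
            IClaimsIdentity identity = identities.FirstOrDefault();
            if (identity == null)
                throw new InvalidOperationException("Token validation produced no identity.");

            // Only accept a single, well-defined UPN claim; a missing or
            // duplicated UPN means the token must not be mapped to a user.
            var upnClaims = identity.Claims
                .Where(c => c.ClaimType == ClaimTypes.Upn)
                .ToList();
            if (upnClaims.Count != 1)
                throw new InvalidOperationException("Expected exactly one UPN claim.");

            // Step 6: the UPN goes to UpnLogon, which returns the Windows token.
            return S4UClient.UpnLogon(upnClaims[0].Value);
        }
    }

    // Step 7: access the resource while impersonating the user, and revert
    // the impersonation when the work is done (the using block guarantees it).
    public static T RunAsUser<T>(WindowsIdentity windowsIdentity, Func<T> accessResource)
    {
        using (WindowsImpersonationContext context = windowsIdentity.Impersonate())
        {
            return accessResource();
        }
    }
}
```

In an RP that uses the WIF configuration section, the handler collection can be obtained from FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers; the explicit RunAsUser wrapper exists so that the impersonation context is always disposed, which is the point at which a thread would otherwise keep running with the delegated user's privileges.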
This section contains topics that discuss the WIF client.