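/// <summary>
/// Builds the identity whose claims are placed into the issued token.
/// The caller's identity is copied and reduced to its PrimarySid and Name claims.
/// When the RST carries an ActAs token, a copy of that token's subject becomes the
/// top-most identity and the caller's identity is appended as the innermost
/// <c>Actor</c> of its delegation chain.
/// </summary>
/// <param name="principal">The caller's principal; its Identity must be an IClaimsIdentity.</param>
/// <param name="request">The incoming RST.</param>
/// <param name="scope">The scope that was previously returned by the GetScope method.</param>
/// <returns>
/// The identity to issue: the filtered copy of the caller's identity, or, for an ActAs request,
/// a copy of the ActAs subject carrying the caller's identity as its last actor.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="principal"/> or <paramref name="request"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// The caller's identity is not an IClaimsIdentity, or the ActAs token carries no subject identity.
/// </exception>
protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
{
    if (principal == null)
    {
        throw new ArgumentNullException("principal");
    }
    if (request == null)
    {
        throw new ArgumentNullException("request");
    }

    // The STS pipeline is expected to hand over an authenticated claims principal; fail with a
    // descriptive exception rather than a NullReference/InvalidCast if that contract is broken.
    IClaimsIdentity callerIdentity = principal.Identity as IClaimsIdentity;
    if (callerIdentity == null)
    {
        throw new InvalidOperationException("The caller's principal does not carry an IClaimsIdentity.");
    }

    // Work on a copy (including the existing delegate chain) so the caller's own identity is never mutated.
    IClaimsIdentity outputIdentity = callerIdentity.Copy();

    // There may be many GroupSid claims; keep only PrimarySid and Name to limit token size.
    Claim[] claims = outputIdentity.Claims
        .Where(c => c.ClaimType == ClaimTypes.PrimarySid || c.ClaimType == ClaimTypes.Name)
        .ToArray();
    outputIdentity.Claims.Clear();
    outputIdentity.Claims.AddRange(claims);

    if (request.ActAs != null)
    {
        // An ActAs element with no readable subject is a malformed request; refuse it explicitly
        // instead of indexing into an empty collection.
        var actAsSubjects = request.ActAs.GetSubject();
        if (actAsSubjects == null || actAsSubjects.Count == 0)
        {
            throw new InvalidOperationException("The ActAs token in the request does not contain a subject identity.");
        }

        // Copy the ActAs subject so the incoming token's identity is not modified in place,
        // then walk to the end of its existing delegation chain.
        IClaimsIdentity actAsIdentity = actAsSubjects[0].Copy();
        IClaimsIdentity lastActor = actAsIdentity;
        while (lastActor.Actor != null)
        {
            lastActor = lastActor.Actor;
        }

        // The caller (the party presenting the ActAs token) becomes the innermost actor, and the
        // ActAs subject becomes the identity that is issued. Note that only the caller's claims were
        // filtered above; the ActAs subject's claims are passed through unchanged.
        lastActor.Actor = outputIdentity;
        outputIdentity = actAsIdentity;
    }

    return outputIdentity;
}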