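        /// <summary>
        /// Builds the identity whose claims are placed in the issued token. The caller's identity is
        /// reduced to its PrimarySid and Name claims; when the request carries an ActAs token, the
        /// ActAs subject becomes the top-most identity and the reduced caller identity is appended as
        /// the last <c>Actor</c> of that subject's delegation chain.
        /// </summary>
        /// <param name="principal">The caller's principal; its Identity is expected to be an IClaimsIdentity.</param>
        /// <param name="request">The incoming RST; only its ActAs element is inspected here.</param>
        /// <param name="scope">The scope that was previously returned by the GetScope method (not used by this sample).</param>
        /// <returns>The identity to issue: the ActAs subject with the caller as innermost actor, or the reduced caller identity when no ActAs token is present.</returns>
        /// <exception cref="System.InvalidOperationException">The RST carries an ActAs element whose token yields no subject identity.</exception>
        protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
        {
            // Work on a copy so the caller's own identity (including its existing delegate chain) is never mutated.
            IClaimsIdentity callerIdentity = (IClaimsIdentity)principal.Identity;
            IClaimsIdentity outputIdentity = callerIdentity.Copy();

            // A Windows identity may carry many GroupSid claims; only PrimarySid and Name are kept
            // in this sample to keep the issued token small.
            Claim[] keptClaims = outputIdentity.Claims
                .Where(c => c.ClaimType == ClaimTypes.PrimarySid || c.ClaimType == ClaimTypes.Name)
                .ToArray();

            outputIdentity.Claims.Clear();
            outputIdentity.Claims.AddRange(keptClaims);

            if (request.ActAs != null)
            {
                var actAsSubjects = request.ActAs.GetSubject();

                // Indexing [0] unconditionally turns an ActAs token that validates to no identity into an
                // index exception deep in the pipeline; fail with a clear request error instead.
                if (actAsSubjects == null || actAsSubjects.Count == 0)
                {
                    throw new System.InvalidOperationException("The ActAs token in the request did not yield a subject identity.");
                }

                IClaimsIdentity actAsIdentity = actAsSubjects[0].Copy();

                // Walk to the end of the delegation chain carried by the presented ActAs token.
                // NOTE(review): the chain length comes from the presented token and is not bounded here, and this
                // sample does not check that the caller is authorized to act as this subject — a production STS
                // should do both before issuing the token.
                IClaimsIdentity lastActor = actAsIdentity;
                while (lastActor.Actor != null)
                {
                    lastActor = lastActor.Actor;
                }

                // The caller becomes the innermost actor; the ActAs subject is what gets issued.
                lastActor.Actor = outputIdentity;
                outputIdentity = actAsIdentity;
            }

            return outputIdentity;
        }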