ClaimsAuthenticationManager Class

.NET Framework (current version)

Defines the base implementation for a claims authentication manager. The claims authentication manager provides a place in the claims processing pipeline for applying processing logic (filtering, validation, extension) to the claims collection in the incoming principal before execution reaches your application code.

Namespace:   System.Security.Claims
Assembly:  System.IdentityModel (in System.IdentityModel.dll)


public class ClaimsAuthenticationManager : ICustomIdentityConfiguration


Initializes a new instance of the ClaimsAuthenticationManager class.

Authenticate(String, ClaimsPrincipal)

When overridden in a derived class, returns a ClaimsPrincipal object consistent with the requirements of the RP application. The default implementation does not modify the incoming ClaimsPrincipal.


Determines whether the specified object is equal to the current object. (Inherited from Object.)


Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)


Serves as the default hash function. (Inherited from Object.)


Gets the Type of the current instance. (Inherited from Object.)


When overridden in a derived class, loads custom configuration from XML.


Creates a shallow copy of the current Object. (Inherited from Object.)


Returns a string that represents the current object. (Inherited from Object.)

The claims authentication manager provides an extensibility point in the application’s claims processing pipeline that you can use to validate, filter, or modify incoming claims, or to inject new claims into the set of claims presented by a ClaimsPrincipal, before the RP application code is executed. You can even return a custom implementation of ClaimsPrincipal if your RP application requires it. The default implementation provided by the ClaimsAuthenticationManager class returns the claims in the ClaimsPrincipal unmodified; however, you can derive from this class and override the Authenticate method to modify the claims in the ClaimsPrincipal (or to return a custom ClaimsPrincipal).

A typical reason for creating a custom claims authentication manager is to add, remove, or transform claims based on information that is known only to the RP application or is better maintained by it. For example, a history of customer purchases in a shopping cart application might be kept in a database maintained by the RP application and then added to the claims principal returned by the claims authentication manager, based on the value of a name claim found in the incoming principal.

You can configure your application to use a ClaimsAuthenticationManager either programmatically by using the IdentityConfiguration class or in configuration through the <claimsAuthenticationManager> element (which is a child element of the <identityConfiguration> element). You can override the LoadCustomConfiguration method to provide processing for custom child elements of the <claimsAuthenticationManager> element through which your custom manager can be configured. The base implementation of ClaimsAuthenticationManager does not handle any child elements.

Configuring your application to use a claims authentication manager ensures that it will be invoked by Windows Identity Foundation (WIF) from the request pipeline.

The following code shows a simple claims authentication manager that adds a role claim to the incoming principal without performing any check on the incoming claims.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

using System.Security.Claims;

namespace MyClaimsAuthenticationManager
{
    class SimpleClaimsAuthenticatonManager : ClaimsAuthenticationManager
    {
        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            // Adds the "User" role to any authenticated principal; the incoming claims are not inspected.
            if (incomingPrincipal != null && incomingPrincipal.Identity.IsAuthenticated == true)
            {
                ((ClaimsIdentity)incomingPrincipal.Identity).AddClaim(new Claim(ClaimTypes.Role, "User"));
            }
            return incomingPrincipal;
        }
    }
}

The following XML shows the <claimsAuthenticationManager> element.

    <claimsAuthenticationManager type="MyClaimsAuthenticationManager.SimpleClaimsAuthenticatonManager, MyClaimsAuthenticationManager" />
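
The simple manager above performs no check on the incoming claims. As a contrast, the following added example (not part of the original documentation) validates the incoming principal, filters its claims against an allowlist, and adds roles from the RP's own records before returning a new ClaimsPrincipal. The class name FilteringClaimsAuthenticationManager, the issuer name, and the in-memory role table are hypothetical values constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Claims;

namespace MyClaimsAuthenticationManager
{
    // Hypothetical example class; the issuer name and role table are constructed values.
    class FilteringClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Assumed issuer name, as it would appear in Claim.Issuer for the trusted STS.
        const string TrustedIssuer = "https://sts.example.test/";

        // Claim types the RP accepts from the issuer; everything else is dropped.
        static readonly HashSet<string> AllowedTypes =
            new HashSet<string> { ClaimTypes.Name, ClaimTypes.Email };

        // Stand-in for the RP's own data store (user name -> locally assigned roles).
        static readonly Dictionary<string, string[]> LocalRoles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice@example.test", new[] { "User", "Purchaser" } }
            };

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            // Validate: require an authenticated identity.
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
                throw new SecurityException("Unauthenticated principal.");

            // Filter: copy only allowlisted claim types from the trusted issuer.
            // Role claims carried in the token are never copied.
            List<Claim> claims = incomingPrincipal.Claims
                .Where(c => c.Issuer == TrustedIssuer && AllowedTypes.Contains(c.Type))
                .Select(c => new Claim(c.Type, c.Value, c.ValueType, c.Issuer))
                .ToList();

            Claim name = claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);
            if (name == null)
                throw new SecurityException("No name claim from the trusted issuer.");

            // Transform: add roles from the RP's own records, keyed on the name claim.
            string[] roles;
            if (LocalRoles.TryGetValue(name.Value, out roles))
                claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

            return new ClaimsPrincipal(
                new ClaimsIdentity(claims, incomingPrincipal.Identity.AuthenticationType));
        }
    }
}
```

Because the manager builds a new identity instead of mutating the incoming one, application code only ever sees claims that passed the filter, plus the locally assigned roles.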



.NET Framework
Available since 4.5

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
