
ADFS claims consolidation from different issuers

Çağlar Arlı      -    17 Views


I hope I understand the claims concept in general now, after reading related articles on ADFS, certificates used for claims token signing, etc. But here is what is strange to me:

Claims are so abstract that in their general form they are basically useless for anything other than authentication. There is no fixed data which claims must contain and which I can rely on. Everything depends on the issuer's will to provide that information and is not under our control [source: "Markus says" in the "What makes a good claim" section of the claims overview article on MSDN].

Let's consider a simple example, used in one of the authorization samples I found: if the claims contain information that the user's age is > 65, he is allowed to visit the retirement section of the site. But what if they don't contain such information? And it's very likely that at some point we'll start supporting an additional claims issuer which will not provide such information. The same can be said about administrator group membership or any other claim.

Also, I could imagine a situation where Facebook provides a claim 'groups' with the list of Facebook group memberships (which can be easily edited and named "Administrators"), while Active Directory uses the same claim name to provide information about domain groups. So I feel there must be some point of consolidating that data, some bridge for filling the gaps and creating a claim the application can use. The illustration from the Claims Overview article indicates some process "Gather information" which might be what I'm thinking about, but it doesn't cover it with an explanation and it doesn't seem to be application-specific:

[Image: "Gather information" step in the illustration from the Claims Overview article]

Am I missing something?

PS: Currently in my application I use UserName, Phone, Department, group membership, and other information from Active Directory, and I'm concerned whether I can rely on that after implementing ADFS authentication support. Probably not, but at the same time I have to get that information somehow.
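The consolidation point the question is looking for exists in WIF/.NET 4.5 as a `ClaimsAuthenticationManager`, which runs after token validation and before the application sees the principal. The following is an added example, not code from the post or from Microsoft: it re-keys group claims by issuer so a social-login "groups" claim can never satisfy an application check written against the corporate group claim, and fills gaps (department, groups) from the application's own user store. The issuer strings, claim-type URIs and `IUserDirectory` are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;

// Assumed application-side directory (e.g. backed by AD/LDAP or a local table).
public interface IUserDirectory
{
    string DepartmentFor(string email);          // null if unknown
    string[] GroupsFor(string email);            // empty if unknown
}

public class ConsolidatingClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Issuer names as registered in the application's issuer name registry (assumed values).
    private const string AdfsIssuer = "http://adfs.example.local/adfs/services/trust";
    private const string AppIssuer  = "urn:example:app";

    // The only claim types the application's authorization code consumes.
    public const string AppGroupClaim      = "urn:example:app:group";
    public const string ExternalGroupClaim = "urn:example:external:group";
    public const string AppDepartmentClaim = "urn:example:app:department";

    private readonly IUserDirectory _directory;
    public ConsolidatingClaimsAuthenticationManager(IUserDirectory directory) { _directory = directory; }

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        var incoming = incomingPrincipal?.Identity as ClaimsIdentity;
        if (incoming == null || !incoming.IsAuthenticated) return incomingPrincipal;

        var outgoing = new ClaimsIdentity(incoming.AuthenticationType);
        foreach (var c in incoming.Claims)
        {
            bool isGroupLike = c.Type == ClaimTypes.Role || c.Type == ClaimTypes.GroupSid || c.Type == "groups";
            if (!isGroupLike) { outgoing.AddClaim(c); continue; }
            // Trust group membership only from the corporate ADFS; anything else is kept
            // under a separate type, so "Administrators" from Facebook stays inert.
            string target = c.Issuer == AdfsIssuer ? AppGroupClaim : ExternalGroupClaim;
            outgoing.AddClaim(new Claim(target, c.Value, c.ValueType, AppIssuer, c.Issuer));
        }

        // Fill the gaps the issuer did not cover from the application's own store.
        string email = incoming.FindFirst(ClaimTypes.Email)?.Value;
        if (email != null)
        {
            string dept = _directory.DepartmentFor(email);
            if (dept != null && outgoing.FindFirst(AppDepartmentClaim) == null)
                outgoing.AddClaim(new Claim(AppDepartmentClaim, dept, ClaimValueTypes.String, AppIssuer));
            foreach (var g in _directory.GroupsFor(email).Where(g => !outgoing.HasClaim(AppGroupClaim, g)))
                outgoing.AddClaim(new Claim(AppGroupClaim, g, ClaimValueTypes.String, AppIssuer));
        }
        return new ClaimsPrincipal(outgoing);
    }
}
```

The class is wired in through `<system.identityModel><identityConfiguration><claimsAuthenticationManager type="..."/>` in web.config (a parameterless constructor would then be needed to supply the directory), and authorization checks should use only `AppGroupClaim`, never the raw "groups" or role types.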