1. The ClaimProviderName of the Get-SPTrustedIdentityTokenIssuer should be the Name of the custom claims provider. Instructions for how to configure this are at http://blogs.technet.com/speschka/archive/2010/04/28/how-to-override-the-default-name-resolution-and-claims-provider-in-sharepoint-2010.aspx.
2. Make sure that the Name property of your custom provider is NOT the same value as the Name property of the Get-SPTrustedIdentityTokenIssuer. You will need the name of the SPTrustedIdentityTokenIssuer when you are creating the claim for the PickerEntity, so I recommend you add another static string property to your custom claim provider that is the name of the SPTrustedIdentityTokenIssuer. For example, here's what I used in my custom claim provider:
3. When you create a custom claim provider to replace the out-of-the-box provider, you are going to want to override the FillSearch and FillResolve methods. In those overrides you will need to create a PickerEntity instance. Normally for these methods I use the CreateClaim helper method; however, if your provider is going to replace the out-of-the-box provider you do not want to use the CreateClaim helper. Instead you should:
a. Use the new SPClaim constructor.
b. Determine if the claim is an identity claim or not. For example, if the identity claim for the SPTrustedIdentityTokenIssuer is email, then you know that if the claim value is an email address it is an identity claim.
c. For an identity claim, the claimType for the new SPClaim constructor should match the identity claim for your SPTrustedIdentityTokenIssuer. For example, if your identity claim is email, then your claimType parameter should be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
i. For an identity claim, the EntityType property of the PickerEntity should be SPClaimEntityTypes.User
d. If it is NOT an identity claim, the claimType should be whatever claim makes sense for your application
i. If it is NOT an identity claim, the EntityType property of the PickerEntity should be SPClaimEntityTypes.WhateverMakesSenseForYourApplication (probably FormsRole in many cases)
e. For the last parameter of the new SPClaim constructor, use the following: SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, SPTrustedIdentityTokenIssuerName)
f. Here’s an example of an identity claim with all of these pieces put together:
myPickerEntity.Claim = new SPClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "firstname.lastname@example.org", Microsoft.IdentityModel.Claims.ClaimValueTypes.String, SPOriginalIssuers.Format(SPOriginalIssuerType.TrustedProvider, SPTrustedIdentityTokenIssuerName));
IMPORTANT NOTE: If you are the default claims provider for an SPTrustedIdentityTokenIssuer, you should use this method to create the PickerEntity claim irrespective of the type of claim; meaning, use this method whether it's an identity claim, role claim, etc.
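Here are items 2 and 3 put together in a provider skeleton, as an added example that is not code from the original post. The class name EmailClaimsProvider, the role claim type, and the issuer name "SAML Provider" are assumptions; the identity claim type is the email claim used above.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// The other part of this partial class implements the remaining SPClaimProvider members.
public partial class EmailClaimsProvider : SPClaimProvider
{
    // Identity claim type configured on the SPTrustedIdentityTokenIssuer (item 3c).
    private const string IdentityClaimType =
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    // Claim type for non-identity (role) entries; assumed value (item 3d).
    private const string RoleClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    // Name of the SPTrustedIdentityTokenIssuer (item 2); assumed value, must differ from Name.
    public static string SPTrustedIdentityTokenIssuerName = "SAML Provider";

    public override string Name { get { return "EmailClaimsProvider"; } }

    protected override void FillResolve(Uri context, string[] entityTypes,
                                        string resolveInput, List<PickerEntity> resolved)
    {
        // A real provider would look the input up in a directory; here any input resolves.
        resolved.Add(CreateTrustedEntity(resolveInput));
    }

    // Builds the PickerEntity the way items 3a-3f describe: decide identity vs. role by
    // whether the value is an e-mail address, then use the SPClaim constructor with
    // SPOriginalIssuers.Format instead of the CreateClaim helper.
    protected PickerEntity CreateTrustedEntity(string value)
    {
        bool isIdentityClaim = IsEmailAddress(value);
        string originalIssuer = SPOriginalIssuers.Format(
            SPOriginalIssuerType.TrustedProvider, SPTrustedIdentityTokenIssuerName);
        PickerEntity entity = CreatePickerEntity();
        entity.Claim = new SPClaim(isIdentityClaim ? IdentityClaimType : RoleClaimType,
                                  value, ClaimValueTypes.String, originalIssuer);
        entity.EntityType = isIdentityClaim ? SPClaimEntityTypes.User : SPClaimEntityTypes.FormsRole;
        entity.DisplayText = value;
        entity.IsResolved = true;
        return entity;
    }

    private static bool IsEmailAddress(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        try { return new System.Net.Mail.MailAddress(value).Address == value; }
        catch (FormatException) { return false; }
    }
}
```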
1. Add a new property to your claim provider that is the name of the SPTrustedIdentityTokenIssuer where the provider will be used.
2. When you are resolving an identity claim, make sure the EntityType is SPClaimEntityTypes.User
3. Don’t use the CreateClaim helper method; use the new constructor for an SPClaim
4. For the last parameter of the SPClaim constructor, use the SPOriginalIssuerType enum.