3.13.5.1 Preauthentication

A request is preauthenticated if it contains a [Proxy Token] (section 2.2.2.18) signed using JSON Web Signature (JWS) [IETFDRAFT-JWS] with the signing certificate published by the server through the Federation Metadata [WSFederation1.2].

Once a request has been identified as preauthenticated, the proxy MUST allow access by replaying the request to the corresponding internal address without the [Proxy Token].

Other claims might be present as name/value pairs, depending on the issuance rules configured for the proxy at the server. How these claims are used is left to the proxy implementer.
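The check and replay described in this section, sketched as an added example that is not part of the specification: the proxy verifies the compact JWS on the token, refuses any algorithm other than the one it expects, and forwards the request with the token stripped. Assumptions: the token is signed with RS256, it travels in a hypothetical `X-Proxy-Token` header (this section does not say where it is carried), and a constructed demo RSA key stands in for the public key of the signing certificate from the Federation Metadata.

```python
import base64, hashlib, json

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo DER, RFC 8017 9.2

def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(message, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_proxy_token(token, n, e):
    """Return the claims if the compact JWS verifies under RSA key (n, e), else None."""
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(b64u_decode(h64)).get("alg") != "RS256":
            return None  # pin the algorithm: "none" and HMAC variants are refused
        k = (n.bit_length() + 7) // 8
        sig = b64u_decode(s64)
        s = int.from_bytes(sig, "big")
        em = emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)
        ok = len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == em
        return json.loads(b64u_decode(p64)) if ok else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: treat as not preauthenticated

def preauthenticate(headers, n, e, token_header="X-Proxy-Token"):
    """Headers to replay internally (token stripped), or None. token_header is hypothetical."""
    token = headers.get(token_header)
    if token is None or verify_proxy_token(token, n, e) is None:
        return None
    return {name: v for name, v in headers.items() if name != token_header}

def _demo_prime(c):  # Fermat tests only: good enough for a throwaway demo key
    while c % 65537 == 1 or any(pow(a, c - 1, c) != 1 for a in (2, 3, 5)):
        c += 2
    return c

def make_demo_key():  # constructed key standing in for the server's signing certificate
    p, q = _demo_prime(2**384 + 1), _demo_prime(2**385 + 1)
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def sign_demo_token(claims, n, d):  # server side, only to build constructed sample input
    h64, p64 = (b64u_encode(json.dumps(o).encode()) for o in ({"alg": "RS256"}, claims))
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k), "big")
    return f"{h64}.{p64}." + b64u_encode(pow(m, d, n).to_bytes(k, "big"))
```

In a deployment, `n` and `e` would be read from the signing certificate in the Federation Metadata, and a maintained JWS library would normally replace the hand-written RSA check shown here.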