When a request is received by Identify*Runtime, the first thing the system does is establish who the requestor is. The requestor must exist as a Protocol Connection in Safewhere*Identify to be processed. If the requestor is identified, the request is sent to the authentication step. In the authentication step, the user must choose an authentication method (an Authentication Connection). The Authentication Connection (if of the type Username & Password or NemId) either requests credentials or (if of the type SAML 2.0, WS-Federation, OCES, Facebook, LinkedIn, etc.) forwards the request to a third-party IdP for authentication.

For a token request to be processed and responded, it must thus pass through both an Authentication Connection and a Protocol Connection. On both of them, there are a number of Transformation objects that the request can pass through and which will influence the final returned claim set. These Transformation objects make up the claim pipeline of Safewhere*Identify and will be explained in more detail in the chapters Add Authentication Connections, Add Protocol Connections and Claim Transformations.

Claims Pipeline Process will better explain the concept.