After you have configured an SPTrustedIdentityTokenIssuer in your farm and enabled it as an authentication provider for a web application, you should see the provider in the People Picker as a top-level node. You might be a little disappointed at this stage if you try to search for anything in the picker: any text you enter is always resolved by the provider that you just configured. This is because SPTrustedIdentityTokenIssuer by default has its own claim provider, which is quite basic in its functionality. It accepts any text entered by the user because it is unaware of the attribute source of your SPTrustedIdentityTokenIssuer.
This basic functionality might be good enough in certain scenarios, but it gives poor user feedback and is very vulnerable to typos. This is why SPTrustedIdentityTokenIssuer can be configured with a custom SPClaimProvider. Instructions on how to create an SPClaimProvider can be found at http://blogs.technet.com/speschka/. I have created one for our organization; if anyone needs additional code examples, please leave a comment and I will try putting up a post on how to create it in more detail. After you have created a claim provider, you can configure it for the trusted identity token issuer from code as follows. Here loginProviderName is the name of the SPTrustedIdentityTokenIssuer that you configured earlier and claimProviderName is the name of the SPClaimProvider.
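using Microsoft.SharePoint.Administration.Claims;

// Look up the trusted login provider (the SPTrustedIdentityTokenIssuer) by name
SPSecurityTokenServiceManager stsManager = SPSecurityTokenServiceManager.Local;
SPTrustedLoginProviderCollection loginProviders = stsManager.TrustedLoginProviders;
SPTrustedLoginProvider loginProvider = loginProviders.GetProviderByName(loginProviderName);
// Point it at the custom claim provider and persist the change
loginProvider.ClaimProviderName = claimProviderName;
loginProvider.Update();

Or from SharePoint 2010 PowerShell as follows: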
Set-SPTrustedIdentityTokenIssuer -Identity $loginProviderName -ClaimProvider $claimProviderName
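
Because the default claim provider resolves any text, a mistyped name here is worth catching before and after the change. The script below is an added example, not part of the original post: it wraps the same cmdlet with checks that both names resolve and that the setting was persisted. The two default names are placeholders, and the IsEnabled check assumes the object returned by Get-SPClaimProvider exposes that property.

```powershell
param(
    [string]$loginProviderName = "ExampleTokenIssuer",    # placeholder issuer name
    [string]$claimProviderName = "ExampleClaimProvider"   # placeholder claim provider name
)

# Load the SharePoint cmdlets when run outside the SharePoint Management Shell
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Fail early if the token issuer name does not resolve
try {
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $loginProviderName -ErrorAction Stop
} catch {
    throw "Trusted identity token issuer '$loginProviderName' was not found: $_"
}

# Fail early if the custom claim provider is not registered in the farm
try {
    $provider = Get-SPClaimProvider -Identity $claimProviderName -ErrorAction Stop
} catch {
    throw "Claim provider '$claimProviderName' is not registered in this farm: $_"
}

# Assumption: the returned definition exposes IsEnabled
if (-not $provider.IsEnabled) {
    throw "Claim provider '$claimProviderName' is registered but not enabled."
}

Write-Host "Current claim provider on '$loginProviderName': '$($issuer.ClaimProviderName)'"

# Apply the change only when it is needed
if ($issuer.ClaimProviderName -ne $claimProviderName) {
    Set-SPTrustedIdentityTokenIssuer -Identity $loginProviderName -ClaimProvider $claimProviderName
}

# Re-read the issuer and confirm the setting was persisted
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $loginProviderName
if ($issuer.ClaimProviderName -ne $claimProviderName) {
    throw "ClaimProviderName is '$($issuer.ClaimProviderName)', expected '$claimProviderName'."
}
Write-Host "'$loginProviderName' now uses claim provider '$claimProviderName'."
```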