asp.net, asp.net-mvc, single-sign-on, owin, katana

What mechanism does OWIN use to determine that a user is authenticated before reading their claims?


I've launched the sample project for ASP.Net MVC that provides single sign-on against Active Directory, and am using this Microsoft tutorial for reference.

Once the user has clicked to sign in and gets redirected to their organisation's login page, upon returning to the web application the following code verifies that they are authenticated, and successfully reads their claims:

@* Razor view: namespace imports use the @using directive, not a C# using statement *@
@using Microsoft.Owin.Security
@using Microsoft.Owin.Security.Cookies
@using Microsoft.Owin.Security.OpenIdConnect
@using Owin

@if (Request.IsAuthenticated)
{
    <dl>
        @foreach (var claim in System.Security.Claims.ClaimsPrincipal.Current.Claims)
        {
            <text>
                <dt>@claim.Type</dt>
                <dd>@claim.Value</dd>
            </text>
        }
    </dl>
}

Under the hood, what actually constitutes a true value of Request.IsAuthenticated?
Is it by the very nature that claims exist, or is there a specific value that is being used to provide a result before the claims are read?


Solution

  • That tutorial asks you to add authentication middleware into your request pipeline. In this case you're adding UseCookieAuthentication and UseOpenIdConnectAuthentication to register authentication middlewares. These, and any others you might add (JWT bearer token authentication for example), use their own internal mechanism for parsing the request and assigning a claims identity to your request context. For example, cookie authentication will look for a cookie that represents a persisted session and will decrypt and parse its details out as a claims identity. IsAuthenticated literally just returns true if one or more identities are available.

    For more detail you can of course drill into the source code. For example, OWIN's cookie authentication middleware lives here: https://github.com/aspnet/AspNetKatana/tree/dev/src/Microsoft.Owin.Security.Cookies
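An added C# illustration (not the question's code and not the Katana source) of what actually flips the property: ClaimsIdentity.IsAuthenticated is true only when the identity carries a non-empty AuthenticationType, which the middleware stamps on the identity it rebuilds from the session cookie; claims alone do not make an identity authenticated. The sample claims and the "Cookies" authentication type are constructed for this example (the real value is whatever AuthenticationType the middleware is configured with).

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;

public static class IsAuthenticatedDemo
{
    // Constructed sample claims for the illustration.
    static readonly Claim[] SampleClaims =
    {
        new Claim(ClaimTypes.Name, "alice"),
        new Claim(ClaimTypes.Email, "alice@example.com"),
    };

    // Mirrors the logic behind HttpRequest.IsAuthenticated: true only when a
    // principal with an authenticated identity is attached to the request context.
    public static bool RequestIsAuthenticated(IPrincipal user) =>
        user?.Identity != null && user.Identity.IsAuthenticated;

    public static void Main()
    {
        // An identity built from claims but with no authentication type:
        // ClaimsIdentity.IsAuthenticated checks the type string, not the claim count.
        var claimsOnly = new ClaimsPrincipal(new ClaimsIdentity(SampleClaims));
        Console.WriteLine($"claims only: {RequestIsAuthenticated(claimsOnly)}");

        // What the cookie middleware hands back after decrypting the session cookie:
        // the same claims, now stamped with an authentication type ("Cookies" is a
        // constructed placeholder for the middleware's configured AuthenticationType).
        var fromCookie = new ClaimsPrincipal(new ClaimsIdentity(SampleClaims, "Cookies"));
        Console.WriteLine($"from cookie: {RequestIsAuthenticated(fromCookie)}");

        // Worth checking in your own code: an identity that carries claims but no
        // authentication type should be treated as anonymous, never as signed in.
        foreach (var identity in fromCookie.Identities)
        {
            Console.WriteLine(
                $"type='{identity.AuthenticationType}' authenticated={identity.IsAuthenticated} claims={identity.Claims.Count()}");
        }
    }
}
```

The `Count()` call needs `using System.Linq;` if you paste this into a project without implicit usings.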