Originally I thought the ClaimsAuthenticationManager.Authenticate method was supposed to fire just when the F.A.M. received a token. I looked at the documentation for this method but the documentation did not provide much insight. So next, I looked at the W.I.F. source and it appears this method fires every time the STS receives any kind of request (authenticated or not). Once I realized this I just changed my C.A.M. to return the original principal when an un-authenticated identity was presented. Would be helpful if the docs were updated to mention how this guy is called even for un-authenticated requests.
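
One way to write the guard described above, as an added example that is not the poster's code. It assumes the .NET 4.5 `System.Security.Claims` API (WIF 3.5 exposes the same method on `Microsoft.IdentityModel.Claims.ClaimsAuthenticationManager` with `IClaimsPrincipal`); the class name and the role value are hypothetical.

```csharp
using System.Linq;
using System.Security.Claims;

// Hypothetical class name; illustrative claims transformation only.
public sealed class GuardedClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Hypothetical role value added to every authenticated caller.
    private const string AuthenticatedRole = "AuthenticatedUser";

    public override ClaimsPrincipal Authenticate(string resourceName,
                                                 ClaimsPrincipal incomingPrincipal)
    {
        // Authenticate is invoked for anonymous requests too, so hand those
        // back unchanged. Transforming them would attach claims to a caller
        // who has not presented a token.
        if (incomingPrincipal == null ||
            incomingPrincipal.Identity == null ||
            !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        return Transform(incomingPrincipal);
    }

    private static ClaimsPrincipal Transform(ClaimsPrincipal principal)
    {
        // Work from the authenticated identity only; a principal can carry
        // more than one identity.
        ClaimsIdentity source = principal.Identities.First(i => i.IsAuthenticated);

        // Copy the issued claims into a fresh identity so the incoming
        // principal is never mutated in place.
        var identity = new ClaimsIdentity(source.Claims,
                                          source.AuthenticationType,
                                          source.NameClaimType,
                                          source.RoleClaimType);

        // Add the application role once, even if this runs more than once
        // for the same caller.
        if (!identity.HasClaim(identity.RoleClaimType, AuthenticatedRole))
        {
            identity.AddClaim(new Claim(identity.RoleClaimType, AuthenticatedRole));
        }

        return new ClaimsPrincipal(identity);
    }
}
```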