3.3.5.2.4 User Attribute Retrieval

A relying party MAY<76> maintain local identities for all users to control access to WS resources. If so, the requestor IP/STS (or the WS resource) MUST retrieve the local identity and use it to replace the AuthIdentity in the user's Authentication Context.
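
The replacement step described above, as an added illustration that is not part of the specification. Only AuthIdentity and the Authentication Context are named in the text; the AuthContext fields issuer and auth_method, the store keyed by issuer and identity, and all sample values are assumptions made for this sketch.

```python
from dataclasses import dataclass, replace
from typing import Mapping, Tuple


class NoLocalIdentity(Exception):
    """The relying party holds no local identity for this user."""


@dataclass(frozen=True)
class AuthContext:
    # Hypothetical shape: issuer and auth_method are assumed fields;
    # auth_identity stands for the AuthIdentity named in the text.
    issuer: str
    auth_identity: str
    auth_method: str


# Constructed sample store: (issuer, federated AuthIdentity) -> local identity.
# Keying on the issuer as well keeps two partners that assert the same
# identity string from resolving to the same local account.
LOCAL_IDENTITIES: Mapping[Tuple[str, str], str] = {
    ("urn:federation:partner-a", "alice@partner-a.example"): "CORP\\alice.a",
    ("urn:federation:partner-b", "alice@partner-a.example"): "CORP\\guest17",
}


def apply_local_identity(
    ctx: AuthContext,
    store: Mapping[Tuple[str, str], str] = LOCAL_IDENTITIES,
) -> AuthContext:
    """Return a copy of ctx whose AuthIdentity is the user's local identity."""
    local = store.get((ctx.issuer, ctx.auth_identity))
    if local is None:
        # Fail closed: the relying party keeps local identities for all
        # users, so a missing entry must not fall back to the federated
        # identity when access to the WS resource is decided.
        raise NoLocalIdentity(f"no local identity for user from {ctx.issuer}")
    # Only AuthIdentity is replaced; the rest of the context is preserved.
    return replace(ctx, auth_identity=local)


if __name__ == "__main__":
    incoming = AuthContext("urn:federation:partner-a",
                           "alice@partner-a.example", "password")
    print(apply_local_identity(incoming))
```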