As it is generally known, identity management systems are used to create, maintain, and manage identity information for users, and to provide user authentication on behalf of other applications. An identity management system operates by performing an authentication process with regard to a user, and then, in response to successful authentication of the user, generating a security token that can be presented to one or more applications that trust the identity management system, during processing of user requests to access protected resources. A security token generated by an identity management system may include items of identity information about the user, sometimes referred to as “claims”, that are inserted by the identity management system into the token based on information maintained by the identity management system. Systems that trust the identity management system to perform authentication and to reliably generate a security token use the token to make authorization decisions with regard to protected resources under their control.