The security tokens generated by an STS carry a set of attributes on which an application bases its grant/deny decisions or customizes the user experience. These attributes are called claims.
A claim can be a user name or e-mail address, a permission such as canWrite or canRead, or a role or group the user belongs to. When the STS generates a token it embeds the claims in it and signs the token (and may also encrypt it); the claims therefore cannot be altered after issue without invalidating the signature, and any such tampering is detected when the token is validated.
If our application trusts the STS that issued the token, meaning it verifies the signature against the STS's known key and checks the issuer, intended audience and expiry, it can use the claims in the token to describe the user, eliminating the need to look up user attributes in order to make authorization decisions or customize the experience.
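The following is an added example, not code from the original page or from any particular STS product. It uses a minimal JWT (HS256) as the token format and a shared HMAC key standing in for the STS signing key; the key, issuer and audience values are constructed for the example. It shows both sides: the STS embedding claims in a signed token, and the relying party refusing to act on the claims until the signature, issuer, audience and expiry check out, so that a payload in which someone has added a canWrite permission is rejected rather than trusted. Real STSs usually sign with an asymmetric key so the relying party holds only the public half; the validation steps are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values: a shared HMAC key stands in for the STS signing key.
STS_KEY = b"example-sts-signing-key-do-not-use"
STS_ISSUER = "https://sts.example.test"
APP_AUDIENCE = "https://app.example.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_token(key: bytes, claims: dict, now: int, lifetime: int = 300) -> str:
    """STS side: embed the claims in a token and sign header+payload with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iss=STS_ISSUER, aud=APP_AUDIENCE, iat=now, exp=now + lifetime)
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(body))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(key: bytes, token: str, now: int) -> dict:
    """Relying-party side: return the claims only after the token checks out.

    Raises ValueError on any failure so callers never see claims from a bad token."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # the token must not get to choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")  # payload altered, or token not from our STS
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != STS_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != APP_AUDIENCE:
        raise ValueError("token not meant for this application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def can_write(key: bytes, token: str, now: int) -> bool:
    """Authorization decision driven purely by validated claims; no user lookup needed."""
    try:
        claims = validate_token(key, token, now)
    except ValueError:
        return False
    return "canWrite" in claims.get("permissions", [])


def tamper_permissions(token: str) -> str:
    """Constructed attack: rewrite the payload to add canWrite but keep the old signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(p_b64))
    claims["permissions"] = claims.get("permissions", []) + ["canWrite"]
    return f"{h_b64}.{_b64url(_json(claims))}.{s_b64}"


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_token(STS_KEY, {"sub": "alice", "email": "alice@example.test",
                                "roles": ["reader"], "permissions": ["canRead"]}, now)
    print("honest token can write:", can_write(STS_KEY, tok, now))
    print("tampered token can write:", can_write(STS_KEY, tamper_permissions(tok), now))
    print("expired token can write:", can_write(STS_KEY, tok, now + 3600))
```

The point of `validate_token` is the order of operations: the signature is checked before any claim is read, and the issuer, audience and expiry are checked before the claims are handed back. Skipping any one of those checks is what turns "the claims are signed" into "the claims can be forged": a token from another issuer, a token minted for a different application, or a payload edited after issue would otherwise be accepted on the strength of the claims it carries.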