Back to an oldie but a goodie: the custom claims provider for SharePoint. I believe this applies to SharePoint 2010 as well, but honestly I have only tested what I'm about to describe on SharePoint 2013 and don't have the bandwidth to go back and run a 2010 test too. What I want to describe today is the values you may expect to get, and the values you actually get, in a custom claims provider's FillClaimsForEntity, FillResolve and FillSearch methods. Chances are they may not be what you expect.
All of the details above apply to the Uri parameter in those methods. There's one other thing to be aware of as well, however, and that's the array of entity types that is provided in these methods. The string[] entityTypes parameter is important to understand because it tells you what type of result (i.e. PickerEntity) you should return when FillResolve or FillSearch is invoked. The main scenario where it matters is when you are setting the site collection administrator. To this day, SharePoint has a limitation that only an individual user (or, better stated, only an identity claim) can be added as a site collection administrator. What I've found is that when you are trying to set the site collection administrator and your custom claims provider is invoked from within Central Administration, the entityTypes array correctly contains only one value: SPClaimEntityTypes.User. HOWEVER... if you are in a site collection and you try to change the site collection administrators from within it, entityTypes contains five different entity types instead of just User. At this point I don't know of a good way to distinguish that from a legitimate request within the site collection where all of those entity types would be appropriate, such as when you're adding a user or claim to a SharePoint group or permission level.
I don't know if or how much any of this may change in the future (i.e. whether these are considered bugs or not), so for now I just wanted to document the behavior so that, as you design your farm implementation, you know exactly what information you'll have available within your custom claims provider to help make fine-grained security decisions.
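To make the entityTypes behavior above concrete, here is an added example of a minimal SPClaimProvider (this is not code from the post or from any SharePoint sample). It does two things a practitioner would want: it returns only the entity types SharePoint actually asked for, so a request that carries only SPClaimEntityTypes.User can never be answered with a role claim, and it traces the context Uri and the entityTypes array on every call, so you can observe on your own farm which dialog sends one type and which sends five. The provider name, the identity and role claim types, the mapping of role claims to SPClaimEntityTypes.FormsRole, the in-memory directory and the TraceSource name are all constructed or assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// Added example: returns only requested entity types and traces what the
// Fill* methods receive. Claim types, provider name, sample directory and
// trace source are assumptions for illustration.
public class EntityTypeAwareClaimProvider : SPClaimProvider
{
    // Assumed claim types; a real provider uses its trusted identity
    // provider's identity claim type and whichever role claim type it augments with.
    private const string IdentityClaimType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    private const string RoleClaimType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    private const string StringValueType = "http://www.w3.org/2001/XMLSchema#string";
    private static readonly TraceSource Log = new TraceSource("EntityTypeAwareClaimProvider");

    // Constructed sample directory standing in for a real user/role store.
    private static readonly string[] SampleUsers = { "alice@contoso.example", "bob@contoso.example" };
    private static readonly string[] SampleRoles = { "Finance", "Engineering" };

    public EntityTypeAwareClaimProvider(string displayName) : base(displayName) { }

    public override string Name { get { return "EntityTypeAwareClaimProvider"; } }
    public override bool SupportsEntityInformation { get { return false; } }
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return true; } }
    public override bool SupportsSearch { get { return true; } }

    // True when SharePoint requested exactly one entity type, User. Per the post,
    // the Central Administration site collection administrator dialog sends that;
    // the same dialog inside a site collection sends five types, which cannot be
    // told apart from a group or permission-level request.
    public static bool IsUserOnlyRequest(string[] entityTypes)
    {
        return entityTypes != null && entityTypes.Length == 1
            && entityTypes[0] == SPClaimEntityTypes.User;
    }

    private static void TraceRequest(string method, Uri context, string[] entityTypes)
    {
        Log.TraceInformation("{0}: context={1} entityTypes=[{2}] userOnly={3}", method,
            context == null ? "(null)" : context.AbsoluteUri,
            entityTypes == null ? "" : string.Join(", ", entityTypes),
            IsUserOnlyRequest(entityTypes));
    }

    private PickerEntity MakeEntity(string claimType, string value, string entityType)
    {
        PickerEntity pe = CreatePickerEntity();
        pe.Claim = CreateClaim(claimType, value, StringValueType);
        pe.EntityType = entityType;
        pe.DisplayText = value;
        pe.Description = Name + ": " + value;
        pe.EntityData[PeopleEditorEntityDataKeys.DisplayName] = value;
        pe.IsResolved = true;
        return pe;
    }

    // Offer identity claims only when User was requested and role claims
    // (modelled as FormsRole, an assumption) only when FormsRole was requested.
    private IEnumerable<PickerEntity> Match(string[] entityTypes, string pattern, bool exact)
    {
        Func<string, bool> hit = s => exact
            ? string.Equals(s, pattern, StringComparison.OrdinalIgnoreCase)
            : s.IndexOf(pattern, StringComparison.OrdinalIgnoreCase) >= 0;
        var results = new List<PickerEntity>();
        if (entityTypes != null && entityTypes.Contains(SPClaimEntityTypes.User))
            results.AddRange(SampleUsers.Where(hit).Select(u => MakeEntity(IdentityClaimType, u, SPClaimEntityTypes.User)));
        if (entityTypes != null && entityTypes.Contains(SPClaimEntityTypes.FormsRole))
            results.AddRange(SampleRoles.Where(hit).Select(r => MakeEntity(RoleClaimType, r, SPClaimEntityTypes.FormsRole)));
        return results;
    }

    protected override void FillResolve(Uri context, string[] entityTypes, string resolveInput, List<PickerEntity> resolved)
    {
        TraceRequest("FillResolve(string)", context, entityTypes);
        resolved.AddRange(Match(entityTypes, resolveInput, exact: true));
    }

    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim resolveInput, List<PickerEntity> resolved)
    {
        TraceRequest("FillResolve(SPClaim)", context, entityTypes);
        resolved.AddRange(Match(entityTypes, resolveInput.Value, exact: true)
            .Where(pe => pe.Claim.ClaimType == resolveInput.ClaimType));
    }

    protected override void FillSearch(Uri context, string[] entityTypes, string searchPattern, int maxCount, SPProviderHierarchyTree searchTree)
    {
        TraceRequest("FillSearch", context, entityTypes);
        foreach (PickerEntity pe in Match(entityTypes, searchPattern, exact: false).Take(maxCount))
            searchTree.AddEntity(pe);
    }

    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
    {
        // Trace the context Uri here too; this example adds no augmentation claims.
        TraceRequest("FillClaimsForEntity", context, null);
    }

    protected override void FillClaimTypes(List<string> claimTypes) { claimTypes.Add(IdentityClaimType); claimTypes.Add(RoleClaimType); }
    protected override void FillClaimValueTypes(List<string> claimValueTypes) { claimValueTypes.Add(StringValueType); }
    protected override void FillEntityTypes(List<string> entityTypes) { entityTypes.Add(SPClaimEntityTypes.User); entityTypes.Add(SPClaimEntityTypes.FormsRole); }
    protected override void FillSchema(SPProviderSchema schema)
    {
        schema.AddSchemaElement(new SPSchemaElement(PeopleEditorEntityDataKeys.DisplayName, "Display Name", SPSchemaElementType.TableViewOnly));
    }
    protected override void FillHierarchy(Uri context, string[] entityTypes, string hierarchyNodeID, int numberOfLevels, SPProviderHierarchyTree hierarchy) { }
}
```

The design choice worth noting is that the provider never decides what to return from the Uri or from where it thinks the request came; it only honors the entityTypes array it was handed. That is the safe posture given the limitation the post describes: when the in-site administrator dialog sends all five types, the provider behaves exactly as it would for a group-membership picker, and the trace output lets you confirm on your own farm which entity types each dialog actually sends before you build any finer-grained logic on top of it.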
Thanks. So we could distinguish the intranet and extranet zones and augment claims differently... authorize access based on the zone.