When using AD FS 2.0, it may be beneficial to use shadow accounts in some situations. One reason may be that the service accesses back-end resources that require a Windows token. The Claim to Windows Token Service (c2WTS). This article is intended to focus on the AD FS 2.0 perspective of this solution and will not cover configuring c2WTS, or provisioning the shadow accounts. The c2WTS requires the user's UPN in order to fetch and build a windows token.
Change "adatum\adfssvc" to match the service account that is running AD FS 2.0.
There are good articles that supplement the data in this article. Understanding Claim Rule Language in AD FS 2.0 http://social.technet.microsoft.com/wiki/contents/articles/4792.aspx Claims to Windows Token Service (c2WTS) http://msdn.microsoft.com/en-us/library/ee517278.aspx