Here are some steps you might try:
- Sign the user out from your application.
- Redirect him to a protected resource. If the current page is already a protected resource, then you don't need to do anything more.
- The user will be redirected to the STS (because he is attempting to access a protected resource but he is no longer authenticated)
- If the user still has a valid session against the STS, he will receive an access token (with the new claims) and be redirected back to the initially requested protected resource.
- The user will now have the new claims in the identity.
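The steps above, as an added example that is not part of the original answer. It assumes an ASP.NET MVC 4 relying party using WIF in .NET 4.5 (`System.IdentityModel.Services`), with the `WSFederationAuthenticationModule` and `SessionAuthenticationModule` already configured in web.config; the controller and action names are hypothetical. Only step 1 and 2 need code: the local session cookie (which caches the old claims) is dropped and the browser is sent to a protected resource. Steps 3 to 6 are carried out by the modules and the STS.

```csharp
// Added example, not code from the original answer. Assumes ASP.NET MVC 4 with
// WIF (.NET 4.5, System.IdentityModel.Services) and the WS-Federation modules
// registered in web.config. ClaimsController/ReportsController are hypothetical.
using System.IdentityModel.Services;
using System.Security.Claims;
using System.Web.Mvc;

public class ClaimsController : Controller
{
    // Step 1 and 2: sign the user out of THIS application only and redirect to a
    // protected resource. SessionAuthenticationModule.SignOut() deletes the local
    // session token cookie (the cached claims); it does not contact the STS, so the
    // user's STS session stays valid and no credential prompt is expected.
    [AllowAnonymous]
    public ActionResult Refresh(string returnUrl)
    {
        FederatedAuthentication.SessionAuthenticationModule.SignOut();

        // Open-redirect guard: only follow local URLs. Default to a protected page
        // (hypothetical route) so the WS-Federation round trip is actually triggered.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
        {
            returnUrl = Url.Action("Index", "Reports");
        }
        return Redirect(returnUrl);
    }
}

// Steps 3 to 6 need no further code. The browser, now without a session cookie,
// requests this [Authorize]-protected action; the WSFederationAuthenticationModule
// answers with a redirect to the STS (wa=wsignin1.0). If the STS session is still
// valid it issues a new token carrying the current claims and posts it back to the
// realm, where the SessionAuthenticationModule writes a fresh session cookie and
// the original request is replayed.
[Authorize]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        // The identity now reflects the claims in the freshly issued token.
        var identity = (ClaimsIdentity)User.Identity;
        return View(identity.Claims);
    }
}
```

Note that a stale session token is the reason the sign-out is needed at all: WIF reads claims from the session cookie on each request and never asks the STS again until that cookie is gone or expires, so simply changing claims at the STS does not change what the application sees.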