Understanding Claims Based Authentication

SharePoint 2010 introduces the concept of claims-based authentication, which involves authentication through the use of claims, tokens, and identity providers. At a high level, in claims-based authentication a user makes a claim about his identity, and a trusted party validates that claim.

Consider a real-life scenario where someone is trying to prove her identity. She could provide various claims such as a passport, office identity card, or driver's license. These are strong proofs of that person's identity because they have been issued by the government or by the person's employer. If you trust the government and the employer, you will have no problem accepting that person's identity. On the other hand, if that person shows an identity proof certified by a less trusted authority, you will not accept the identity of that person.

In more technical terms, in claims-based authentication a trusted identity provider performs authentication and validates a claim made by a user. If the claim is validated successfully, a security token is issued for that user. This security token enables the user to log in to the application and access resources within that application.

In SharePoint 2010 a service known as the Security Token Service, or STS, is responsible for issuing tokens that are consumed by SharePoint 2010 applications. The STS is built on Windows Identity Foundation, formerly known as the Geneva framework. When a client requests access to a SharePoint resource, it is redirected to an identity provider. The identity provider validates the identity and issues a token to the client. This token is then submitted to the SharePoint STS. The SharePoint STS verifies that the token comes from a trusted source and issues a new SAML token to the client. The client can now access the requested resource using that SAML token, subject to the appropriate authorization.
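The two-step flow above (identity provider issues a token, the relying-party STS accepts it only from a trusted issuer and re-issues its own) as an added example; this is a simplified simulation, not SharePoint or WIF code. Real SAML tokens are XML signed with X.509 keys; here HMAC over JSON stands in for the signature, and the issuer names and keys are constructed.

```python
# Added example: simplified model of IdP -> SharePoint STS token exchange.
# HMAC over a JSON payload replaces the XML signature of a real SAML token.
import hmac
import hashlib
import json
import time

def issue_token(issuer, key, subject, claims, ttl=300):
    """Issuer signs a set of claims about subject; ttl is validity in seconds."""
    body = {"iss": issuer, "sub": subject, "claims": claims,
            "exp": int(time.time()) + ttl}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_token(token, trusted_issuers, now=None):
    """Return the signed body if the issuer is trusted, the signature is
    valid and the token is unexpired; otherwise return None."""
    body = json.loads(token["payload"])
    key = trusted_issuers.get(body.get("iss"))
    if key is None:                      # unknown issuer: not a trust partner
        return None
    expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                      # payload or signature was altered
    if body["exp"] <= (now if now is not None else time.time()):
        return None                      # expired
    return body

class RelyingPartySTS:
    """Plays the SharePoint STS: trusts named identity providers and
    re-issues its own token carrying the claims it accepted."""
    def __init__(self, name, trusted_issuers, own_key):
        self.name, self.trusted, self.key = name, trusted_issuers, own_key

    def exchange(self, idp_token):
        body = verify_token(idp_token, self.trusted)
        if body is None:
            return None
        return issue_token(self.name, self.key, body["sub"], body["claims"])

# Constructed keys, issuer names and user for the demonstration.
IDP_KEY = b"constructed-idp-key"
STS_KEY = b"constructed-sts-key"
sts = RelyingPartySTS("sharepoint-sts", {"contoso-idp": IDP_KEY}, STS_KEY)

def demo():
    """Token from the trusted IdP is exchanged; one from an unknown IdP is refused."""
    good = issue_token("contoso-idp", IDP_KEY, "alice", {"role": "Contributor"})
    rogue = issue_token("untrusted-idp", b"other-key", "alice", {"role": "Admin"})
    return sts.exchange(good), sts.exchange(rogue)
```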


By the Way

SAML stands for Security Assertion Markup Language, and SAML tokens are XML representations of claims. SAML tokens carry statements, which are sets of claims made by one entity about another entity.

