Authentication is the validation of a user's identity against an authentication provider, which is a directory or database that contains the user’s credentials and can verify that the user submitted them correctly. User authentication occurs when a user attempts to access a SharePoint resource.
SharePoint 2013 supports two authentication types,
- Claims-based authentication
- Windows classic mode authentication
Windows classic mode authentication- The result of a Windows classic mode authentication is a Windows security token. We recommend that you use claims-based authentication for user authentication.
- This is also referred to as “classic mode authentication”.
- This approach has a disadvantage that it is not future proof and unsuitable for environments such as extranet, inter-organization, or situations where the domain may not be accessible or there may be many domains in play.
Claims-based authentication
Claims-based authentication is a claims-based security token, which the SharePoint Security Token Service (STS) generates. When a user signs in to SharePoint, the user's token is validated and then used to sign in to SharePoint. The user's token is a security token issued by a claims provider.
Claims-based authentication will support Windows, forms-based, and Security Assertion Markup Language (SAML)-based claims authentication.
- Windows authentication
Windows authentication is a normal windows login to access the SharePoint Site.
- User requests a webpage to SharePoint.
- SharePoint Requests windows credentials.
3. Send the windows credentials.
- Form Based Authentication
Form authentication is different from windows authentication and this will refer the external provider to get the credentials. When user requests to the SharePoint page it will redirect to the form based login page.
- User requests a webpage to SharePoint.
- SharePoint send Form based login page.
- Send Credentials
- Validate the credentials with external membership provider.
SAML Authentication
SAML mode is commonly used with Single Sign-On (SSO).
The Process flow SAML authentication,
SAML-based claims authentication process flow is the User interacting to a SharePoint Server expecting the result from -> Identity Federation Server AD FS->AD DS domain controller.
- User requests a webpage to SharePoint.
- SharePoint server redirects the user to the AD FS server to obtain a SAML-based login page for user credentials.
- User enters his credentials and sends them to ADFS to request for a SAML security token.
- ADFS will interact with ADDS to verify them.
- AD FS construct the SAML security token, sign it and send it to the client computer.
- Computer will send the request to SharePoint Server with SAML Security token.
- STS (Security Token Service) creates a claims based security token and stores it with the distributed cache service on the SP farm.
Security token are based on to the SAML security token from AD FS, SharePoint server is then created and sends a federated authentication cookie to the client computer, this cookie contains an encrypted key of the security token. If the user is authorized to access the requested webpage through analysis of the claims in the security token then SharePoint sends the contents of the page.