Objective: To understand how SAML-based claims authentication works in SharePoint 2013.
After viewing the video, use the following to practice and review:
Learner Modules for Claims Authentication in SharePoint 2013 for all of the modules in this
Fast Learner series.
For the answers to these review questions, click
Let’s step through a simplified Security Assertion Markup Language, or SAML,-based claims authentication process for SharePoint 2013.
SAML-based claims authentication is an interaction between a client computer, a SharePoint server, an identity federation server (such as Active Directory Federation Services, or AD FS), and an identity provider, which contains the actual accounts, passwords,
and account attributes, such as Active Directory Domain Services, or AD DS.
Please note that this process example is deliberately simplified. AD FS and SAML claims are not required if you are using an AD DS infrastructure in which the forests and domains trust each other.
Before we step through the authentication process, let’s examine the set of trust relationships that must be in place. First, the federation server, the AD FS server, must trust the identity provider for which it is issuing SAML security tokens. In this
case, the trust is implicit because the AD FS server is a member of the AD DS domain, and therefore trusts the validation of security credentials by its domain controllers.
AD FS must also trust security token requests for locations on the SharePoint server.
For this trust relationship, you configure AD FS with the URLs of SharePoint web applications as relying parties. Web pages within those URLs will now be trusted for SAML security token requests.
The SharePoint server must also trust the AD FS server. The AD FS server uses a signing certificate to sign the SAML security tokens that it issues. To validate the digital signature on the security tokens issued by AD FS, you configure the SharePoint farm
with the public portion of that signing certificate.
Now let’s take a look at the authentication process.
The SharePoint server then creates and sends a Federated Authentication, or FedAuth, cookie to the client computer. This cookie contains an encrypted key or index to the security token. If the user is authorized to access the requested web page, through
analysis of the claims in the security token and the configured permissions, the SharePoint server then sends the contents of the page. For subsequent requests, the client computer uses the FedAuth cookie for authentication.
For additional information about claims authentication, go to the SharePoint 2013 claims authentication portal at
Also visit technet.com/sharepoint.
1. What information does the SharePoint server use to construct the claims-based security token?
Answer: Claims in the SAML security token received from the web client, as issued by the AD FS server.
2. What is the difference between the SAML security token and the SharePoint claims-based security token?
Answer: The SAML security token is issued by the AD FS and is the proof that a web client has provided valid security credentials with its identity provider. The SharePoint claims-based security token is issued by the Security Token Service
on the SharePoint server and is used to represent a validated user to SharePoint components.
3. True or False: The web client stores both the SAML security token and the SharePoint claims-based security token and uses the latter when making subsequent requests of resources on the SharePoint server.
Answer: False. The web client does not store the SharePoint claims-based security token. The web client uses a FedAuth cookie for subsequent resource requests.
4. What is the element of configuration so that the AD FS server trusts the SharePoint server? What is the element of configuration so that the SharePoint server trusts the AD FS server?
Answer: The web application URL of the SharePoint server is configured as a relying party. The public portion of the AD FS token signing certificate
5. How does the SharePoint server verify that the SAML security token was issued by its trusted AD FS server?
Answer: The SharePoint server uses the installed public portion of the AD FS server's token signing certificate to validate the digital signature on the SAML security token.