
Thursday, August 23, 2012

SharePoint 2013 Authentication


The following are the new Authentication features in SharePoint 2013.

Feature: Claim based authentication
Description: User authentication in SharePoint 2013 is based on claims. Classic Windows-based authentication is being removed; it is still available in the Preview version, but it will be removed when the product is released.

We can switch a web application from classic-mode authentication to claims-based authentication by using the new Convert-SPWebApplication PowerShell cmdlet. SharePoint 2010 allowed migration of authentication modes per web application only; SharePoint 2013 also allows migration per content database.

Feature: Support for OAuth 2.0
Description: SharePoint 2013 now supports authentication based on the Open Authorization 2.0 (OAuth 2.0) protocol. This authentication is used to allow temporary access to a limited set of resources such as lists, images, etc. Support for OAuth simplifies server-to-server authentication and app authentication.

Feature: Distributed Cache server
Description: SharePoint 2013 introduces a Distributed Cache server, which enables caching of user credentials in a centralized location shared by multiple front-end servers.
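The Convert-SPWebApplication step mentioned above, shown as an added example that is not from the original post: it converts one classic-mode web application to claims-based authentication and then checks the outcome. The web application URL is a placeholder, and the script assumes it is run in the SharePoint 2013 Management Shell on a farm server by a farm administrator.

```powershell
# Added example (not from the original post): migrate a classic-mode web application to
# claims-based authentication and verify the result. The URL below is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url = "http://intranet.contoso.local"   # placeholder web application URL

# Before: record the current mode and the content databases that will be touched.
$webApp = Get-SPWebApplication -Identity $url
"Before conversion: UseClaimsAuthentication = $($webApp.UseClaimsAuthentication)"
$webApp.ContentDatabases | Select-Object Name, Server

# Convert to claims. -RetainPermissions rewrites the existing Windows accounts into their
# claims-encoded form so that users keep the permissions they already have.
Convert-SPWebApplication -Identity $url -To Claims -RetainPermissions

# After: the web application must now report claims mode, and user logins should appear
# in the claims-encoded form (e.g. "i:0#.w|contoso\alice" rather than "contoso\alice").
$webApp = Get-SPWebApplication -Identity $url
"After conversion: UseClaimsAuthentication = $($webApp.UseClaimsAuthentication)"
Get-SPUser -Web $url -Limit All | Select-Object UserLogin, DisplayName
```

The conversion is one-way, so back up the affected content databases and rehearse it on a non-production farm first. Later updates to SharePoint 2013 changed the cmdlet's parameter set (it also takes -From Legacy), so confirm the syntax for your build with Get-Help Convert-SPWebApplication before running it.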


To know more about the authentication features in SharePoint 2013, refer to the following posts:
   SharePoint 2013 Claim Based Authentication
   SharePoint 2013 Support for OAuth 2.0
   SharePoint 2013 Distributed Cache Service



SharePoint 2013 Claim Based Authentication


SharePoint 2013 supports only claims-based authentication. The Preview version still supports classic Windows authentication, but it will be removed when the actual release rolls out.

Authentication is the process by which the system validates the identity of the user and allows or denies that user access.



In classic Windows authentication, users are configured on the Windows server and their credentials are validated when the user logs in to the server.

In claims-based authentication, an independent identity provider validates the identity of the user and issues a security token. The security token can contain multiple claims, each of which carries a distinct piece of information about the user; examples of claims are user name, SSN, etc.

The following claims-based authentication methods are supported in SharePoint 2013:

   Windows claims using Windows Identity Foundation
   Security Assertion Markup Language (SAML) based claims
   Forms-based authentication claims

Tuesday, August 21, 2012

Security Assertion Markup Language


Security Assertion Markup Language (SAML) is an open, XML-based standard used to implement claims-based authentication. It provides a set of protocols for exchanging security tokens between applications and services in XML format.

As part of the SAML XML message we can pass attributes to the target application or service; examples of attributes are name, email, SSN, etc. These provide additional information about the user to the target application or service. The role of the user can also be passed as an attribute, so that the target application or service can restrict the services it offers to the user based on the role attribute.

Windows Identity Foundation

Windows Identity Foundation (WIF) is a framework developed by Microsoft to help applications and services recognize and use claims-based security tokens. In short, it enables claims-based authentication for applications and services.

WIF provides a set of APIs which applications can use to read the details from the claims; it helps applications decide whether to grant or deny access to the user or service based on the details in the claims.
WIF also provides a utility, FedUtil, which helps establish the trust between an application and the identity provider (STS).
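The two ideas above (attributes carried in a SAML message, and an application granting or denying access from the claims it reads) put together in an added example; this is not code from the original post, nor WIF itself. The assertion, issuer, audience, user and role values are constructed for illustration, and the clock is fixed so the sample validates offline.

```powershell
# Added example (not from the original post): read the attributes of a SAML 2.0 assertion and
# make a claims-based grant/deny decision, as a relying party using WIF would after the token
# has been validated. Everything in the assertion below is constructed sample data.
$samlXml = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-assertion-id" Version="2.0" IssueInstant="2012-08-21T10:00:00Z">
  <saml:Issuer>https://sts.example.local/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.local</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-08-21T09:55:00Z" NotOnOrAfter="2012-08-21T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:sharepoint:intranet</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.local</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Readers</saml:AttributeValue>
      <saml:AttributeValue>Contributors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

$SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion"

function New-SamlNamespaceManager {
    param([xml]$Assertion)
    $ns = New-Object System.Xml.XmlNamespaceManager($Assertion.NameTable)
    $ns.AddNamespace("saml", $SamlNs)
    return $ns
}

# The conditions must hold before any attribute is trusted: the token has to come from the
# expected STS, be addressed to this application, and be inside its validity window.
# NOTE: the XML signature must also be verified against the trusted STS certificate
# (System.Security.Cryptography.Xml.SignedXml, or WIF's token handlers); not shown here.
function Test-SamlConditions {
    param([xml]$Assertion, [string]$ExpectedIssuer, [string]$ExpectedAudience, [datetime]$NowUtc)
    $ns = New-SamlNamespaceManager $Assertion
    $issuer   = $Assertion.SelectSingleNode("/saml:Assertion/saml:Issuer", $ns).InnerText
    $cond     = $Assertion.SelectSingleNode("/saml:Assertion/saml:Conditions", $ns)
    $audience = $cond.SelectSingleNode("saml:AudienceRestriction/saml:Audience", $ns).InnerText
    $mode = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute("NotBefore"), $mode)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute("NotOnOrAfter"), $mode)

    if ($issuer -ne $ExpectedIssuer)     { Write-Warning "Unexpected issuer: $issuer"; return $false }
    if ($audience -ne $ExpectedAudience) { Write-Warning "Token not addressed to us: $audience"; return $false }
    if ($NowUtc -lt $notBefore -or $NowUtc -ge $notOnOrAfter) { Write-Warning "Token outside validity window"; return $false }
    return $true
}

# Flatten every <saml:Attribute>/<saml:AttributeValue> pair into a (Type, Value) claim.
function Get-SamlClaims {
    param([xml]$Assertion)
    $ns = New-SamlNamespaceManager $Assertion
    $claims = @()
    foreach ($attr in $Assertion.SelectNodes("//saml:AttributeStatement/saml:Attribute", $ns)) {
        $type = $attr.GetAttribute("Name")
        foreach ($val in $attr.SelectNodes("saml:AttributeValue", $ns)) {
            $claims += New-Object PSObject -Property @{ Type = $type; Value = $val.InnerText }
        }
    }
    return $claims
}

$nameClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
$roleClaim = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

$assertion = [xml]$samlXml
# Fixed clock so the constructed sample validates; use (Get-Date).ToUniversalTime() for real tokens.
$nowUtc = [System.Xml.XmlConvert]::ToDateTime("2012-08-21T10:01:00Z", [System.Xml.XmlDateTimeSerializationMode]::Utc)

if (Test-SamlConditions $assertion -ExpectedIssuer "https://sts.example.local/adfs/services/trust" `
                        -ExpectedAudience "urn:sharepoint:intranet" -NowUtc $nowUtc) {
    $claims = Get-SamlClaims $assertion
    $name  = ($claims | Where-Object { $_.Type -eq $nameClaim } | Select-Object -First 1).Value
    $roles = @($claims | Where-Object { $_.Type -eq $roleClaim } | ForEach-Object { $_.Value })
    if     ($roles -contains "Contributors") { "Grant $name edit access (roles: $($roles -join ', '))" }
    elseif ($roles -contains "Readers")      { "Grant $name read-only access" }
    else                                     { "Deny $name: no recognised role claim" }
} else {
    "Token rejected; no access granted"
}
```

The decision is driven only by the role claim type the STS agreed to issue, never by a claim the caller could choose freely, and the issuer, audience and time checks run before any attribute is read; in a real relying party the signature check sits in front of all three, which is exactly what WIF's token handlers do for you.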

Claim Based Authentication

Claims-based authentication is an authentication mechanism which acts as an alternative to the traditional username/password mode of authentication. It makes it easy to implement features like single sign-on, by re-using the same security token across multiple applications and services.

In claims-based authentication, the application or service is relieved from implementing the logic to validate a user's identity; instead the validation is done by an independent identity provider, commonly known as a Security Token Service (STS).