Understanding SAML Token-Based Authentication in SharePoint 2013

You can configure SharePoint 2013 to use SAML token-based federated authentication from a wide range of claims providers. SharePoint uses the following industry standards to request, receive, and process SAML tokens:
  • SAML 1.1 protocol
  • WS-Federation Passive Requestor Profile (WSF PRP)
If the claims provider supports these standards, like many open authentication platforms and federation gateways do, you should be able to federate authentication to your SharePoint 2013 deployment. At a high level, you will need to perform the following steps to use SAML token-based authentication with a SharePoint web application:
  1. Register your web application with the claims provider as a relying party.
  2. Configure rules on the claims provider to determine which claims are presented to the relying party and how user attributes are mapped to claims.
  3. Configure a trust relationship between the SharePoint Security Token Service and the claims provider. This is accomplished by exporting a token signing certificate from the claims provider, and then using the exported certificate to create a new trusted root certification authority on the SharePoint server.
  4. Register a new RP-STS entry for the claims provider in the SharePoint Security Token Service. This should specify:

    • A name and description for the claims provider.
    • The certificate to use to verify and decrypt SAML tokens.
    • How incoming claim types should be mapped to outgoing claim types.
    • The remote sign-in URL for federated identities.
    • The supplied claim that uniquely identifies the user.

  5. Configure a web application to use the claims provider by selecting the claims provider from the list of configured authentication providers in the authentication settings for the web application zone.

After you complete these steps, the SharePoint Security Token Service acts as an RP-STS for the claims provider. When the claims provider issues a SAML security token to SharePoint, the RP-STS will verify the token, parse the claims, and issue a local security token that SharePoint can use to establish the level of access that should be granted to the user.
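The trust relationship and RP-STS registration of steps 3 and 4, as an added SharePoint Management Shell example that is not part of the original article; the certificate path, provider name, realm, and sign-in URL are constructed placeholders, and the claim type URIs are the standard e-mail and role claim types.

```powershell
# Added example (not from the original article): steps 3 and 4 as SharePoint
# Management Shell commands. Path, names, realm and URL are placeholders.

# Step 3: import the token-signing certificate exported from the claims provider
# and register it as a trusted root authority in the farm. Confirm the
# thumbprint out of band with the claims provider's administrator before
# trusting it: every token signed by this certificate will be accepted.
$certPath = "C:\certs\claims-provider-token-signing.cer"   # placeholder path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
Write-Host "Token-signing certificate thumbprint: $($cert.Thumbprint)"
Write-Host "Valid until: $($cert.NotAfter) (plan certificate rotation before this date)"
New-SPTrustedRootAuthority -Name "Claims Provider Token Signing" -Certificate $cert

# Step 4a: map incoming claim types to the claim types SharePoint will use.
# -SameAsIncoming keeps the claim type URI unchanged; -LocalClaimType would rename it.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Values that the relying-party registration from step 1 and this entry must agree on.
$realm     = "urn:sharepoint:contoso"               # placeholder realm (relying party identifier)
$signInUrl = "https://sts.example.com/adfs/ls/"     # placeholder remote sign-in URL

# Step 4b: register the RP-STS entry with its name, description, verification
# certificate, claim mappings, sign-in URL, and the claim that identifies a user.
$issuer = New-SPTrustedIdentityTokenIssuer `
    -Name "Claims Provider" `
    -Description "SAML 1.1 / WS-Federation claims provider" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# Step 5 is then completed in Central Administration by selecting this
# provider for the web application zone. Show what was registered:
$issuer | Format-List Name, Realm, ProviderUri
```

The e-mail claim is used here as the identifier claim; whichever claim you choose must be one the claims provider always issues and that is unique per user, or two accounts could resolve to the same SharePoint identity.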