SAML-based Authentication in SharePoint 2013


In SAML claims mode, SharePoint 2013 accepts SAML tokens from a trusted external Security Token Service (STS).

A user who tries to access a secured webpage is redirected to the external login page of the STS provider. The STS is responsible for authenticating the user and producing the SAML token. SharePoint accepts and processes the SAML token and creates a claims-based security token.

SAML mode is commonly used with Single Sign-On (SSO).

SAML-based claims authentication process

SAML-based claims authentication is an interaction among a "Client Computer", a "SharePoint Server", an "Identity Federation Server AD FS" and an "AD DS domain controller".

Trust relationships must be in place between:

  • Identity Federation Server "AD FS" must trust the authentication provider "AD DS"
  • Identity Federation Server "AD FS" must trust token requests from the SharePoint server
  • The SharePoint server must trust the AD FS server. The AD FS server uses a signing certificate to sign the SAML security tokens it issues; to validate the digital signature on a security token issued by AD FS, you configure the SharePoint farm with the public portion of that certificate
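
The third trust relationship, sketched as an added example (not taken from the original post): it checks the exported AD FS token-signing certificate before registering it with the farm. The certificate path, realm, sign-in URL, issuer names and expected thumbprint are placeholder assumptions to be replaced with your own values.

```powershell
# Added example. Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder values (assumptions, not from the article)
$certPath           = "C:\certs\adfs-token-signing.cer"
$realm              = "urn:sharepoint:portal"
$signInUrl          = "https://adfs.example.com/adfs/ls/"
$expectedThumbprint = "<THUMBPRINT-CONFIRMED-WITH-ADFS-ADMIN>"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Only the public portion belongs on the farm; a file carrying the private key
# (for example a .pfx export) would let anyone holding it sign tokens.
if ($cert.HasPrivateKey) {
    throw "Certificate file contains a private key; export the public certificate only."
}

# An expired signing certificate makes every token fail signature validation.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Token-signing certificate expired on $($cert.NotAfter)."
}

# Compare against a thumbprint obtained out of band (uppercase hex, no spaces),
# so that a swapped certificate file is not trusted silently.
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint)."
}

# Trust the certificate farm-wide so the signature chain validates.
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert

# Map the incoming e-mail claim and use it as the identity claim.
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# Register AD FS as a trusted identity token issuer for this realm.
New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "AD FS SAML provider" `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# Confirm what the farm now trusts.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS" |
    Select-Object Name, DefaultProviderRealm, ProviderUri
```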


1. At first an anonymous user initiates a request to a secured SharePoint page.

2. SharePoint server redirects the user to the AD FS server to obtain a SAML-based login page for user credentials.

3. The user types the credentials and the client computer sends them to the AD FS server with a request for a SAML security token.

4. The AD FS server validates the user credentials against the identity provider AD DS.

5. The AD FS server constructs the SAML security token, signs it and sends it to the client computer.

6. The client computer sends a new request to the webpage and this time it includes the SAML token.

7. The Security Token Service on the SharePoint server creates a claims-based security token and stores it with the distributed cache service on the SharePoint farm. Claims in the security token are based on the claims in the SAML security token from AD FS. The SharePoint server then creates and sends a federated authentication cookie to the client computer; this cookie contains an encrypted key of the security token. If the user is authorized to access the requested webpage through analysis of the claims in the security token, then SharePoint sends the contents of the page.


Happy coding...

Diagrams source: Microsoft Technet