Claims Architecture for SharePoint 2010 Developers

When you configure a SharePoint 2010 web application in claims mode, different authentication options are available. These options determine the flow of the authentication process. To learn more about authentication options, see Authorization and Authentication.

The following figure shows the steps in the authentication process. It traces, in order, the routes the authentication flow can take, depending on which of the authentication options available in SharePoint 2010 are configured.

High-level claims-based authentication process

Steps in the Authentication Process
  1. The client requests a SharePoint resource.

  2. As part of the request pipeline, if the request is not authenticated, the authentication components route the request based on the authentication settings for that zone.

  3. The request is then processed by the authentication components. When more than one authentication method is configured for the given zone, the authentication selection page enables the user to choose the authentication method. If only one authentication method is specified, the request is processed directly by the specified authentication method.

  4. The user is authenticated by the identity provider.

  5. If authentication succeeds, the SharePoint security token service (STS) generates a claims-based token for the user with the information provided by the identity provider. If additional claims providers are configured, the STS augments the user's token with the claims given by the claims provider. For more information about claims providers, see Claims Tips 2: Learning About Claims-Based Authentication in SharePoint 2010.

  6. The claims-based token of the user is sent back to the authentication components.

  7. The authentication components redirect the request back to the resource address, with the claims-based token issued for the user.

  8. The rest of the request pipeline is executed and a response is sent back to the requestor (client). As part of the request pipeline, the authorization is completed.


For more diagrams and the entire whitepaper, see Claims Architecture and Scenarios for SharePoint 2010 Developers.

Siew Moi Khor