Many are joining enjoying the benefits of federated authentication with OWA. However, with EWS they find that they cannot use federated authentication. EWS can use Basic, NTLM and oAuth for authentication. EWS does not support things like SAML tokens, etc. There is also no developer support for changing authentication token credentials programmatically – such as using an ISAPI filter. I'm pointing this out for clarity and how things are at the time of this post. I don't know if anything will change in this area in the future.
OAuth may be the closest thing to federated authentication. Below is a link which covers the supported types of authentication.
Authentication and EWS in Exchange
EWS Impersonation can be used in some situations where a developer might use federated authentication with EWS – if it supported it. So, please review at the links below.
How to: Configure impersonation
How to: Configure impersonation (2013)
Configuring Exchange Impersonation in Exchange 2010
Exchange Impersonation vs. Delegate Access
Here are some additional links which may help:
Getting started with EWS
Best Practices: EWS Managed API coding for Exchange
About: Exchange Web Services (EWS)
Best Practices – EWS Authentication and Access Issues