2.1.2.4.1 Authentication

For user authentication, SharePoint Products and Technologies relies on external authorities to validate a user's identity and, optionally, the user's group (1) or role membership. By default, this external authority is Active Directory Domain Services (AD DS), but SharePoint Products and Technologies supports pluggable authentication, so any appropriately configured authentication provider can validate a user's identity. Such a provider, called an authentication system, supplies the list of users and group (1) memberships that are available to a web application (1) in SharePoint Products and Technologies. SharePoint itself does not verify credentials; it trusts the identity that the configured authentication system asserts. A technical specification of an authentication system is available in [MS-WSSTS] section 2.1.4.

Microsoft SharePoint Server 2013 and later also implement claims-based identity, an authentication system built on several industry standards, as described in [MS-SPSTWS] section 1. This capability exists in addition to Windows Challenge/Response (NTLM) and the Kerberos protocol. Because the implementation is standards based, a deployment of SharePoint Server 2013 and later can use any protocol or service that implements these standards to provide identity to SharePoint Products and Technologies. In addition, when applications running on SharePoint Server 2013 and later need to make external Web service calls, Microsoft SharePoint Server issues a Security Assertion Markup Language (SAML) token that identifies both the user and the application pool identity. For more information, see [WSTrust], [WSFederation], and [SAMLToken1.1].
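Because SharePoint trusts whatever authentication system is bound to a web application (1), the practical check is to enumerate what each web application and zone actually exposes: classic Windows authentication versus the claims pipeline, NTLM-only versus Kerberos, Basic authentication, and any trusted identity token issuers together with the expiry of their signing certificates. The following script is an added example and is not part of the SharePoint protocol documentation or of any Microsoft tooling. It assumes it is run in the SharePoint Management Shell on a farm server with farm-administrator rights, and it relies on the Microsoft.SharePoint.PowerShell cmdlets and object properties as documented for SharePoint Server 2013 and later (Get-SPWebApplication, Get-SPAuthenticationProvider, Get-SPTrustedIdentityTokenIssuer, UseClaimsAuthentication, DisableKerberos, UseBasicAuthentication, SigningCertificate); the 90-day warning threshold is an arbitrary choice.

```powershell
# Added audit script (not from [MS-SPO] or any Microsoft tool).
# Assumption: run in the SharePoint Management Shell on a farm server.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$findings = @()

function Add-Finding {
    param([string]$WebApp, [string]$Zone, [string]$Provider, [string]$Issue)
    $script:findings += [pscustomobject]@{
        WebApplication = $WebApp
        Zone           = $Zone
        Provider       = $Provider
        Issue          = $Issue
    }
}

foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    # Classic-mode web applications authenticate with Windows directly and
    # never enter the claims-based identity pipeline described in [MS-SPSTWS].
    if (-not $wa.UseClaimsAuthentication) {
        Add-Finding $wa.DisplayName '(all)' 'Classic Windows' 'Classic mode; claims pipeline not in use'
    }

    # Every zone (Default, Intranet, Internet, Custom, Extranet) can carry its
    # own set of authentication providers, so inspect each zone separately.
    foreach ($zone in $wa.IisSettings.Keys) {
        $providers = @(Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone)
        if ($providers.Count -eq 0) {
            Add-Finding $wa.DisplayName $zone '(none)' 'Zone has no authentication provider'
            continue
        }
        foreach ($p in $providers) {
            $name = $p.GetType().Name
            if ($p -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider]) {
                if ($p.UseBasicAuthentication) {
                    Add-Finding $wa.DisplayName $zone $name 'Basic authentication enabled; credentials are only as protected as the transport'
                }
                if ($p.UseWindowsIntegratedAuthentication -and $p.DisableKerberos) {
                    Add-Finding $wa.DisplayName $zone $name 'NTLM only; Kerberos disabled for integrated authentication'
                }
            }
            else {
                # Forms-based or trusted (SAML) providers: record them so the
                # external authority being trusted for this zone is visible.
                Add-Finding $wa.DisplayName $zone $name ("External authentication system: " + $p.DisplayName)
            }
        }
    }
}

# Trusted identity token issuers are farm-wide: SharePoint accepts any SAML
# token signed by the issuer's certificate, so an expired or soon-to-expire
# signing certificate is an availability and an operational-security issue.
$warnDays = 90   # assumption: arbitrary warning window
foreach ($issuer in Get-SPTrustedIdentityTokenIssuer) {
    $cert = $issuer.SigningCertificate
    if ($null -eq $cert) {
        Add-Finding '(farm)' '(all)' $issuer.Name 'Trusted issuer has no signing certificate'
    }
    elseif ($cert.NotAfter -lt (Get-Date).AddDays($warnDays)) {
        Add-Finding '(farm)' '(all)' $issuer.Name ("Signing certificate expires " + $cert.NotAfter.ToString('u'))
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No authentication findings.'
}
else {
    $findings | Sort-Object WebApplication, Zone | Format-Table -AutoSize
}
```

The script reports, never changes, configuration; turning a finding into a change (for example enabling Kerberos on a zone) belongs in a separate, reviewed change because it also requires service principal names and application pool account configuration outside SharePoint.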