3.1.5.4.3 User Identification and Authentication
The user's identity is not conveyed explicitly in the wsignin1.0 request message. The IP/STS MUST establish this by initiating a message exchange with the web browser requestor that will cause the users to identify themselves and prove their right to assert that identity.
The user authentication methods are implementation-specific and are not addressed in this protocol. It is recommended that the IP/STS employ a standard protocol to authenticate the user, such as Kerberos (for more information, see [RFC4120]). It MAY use an HTML form to collect credentials directly from the user (ideally using HTTPS) and compare them against a local database. Or it MAY authenticate the user by initiating the Microsoft Web Browser Federated Sign-On Protocol with another STS.<57>
Whatever method is used, the IP/STS MUST store the results in the Authentication Context, as defined in section 3.1.1.2.
If the user cannot successfully authenticate, the IP/STS MUST abort processing the request and return an error message to the user.