Sunday, April 24, 2011

Federated Authentication

In Kerberos authentication, all the parties are in a single domain (or in domains that trust each other). When Windows first introduced integrated identity management, the biggest problem for a three-tier application was that the business tier could not retrieve the user's identity: the user's Kerberos ticket is accepted by the first hop but is not passed along to the next one (the well-known double-hop problem).

One way to overcome this is to introduce your own identity provider, a security component that authenticates the user and hands the application a token that carries the identity across the hops.

When we move from a single domain to the Internet, where there are disparate systems under different administrations, all the systems must at least agree on a common protocol to communicate.

When a client requests a service, it should present a common form of identity, a token, that all the participating systems understand. One such standard is the Security Assertion Markup Language (SAML).

The token is issued by a system called the Identity Provider (IdP). The IdP authenticates the user and issues a SAML token (a SAML assertion).

For a complete understanding of SAML, read the article

The service (the Service Provider, in SAML terms) must trust the IdP before it will accept its tokens. In practice the IdP signs the token and the service verifies that signature against a certificate it has been configured to trust; it also rejects tokens that have expired or that were issued for a different service.

Instead of carrying only the result of the authentication (yes/no), a SAML token can carry additional information about the user. These pieces of information are called attributes within the SAML token. Each attribute is a name/value pair. For example, when a SAML token issued by a university is presented to a library, it can contain the user's name and the department he or she belongs to: Department is the attribute name and, say, Computer Science is its value.


According to Wikipedia, "Claims based authentication is the process of authenticating a user based on a set of claims about its identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims based authentication."
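The checks a service provider applies before it turns the attributes in a token into claims, as an added example in Python (not code from the original post). The assertion, the issuer URL and the audience URL are constructed for illustration, and the signature value is a placeholder: a real service verifies the XML signature with a SAML library before trusting anything else in the token, which is why that step is only marked, not implemented, here.

```python
"""Turn a SAML 2.0 assertion into a set of claims at the service provider.

Added example, not code from the original post. The assertion, URLs and
signature value below are constructed placeholders, not real systems.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a university IdP asserts who the user is and which
# department they belong to, for consumption by a library service.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_c0ffee01" Version="2.0" IssueInstant="2011-04-24T10:00:00Z">
  <saml:Issuer>https://idp.university.example/saml</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2011-04-24T09:55:00Z" NotOnOrAfter="2011-04-24T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://library.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>Computer Science</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>library-member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The service provider's configuration (constructed): which IdP it trusts,
# the audience name it expects, and the instant at which the demo evaluates.
TRUSTED_IDPS = {"https://idp.university.example/saml"}
MY_AUDIENCE = "https://library.example/sp"
NOW = datetime(2011, 4, 24, 10, 0, tzinfo=timezone.utc)


def _utc(ts: str) -> datetime:
    """Parse the UTC timestamps SAML uses, e.g. 2011-04-24T10:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml: str, trusted_issuers: set, my_audience: str,
                   now: datetime) -> dict:
    """Validate an assertion and return its claims as {name: value or [values]}.

    Raises ValueError for anything the service provider must not accept.
    (Parse with defusedxml in production; stdlib ElementTree is used so the
    example runs without dependencies.)
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 assertion")

    # 1. Trust: accept tokens only from IdPs this service is configured to trust.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError("untrusted issuer: %r" % issuer)

    # 2. Integrity: the IdP signs the assertion. Real verification is XML-DSig
    #    against the IdP's certificate (a SAML library does this); here only
    #    the presence of the Signature element is checked.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")

    # 3. Conditions: validity window and intended audience.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None or not (_utc(nb) <= now < _utc(noa)):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if my_audience not in audiences:
        raise ValueError("assertion was not issued for this service")

    # 4. Subject and attributes become the claims the application sees.
    claims = {"NameID": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0] if len(values) == 1 else values
    return claims


def demo() -> dict:
    """Run the constructed assertion through the checks the library SP applies."""
    return extract_claims(SAMPLE_ASSERTION, TRUSTED_IDPS, MY_AUDIENCE, NOW)


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s = %s" % (name, value))
```

The order of the checks matters: issuer and signature first, because nothing else in the token means anything until it is known who produced it and that it has not been altered; then the time window and audience, so that a token captured from one service cannot be replayed against another; only then are the attributes read out as claims.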

1 comment:

VenuDeevi said...

Simplified / summarized definition of "Federated Authentication", good and simple one to understand without having complex technology buzzwords...