Planning SharePoint Claim Based Authentication

SharePoint Server 2010 introduces claims-based authentication, which is built on Windows Identity Foundation (WIF).

If you select classic-mode authentication, you can implement Windows authentication, and SharePoint Server 2010
treats the user accounts as Active Directory Domain Services (AD DS) accounts.

If you select claims-based authentication, SharePoint Server 2010 automatically changes all user accounts to claims
identities, resulting in a claims token for each user. The claims token contains the claims pertaining to the user.
Windows accounts are converted into Windows claims. Forms-based membership users are transformed into
forms-based authentication claims.

Claims authentication is built on WIF. WIF is a set of .NET Framework classes that are used to implement claims-based identity.
Claims authentication relies on standards such as WS-Federation, WS-Trust, and protocols such as SAML.
Architecture for SAML token-based providers

SharePoint security token service: This service creates the SAML tokens that are used by the farm.
The service is automatically created and started on all servers in a server farm.
The service is used for inter-farm communication because all inter-farm communication uses claims authentication.
This service is also used for authentication methods that are implemented for Web applications that use claims authentication,
including Windows authentication, forms-based authentication, and SAML token-based authentication.
You must configure the security token service during the deployment process.
For more information, see Configure the security token service (SharePoint Server 2010).

Token-signing certificate (ImportTrustCertificate): This is the certificate that is exported from an IP-STS. The certificate is copied to one server in the farm.
Identity claim: The identity claim is the claim from a SAML token that is the unique identifier of the user.
Only the owner of the IP-STS knows which value in the token will always be unique for each user.
Realm: In the SharePoint claims architecture, the URI or URL that is associated with a SharePoint Web application
that is configured to use a SAML token-based provider represents a realm.
SPTrustedIdentityTokenIssuer: This is the object that is created on the SharePoint farm that includes the values
necessary to communicate with and receive tokens from the IP-STS.

Relying party security token service (RP-STS): In SharePoint Server 2010, each Web application that is configured
to use a SAML provider is added to the IP-STS server as an RP-STS entry.
A SharePoint Server farm can include multiple RP-STS entries.

Identity provider security token service (IP-STS): This is the secure token service in the claims environment
that issues SAML tokens on behalf of users who are included in the associated user directory.
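The objects described above come together when a SAML token-based provider is registered on the farm. The following SharePoint 2010 Management Shell script is an added example, not code from the original article; the certificate path, IP-STS sign-in URL, realm URN, provider name and the choice of e-mail address as the identity claim are assumed placeholder values.

```powershell
# Added example: register a SAML token-based provider on a SharePoint 2010 farm.
# All names, paths, URLs and claim types below are placeholders (assumptions).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Token-signing certificate exported from the IP-STS (public key only, .cer).
# Only the signing certificate of your own IP-STS should ever be trusted here.
$certPath = "C:\certs\ip-sts-signing.cer"   # placeholder path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# Trust the signing certificate farm-wide so the SharePoint security token
# service can validate the signature on every incoming SAML token.
New-SPTrustedRootAuthority -Name "Contoso IP-STS Signing" -Certificate $cert

# Claim mappings. The identity claim must be the value the IP-STS owner
# guarantees is unique per user; e-mail address is assumed here.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Realm: the identifier under which this Web application is registered as an
# RP-STS entry on the IP-STS. Sign-in URL: where users are sent to authenticate.
$realm    = "urn:sharepoint:intranet"                  # placeholder realm
$signInUrl = "https://sts.contoso.example/adfs/ls/"    # placeholder IP-STS URL

# SPTrustedIdentityTokenIssuer: holds everything the farm needs to communicate
# with the IP-STS and accept its tokens (ImportTrustCertificate, realm,
# claim mappings, identity claim).
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Contoso IP-STS" `
    -Description "SAML token-based provider (placeholder)" `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# Check: confirm the identity claim and realm recorded on the issuer.
Get-SPTrustedIdentityTokenIssuer -Identity "Contoso IP-STS" |
    Select-Object Name, IdentityClaimTypeInformation, ProviderRealms
```

The Web application is then switched to claims-based authentication and the new trusted provider selected for it in Central Administration; a second Web application needs its own RP-STS entry on the IP-STS and its own realm.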