Server-to-Server Authentication
- SharePoint 2013 extends OAuth to implement a server-to-server authentication protocol that lets a service such as SP 2013 authenticate to other services, such as Exchange Server 2013 or Lync Server 2013, or to any service that complies with the server-to-server authentication protocol.
- SP 2013 has a dedicated local server-to-server security token service (STS) that issues server-to-server security tokens containing user identity claims, to enable cross-server authenticated access.
- The other service uses these user identity claims to look up the user against its own identity provider.
- The trust established between the local STS and the other server-to-server compliant services is the key piece that makes server-to-server authentication possible.
- For on-premises deployments, you configure the JavaScript Object Notation (JSON) metadata endpoint of the other server-to-server compliant service to establish this trust relationship.
- For online services, an instance of Windows Azure Control Service (ACS) acts as a trust broker to enable cross-server communication among the three types of servers.
- The new server-to-server STS in SP 2013 issues access tokens for server-to-server authentication.
- Both SP 2013 and SP 2010 support trusted identity providers that comply with the WS-Federation protocol.
- The new server-to-server STS in SharePoint 2013 performs only one function: issuing temporary access tokens for access to other services such as Exchange 2013 and Lync Server 2013.
- The new server-to-server STS is not used for user authentication and is not listed on the user sign-in page, in the authentication provider UI in Central Administration, or in the People Picker in SP 2013.
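As an added example of the on-premises trust setup described above (this is not code from the original post), the following SharePoint Management Shell script registers a partner service's JSON metadata endpoint as a trusted token issuer and checks the settings a practitioner would want to review first. The host names, trust name and the `<sharepoint-host>` placeholder are assumptions; the cmdlets `New-SPTrustedSecurityTokenIssuer`, `Get-SPTrustedSecurityTokenIssuer`, `Get-SPSecurityTokenServiceConfig` and `Get-SPAuthenticationRealm` are standard SharePoint 2013 cmdlets, while the exact property names selected for display are assumed from the `SPTrustedSecurityTokenIssuer` object.

```powershell
# Added example (not from the original post): registering and checking an
# on-premises server-to-server trust in SharePoint 2013.
# Host names, trust name and realm placeholders below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder: JSON metadata endpoint published by the partner service
# (for Exchange 2013 it is served under the Autodiscover virtual directory).
$partnerName     = "Exchange Server 2013"
$partnerMetadata = "https://exchange.contoso.example/autodiscover/metadata/json/1"

# 1. Refuse to register a trust whose metadata document is served over plain
#    HTTP. The document carries the partner's signing certificate, so an
#    unauthenticated HTTP fetch would let an on-path party swap in a key that
#    SharePoint would then accept on server-to-server tokens.
if ($partnerMetadata -notmatch '^https://') {
    throw "Metadata endpoint must be HTTPS: $partnerMetadata"
}

# 2. Check the STS configuration: both switches should be off in production.
$stsConfig = Get-SPSecurityTokenServiceConfig
if ($stsConfig.AllowMetadataOverHttp -or $stsConfig.AllowOAuthOverHttp) {
    Write-Warning "STS allows metadata or OAuth over HTTP; disable this outside lab environments."
}

# 3. Register the partner as a trusted token issuer (idempotent by name).
#    SharePoint downloads the JSON document, reads the issuer identifier
#    (a GUID@realm string) and the signing certificate, and from then on
#    accepts server-to-server tokens signed with that key.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $partnerName }
if (-not $issuer) {
    $issuer = New-SPTrustedSecurityTokenIssuer -Name $partnerName -MetadataEndPoint $partnerMetadata
}

# 4. Print what was trusted so the registration can be reviewed.
#    (Property names assumed from the SPTrustedSecurityTokenIssuer object.)
$issuer | Select-Object Name, RegisteredIssuerName, MetadataEndPoint, IsSelfIssuer | Format-List

# 5. The trust is one-directional. The partner must in turn trust
#    SharePoint's own metadata endpoint, and the SharePoint authentication
#    realm is what appears in the tokens the local STS issues, so show both.
$realm = Get-SPAuthenticationRealm
Write-Host "SharePoint authentication realm: $realm"
Write-Host "SharePoint metadata endpoint for the partner to trust: https://<sharepoint-host>/_layouts/15/metadata/json/1"
```

The HTTPS check and the `AllowMetadataOverHttp` / `AllowOAuthOverHttp` review are there because the whole trust rests on the signing certificate fetched from that metadata URL; once registered, any token signed by that key is accepted, so the fetch itself must be protected and the list of trusted issuers should be audited periodically with `Get-SPTrustedSecurityTokenIssuer`.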