Traditionally, access control was implemented within the main application by writing a code against user’s credentials to authenticate them and based on their attributes grant/deny access to various resources. This required application developers to be skilled in implementing security and writing a code which is hard to implement and maintain.
Due to Windows Identity Foundation (WIF) all this has changed and it made the things much easier. WIF externalizes authentication and thus application designers can focus only on implementing Business Logic. So, instead of implementing authentication in our application, we use an external system to provide authentication. This system is nothing but a service, which generates secure tokens and transmits those using standard protocols such as SOAP. This service is known as Security Token Service or STS.
Our application is configured to accept these tokens generated by STS. These tokens act as the proof of authentication of a user and hence there is no need for our application to manage these credentials. In this case, our application acts as a Relying Party.
The tokens generated by STS also provide attributes of these users which can be used to prevent access to resources and customize user experience. These attributes are called as Claims.
Get this great book for more clarifications directly from master of WIF, Vittorio Bertocci