Assume you have an SharePoint web application which build on "Claim based Authentication"
When user requested the page or Sharepoint documents using web browser,SharePoint will check the user has been authorised or not.
If it is not authorised,It will send back to user with requested URL,in turn user's request will be redirected to "Identity Provider".It can be Active Directory or "ASP.NET Membership Provider".
Once your credentials are validated by "Identity Providers" you will be given a token to which will allow your request to be authenticated by SharePoint.