When user visit visualforce page with canvas application, validation is fired. If all requirements meet, canvas with third party application is displayed. During load of third party application canvas allows to send a bunch of parameters into application from salesforce. These parameters are encoded and third party application must support functionality to decode it. After decoding, application should encode part of parameters with secret key and check it with check sum. This confirms, that third party application is shown in right salesforce org. There are some information about user in parameters, so user can be directly logged into third party application, without entering login credentials again. There are some initials parameters also sent, for example new object which need to be created in third party application and type of operation.
After initial steps user works in third party application as usual. For better user experience, graphic design is changed for canvas, so it looks like salesforce, and user has salesforce look and feel.