Jorgen Thelin on the Microsoft Federation Gateway

The Discussion


    Great work.

    Question... where does ACS fit in?

    I see how MFG helps you reduce the complexity of establishing trust relationships with multiple IPs.

    But inside my application or RP I would need to have logic to differentiate between people from IPx, LiveID or IPy.

    Would ACS fit in here between the MFG and RP, mapping all incoming claims to some normalized set that my app or organization understands?

    If so, wondering why this was not mentioned.




    Yes, ACS fits in nicely between MFG and the RP, as you suggest.


    I find it useful to think of ACS in one of two ways in relation to MFG, depending on which perspective I am coming at it from:

    1. Either, MFG (and IdPs in general) provides the authentication / base identity claims layer, and there is another architecture layer above that which handles authorization (e.g. ACS).
    2. Or, ACS is a resource STS that is downstream from MFG. To MFG, whatever relying parties and/or STSs (or even a chain of RPs/STSs) are downstream is just a black box -- MFG issues tokens and sends them to the next address for that RP, and whether that be ACS or direct to an application is not something that MFG needs to know.

    In general, an app will always have some kind of authorization / permissioning logic somewhere -- and whether that be provided by the app itself or offloaded to ACS is a design choice that is pretty much completely invisible to MFG.

    Hope this helps explain the relationship between MFG and ACS.


    - Jorgen
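To make the "ACS as a downstream resource STS" picture concrete, here is an added example (not from the video, the thread, or ACS itself) of the claim normalization the questioner describes: rules keyed on issuer plus input claim type map claims from a LiveID-style IdP and a partner IdP "IPx" onto one claim set the RP understands. The issuer URLs, claim types and the `Rule`/`normalize` names are all constructed for illustration; the point is that rules are scoped per issuer and unmatched claims are dropped, so one IdP cannot inject claims the RP expects only from another.

```python
from dataclasses import dataclass
from typing import Optional

# A claim as it arrives in a token: who issued it, the claim type, and the value.
@dataclass(frozen=True)
class Claim:
    issuer: str
    claim_type: str
    value: str

# One transformation rule (constructed model, not the ACS API): match on issuer and
# input claim type, optionally on the exact input value, and emit an output claim.
# output_value None means "pass the input value through unchanged".
@dataclass(frozen=True)
class Rule:
    issuer: str
    input_type: str
    output_type: str
    input_value: Optional[str] = None
    output_value: Optional[str] = None

    def matches(self, claim: Claim) -> bool:
        return (claim.issuer == self.issuer
                and claim.claim_type == self.input_type
                and (self.input_value is None or claim.value == self.input_value))

APP_ISSUER = "https://normalizer.example/"  # constructed issuer for the normalized claims

def normalize(claims: list[Claim], rules: list[Rule]) -> list[Claim]:
    """Apply every matching rule; a claim with no matching rule is dropped, so the RP
    only ever sees the normalized set and never a raw claim from an upstream IdP."""
    out = []
    for claim in claims:
        for rule in rules:
            if rule.matches(claim):
                value = claim.value if rule.output_value is None else rule.output_value
                out.append(Claim(APP_ISSUER, rule.output_type, value))
    return out

RULES = [
    # LiveID-style token: carry the opaque unique id through as the app's "subject" claim.
    Rule("https://liveid.example/", "nameid", "subject"),
    # Partner IdP "IPx": its UPN becomes "subject"; one specific group value becomes a role.
    Rule("https://ipx.example/", "upn", "subject"),
    Rule("https://ipx.example/", "group", "role", input_value="Finance-Admins", output_value="approver"),
]

SAMPLE = [  # constructed incoming claims from two different IdPs
    Claim("https://liveid.example/", "nameid", "abc123"),
    Claim("https://liveid.example/", "email", "someone@example.com"),  # no rule: dropped
    Claim("https://ipx.example/", "upn", "alice@ipx.example"),
    Claim("https://ipx.example/", "group", "Finance-Admins"),
    Claim("https://ipx.example/", "group", "Everyone"),  # value not remapped: dropped
]
```

A "role" claim from the LiveID issuer would not match any rule and is therefore dropped, which is what makes the issuer scoping useful.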


    Am I correct that the MFG is an FP-STS and it is never an IP-STS?  From watching the video, it sounds like the actual IdP is never the MFG, but the MFG has the capability to federate with thousands or even millions of IP-STSs (a WS-Federation/WS-Trust thunking layer for the IdP).  Because of its tight relationship with LiveID, an IP-STS, it seems like the MFG gets improperly called an IP-STS or IdP sometimes when it is in fact not.  If I am correct here, it would be helpful to call the MFG an FP-STS when describing it because many of us have this frame of reference, making this technology easier to come to terms with.


    The eventual support for SAML 2 and interoperability with PingFederate will be fantastic.  Looking forward to that.


    Great video.  Thanks for taking the time to produce it.
