An overview of ACS, ADFS, WIF


Notes from the TechNet Windows Azure AppFabric Access Control Service (ACS) Academy video series -
  • ACS or Access Control Service is a cloud service that abstracts authentication & lets you focus on app development rather than on plumbing
  • ACS is part of Windows Azure Platform - a service within AppFabric 
  • ACS offers federation with Internet identity providers (like Windows Live ID, Facebook, Yahoo, Google) & corporate identity providers (via ADFS v2.0) 
  • Federation means you can outsource authentication to industry mature identity management systems
  • ACS implements federation and trust for web apps using industry-standard protocols.
  • ACS supports the WS-Federation, WS-Trust, OpenID, OAuth 2.0 and OAuth WRAP protocols, and the SAML 1.1, SAML 2.0 and SWT token formats
  • ACS works for Web and Web services architectures
  • The core functionality of both Access Control Service (ACS) and Active Directory Federation Services (ADFS) is a Security Token Service (STS)
  • Both Access Control Service (ACS) & Active Directory Federation Services (ADFS) can be used to implement single sign-on (SSO)
  • ADFS is an on-premises STS & is part of Active Directory in Windows Server.
  • ADFS is both an on-premises Identity & Federation provider. ACS does not manage identities 
  • ADFS relies on Active Directory for identity management but it can federate with non-MS enterprise identity providers like Oracle Identity Federation, CA Federation Manager & more
  • ACS & ADFS integrate seamlessly
  • ACS can serve Private Cloud, PaaS Cloud (not just limited to Windows Azure Platform due to its implementation on open standards) and SaaS Cloud needs
  • ACS is not limited to consumption by Windows Azure deployed apps; any modern app platform hosted on PaaS cloud providers can consume ACS
  • ACS can serve cloud deployed apps, on-premises apps, mobile device apps
  • WIF or Windows Identity Foundation is a .NET runtime that runs as part of your web application or service.
  • WIF is available as a free download
  • ACS & WIF perform protocol & token heavy lifting so that you can focus on your authorization logic
  • ACS does heavy lifting for handling protocols like WS-Federation, WS-Trust, OpenID, OAuth 2.0, OAuth WRAP, Facebook Graph
  • ACS can issue normalized SAML & SWT tokens 
  • You can control authorization access via the ACS Rules Engine & WIF
  • WIF parses incoming tokens & exposes a convenient .NET API
  • WIF provides design time tooling via FedUtil wizard tool
  • WIF offers extensibility through configuration sections & custom token handlers
  • Using Rules Engine, you can control what claims get into the token & which Identity providers can provide authorization
  • Windows Identity Foundation (WIF) offers Role-based access control (RBAC) & Claims-based authorization
  • Two ways to administer ACS: the Management Portal & the Management Service
  • Management Portal - accessed through the Windows Azure portal
  • Management Service - a service that exposes an OData endpoint & offers additional functionality not available via the Management Portal
  • ACS can be managed manually and programmatically
  • Four key components of ACS:
    • Security Token Service (STS) - issues tokens that clients present to the application in order to be authenticated
    • Management Portal - UI for administering ACS
    • Management Service - API/endpoint that is used for management automation. Everything you can do with the Management Portal, you can automate via the Management Service
    • Token Transformation Rule Engine - allows configuration based token transformation 
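The bullets above describe a pipeline (identity-provider claims go through the ACS rule engine, come out as a signed SWT token, and the relying party validates the token and authorizes on its claims) but the video series shows no code. The following is an added Python example, not code from the video series, from ACS or from WIF. It models that pipeline the way a non-.NET relying party (which the notes say ACS supports) would consume an ACS-issued SWT: the token is form-encoded claims plus an `HMACSHA256` parameter computed over the unsigned part with the shared symmetric key, and the consumer must verify the signature before trusting any claim, then check `Issuer`, `Audience` and `ExpiresOn`. The `contoso` namespace, the signing key, the rule set and the identity-provider claims are all constructed; the claim-type URIs are the standard name, e-mail and role types ACS and WIF use.

```python
"""Constructed walk-through of the ACS claims pipeline (not ACS or WIF code):
IdP claims -> rule engine -> signed SWT -> relying-party validation -> role check."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote

# Standard claim-type URIs used by ACS and WIF.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

ANY = None          # rule input: match any claim type / any value
PASSTHROUGH = None  # rule output: reuse the matched input type / value


def apply_rules(input_claims, rules):
    """Tiny model of the ACS Token Transformation Rule Engine.
    Each rule is (input_type, input_value, output_type, output_value)."""
    output = {}
    for in_type, in_value, out_type, out_value in rules:
        for claim_type, value in input_claims.items():
            if in_type is not ANY and claim_type != in_type:
                continue
            if in_value is not ANY and value != in_value:
                continue
            out_t = claim_type if out_type is PASSTHROUGH else out_type
            out_v = value if out_value is PASSTHROUGH else out_value
            output.setdefault(out_t, []).append(out_v)
    # SWT carries a multi-valued claim as one comma-separated value.
    return {t: ",".join(v) for t, v in output.items()}


def _mac(unsigned, key_b64):
    key = base64.b64decode(key_b64)  # ACS symmetric keys are base64 strings
    return hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()


def issue_swt(claims, issuer, audience, key_b64, lifetime_seconds=600, now=None):
    """Stand-in for the STS: form-encode claims and append the HMACSHA256 parameter."""
    now = int(time.time()) if now is None else now
    body = dict(claims)
    body["Issuer"] = issuer
    body["Audience"] = audience
    body["ExpiresOn"] = str(now + lifetime_seconds)
    unsigned = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in body.items())
    signature = base64.b64encode(_mac(unsigned, key_b64)).decode("ascii")
    return unsigned + "&HMACSHA256=" + quote(signature, safe="")


def validate_swt(token, key_b64, trusted_issuer, expected_audience, now=None):
    """Relying-party side: verify signature first, then issuer, audience, expiry.
    Returns the claims dict or raises ValueError."""
    now = int(time.time()) if now is None else now
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("token is unsigned")
    unsigned, presented = token[:idx], unquote(token[idx + len(marker):])
    try:
        presented_mac = base64.b64decode(presented, validate=True)
    except ValueError:
        raise ValueError("malformed signature")
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(presented_mac, _mac(unsigned, key_b64)):
        raise ValueError("bad signature")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True, strict_parsing=True))
    if claims.get("Issuer") != trusted_issuer:
        raise ValueError("untrusted issuer")
    if claims.get("Audience") != expected_audience:
        raise ValueError("token issued for a different relying party")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return claims


def has_role(claims, role):
    """Claims-based check, the equivalent of IsInRole() on a WIF ClaimsPrincipal."""
    return role in claims.get(ROLE, "").split(",")


# Constructed configuration: placeholder namespace, demo key, demo rules.
ISSUER = "https://contoso.accesscontrol.windows.net/"
AUDIENCE = "http://localhost/rp"
KEY_B64 = base64.b64encode(b"constructed-demo-key-32-bytes!!!").decode("ascii")
RULES = [
    (NAME, ANY, PASSTHROUGH, PASSTHROUGH),        # forward the name claim unchanged
    (EMAIL, "alice@example.com", ROLE, "Admin"),  # one specific user becomes Admin
    (EMAIL, ANY, ROLE, "Member"),                 # every authenticated user is a Member
]


def demo(now=1_700_000_000):
    idp_claims = {NAME: "Alice", EMAIL: "alice@example.com"}  # constructed IdP output
    token = issue_swt(apply_rules(idp_claims, RULES), ISSUER, AUDIENCE, KEY_B64, now=now)
    return token, validate_swt(token, KEY_B64, ISSUER, AUDIENCE, now=now)


if __name__ == "__main__":
    token, claims = demo()
    print(token)
    print("Admin:", has_role(claims, "Admin"), "Member:", has_role(claims, "Member"))
```

The order of checks matters: nothing in the token is parsed as data until the MAC has been verified with a constant-time comparison, and the audience check is what stops a token issued for one relying party from being replayed against another in the same namespace.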
Related: HOW TO implement Authentication & Authorization using OAuth 2.0 Providers with ASP.NET WebForms