Sample Delegation, Federation and Authentication Scenario

SharePoint 2010

Last modified: October 01, 2009

Applies to: SharePoint Foundation 2010

This topic provides sample scenarios for identity delegation and identity federation.

The following fictional companies and their stated business needs are used in the sample scenarios that are described in this topic:

  • Contoso Hybrid is an international automobile engine supply company that specializes in manufacturing electric and fuel cell–based hybrid engines for car manufacturers inside and outside of the United States. In a strategic effort to meet the part-ordering demands of its customers, the IT department at Contoso is tasked with developing and deploying a secure, Internet-accessible parts-ordering application through their host name. This application must also provide multiple levels of access for various internal users (Contoso employees) and external users (car manufacturer employees). To minimize the costs of maintaining the parts-ordering application, IT must also avoid the need for the application to use and maintain an additional account store for the internal and external users who access it.

  • Fabrikam Motors is a Swedish manufacturer of fuel-efficient compact and small cars that is known worldwide for its low price point on hybrid automobiles. Although Fabrikam's sales have accelerated consistently year after year, there has been a noticeable increase in hybrid engine failure rates within the first year of ownership in cars sold to customers. For Fabrikam Motors to maintain its standard for high levels of service, it must implement a more efficient means by which hybrid engine parts can be ordered from Contoso Hybrid.

The following are related concepts:

  1. Identity Federation. Explains the establishment of federation between Contoso Hybrid and Fabrikam Motors so that Fabrikam users get a single sign-on experience when accessing Contoso Hybrid resources.

  2. Identity Delegation. Explains the ability to access resources through a Contoso Hybrid Web service that requires an ActAs token; that is, the service must know both the identity of the immediate caller (typically the front-end service) and the identity of the original user who initiated the request (typically the interactive user).
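The following Python is an added illustration of the delegation chain described above; it is not code from this page, from SharePoint, or from Windows Identity Foundation. It models an STS that first issues a token for the interactive user (the result of federation) and then, when the front-end service presents that token as ActAs, issues a new token whose subject is still the user but which also records the front-end service as the actor. The back-end service then authorizes on both identities. The HMAC token format, the signing key, and the identifiers (`urn:contoso:parts-ordering-app`, `urn:contoso:parts-db`, the `fabrikam` realm) are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed STS signing key for this example (hypothetical; a real STS
# would sign with an X.509 key and the relying party would verify with it).
STS_KEY = b"example-sts-signing-key"


def _sign(claims: dict) -> str:
    """Serialize claims and append an HMAC so relying parties can verify origin."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> dict:
    """Check the HMAC and return the claims; raise on any tampering."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token signature does not verify")
    return json.loads(base64.urlsafe_b64decode(body))


def issue_user_token(user: str, realm: str, audience: str) -> str:
    """STS issues a token for the interactive user after federated sign-on."""
    return _sign({"sub": user, "realm": realm, "aud": audience})


def issue_actas_token(service_id: str, actas_token: str, audience: str) -> str:
    """STS handles an ActAs request from the front-end service.

    The user's token is verified, then a new token is issued for the
    back-end audience: the subject remains the original user and an
    'actor' claim names the immediate caller (the front-end service).
    """
    user = _verify(actas_token)
    return _sign({
        "sub": user["sub"],
        "realm": user["realm"],
        "aud": audience,
        "actor": service_id,
    })


def backend_authorize(token: str, expected_audience: str,
                      allowed_actors: set, allowed_realms: set) -> bool:
    """The back-end service checks both links of the delegation chain.

    A plain user token (no 'actor' claim) is rejected even if signed,
    because the back end only accepts calls delegated through a known
    front-end service, and the user's realm must also be permitted.
    """
    try:
        claims = _verify(token)
    except ValueError:
        return False
    if claims.get("aud") != expected_audience:
        return False
    return (claims.get("actor") in allowed_actors
            and claims.get("realm") in allowed_realms)


if __name__ == "__main__":
    user_tok = issue_user_token("alice@fabrikam.com", "fabrikam",
                                "urn:contoso:parts-ordering-app")
    actas_tok = issue_actas_token("urn:contoso:parts-ordering-app", user_tok,
                                  "urn:contoso:parts-db")
    print(backend_authorize(actas_tok, "urn:contoso:parts-db",
                            {"urn:contoso:parts-ordering-app"},
                            {"fabrikam", "contoso"}))
```

Note that the user's original token alone is not accepted by the back end: it carries the wrong audience and no actor, so the back end cannot tell which service is calling on the user's behalf. That distinction is the point of an ActAs token.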