This post discuss a new feature introduced in the Active Directory Federation Services (AD FS ) 2.0 RC - support for token issuance authorization. Leveraging the feature allows IT pro to support a number of scenarios: Control access to relying party applications, e.g. Contoso’s use of RBAC to limit access to Fabrikam; Control what users can participate in federations, i.e. if the relying party is another STS, the administrator can selectively include/exclude groups of users from the federation. One of the main functions of the product in this and previous releases has been to provide a centralized point for authentication. Let’s try to briefly explain the distinction between the two: while authentication is the act of verifying the identity of a person, authorization is the act of determining whether the person can perform an action on a resource. In the scope of the AD FS 2.0 RC, the action is obtaining a token, while the resource is the relying party that the token is destined to.
Full Article: Geneva blog