ACS is a “Federation provider”. It basically allows your “relying parties” (your applications) to delegate authentication to it.

ACS can itself trust many “identity providers”, including yours if you wanted. Currently (ACS V2) supports WS-Federation & OpenID (for web sites), WS-Trust & OAuth (for web services). These are the “protocols”. ACS supports 2 token formats: SAML (1.1 & 2.0) and SWT. It also comes pre-configured with Google, Yahoo!, Facebook and LiveID.

If your app trusts ACS, then you can accept users with accounts in any of those services. ACS can work with “any” IdP that supports any of those protocols.

WIF is a framework on .NET for “claims enabling” your app and works seamlessly in app stacks like ASP.NET (and ASP.NET MVC) and WCF. It can work on other app stacks, but it requires interop. However, each platform usually has a WIF equivalent, and as long as it is compliant with the standard (e.g. WS-Fed, SAML tokens, etc.) it works.

Interop is also both ways. For example: a non .NET app relying on ACS / ACS relying on a no-MSFT identity provider.

If you want to retain your membership databases for authentication (this means you would still have username/passwords), you can wrap it with an STS (built with WIF) and add it to the list of identity provider. Then any application (.NET or not) can use authentication based on it:

Of course you can combine both: have your apps trust ACS and then ACS trust your IdP (In addition to the other IdPs). This gives you additional flexibility.

In general, if you use WIF on your .NET based web site, you don’t need to write much code (if any). Everything just works.

Examples of all this are available here:

• Identity Training Kit
• Claims based Identity Guide (http://claimsid.codeplex.com)

For a very quick intro, check Scott’s latest webcast: http://scottdensmore.typepad.com/blog/talks.html