How claims-based authentication works
Before I go further into ADFS 2.0, let's take a step back and briefly explain how claims-based authentication works, whether for ADFS 2.0, IBM Tivoli Federated Identity Manager, Novell Access Manager, or any other system.
Digital identities typically relate to users. Within a network, those identities are usually carried by security tokens. Sometimes other mechanisms are involved (for example, Kerberos tickets in Active Directory), but for simplicity let's stick with tokens.
In a claims-based world, a token carries various claims; these might include a person's name, group, and/or age. The tokens and their claims are created by a Security Token Service (STS), which authenticates the user and returns a token with the claims attached. Note: Users don't just get whatever token they want. The STS issues the token based on the user's authentication against Active Directory (in the case of ADFS 2.0), and it draws the claims from the directory data that links the user to his or her attributes and to whatever application the token will be used to access.
The STS is owned by an identity provider (an issuer) that validates the claims when asked to do so. When the user tries to access an application, another enterprise, or a cloud-based service, the application that receives the token checks whether its issuer is one it trusts; if so, it trusts the claims the token makes about the user.
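The flow described above in miniature, as an added example that is not from this article or from ADFS itself: the STS authenticates the user against a constructed directory, issues a token carrying claims and signed with the issuer's key, and the relying party accepts the claims only if the issuer is on its trust list, the signature verifies, and the token was issued for that application. Real ADFS 2.0 uses SAML/WS-Federation tokens signed with the issuer's X.509 certificate; the HMAC shared key and JSON claim format here are simplifications.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example directory the STS authenticates against (not a real store).
DIRECTORY = {"alice": {"password": "correct horse", "groups": ["finance"], "age": 34}}


class SecurityTokenService:
    """Issuer: authenticates the user, then returns a signed token carrying claims."""
    def __init__(self, issuer, key):
        self.issuer, self.key = issuer, key

    def issue(self, username, password, audience, ttl=300):
        user = DIRECTORY.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None  # authentication failed: no token at all
        claims = {"iss": self.issuer, "aud": audience, "sub": username,
                  "groups": user["groups"], "age": user["age"],
                  "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body.decode() + "." + sig


class RelyingParty:
    """Application: trusts specific issuers and accepts only tokens they signed for it."""
    def __init__(self, audience, trusted_issuers):
        self.audience, self.trusted = audience, trusted_issuers  # {issuer: key}

    def validate(self, token):
        try:
            body, sig = token.split(".")
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None  # malformed token
        if not isinstance(claims, dict):
            return None
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None  # unknown issuer: its claims are not trusted
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # signature mismatch: token altered or forged
        if claims.get("aud") != self.audience or claims.get("exp", 0) < time.time():
            return None  # issued for another application, or expired
        return claims
```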
One tremendous benefit to developers of this approach, according to Microsoft, is that it gets developers out of the business of authenticating users. Instead, developers can rely on an STS, issuer, and validating application to do the authentication work for them as a service.
One other point to keep in mind is that you may need to use different identity tokens for different applications. In much the same way you might use a birth certificate to identify yourself at times, a driver's license on other occasions, and a passport on still others, as a developer you may require different identity providers and thus need an identity selector to allow you to choose the appropriate STS for your application.