When is it worth implementing a WIF solution?

I'm trying to build / architect a security solution for an intranet application and I'm wondering if implementing a WIF level solution is worth it, given the requirements.

Essentially, I have the following things that are considerations

• The general platform is ASP.NET MVC 3 / Windows Servers / SQL Server 2008 R2 database.
• Information comes into our system from an outside vendor that provides a workflow software solution
• Since the vendor software only covers part of the company's typical workflow, they'll be sending us data as a REST call. Our end uses WCF rest calls to receive this data.
• A VPN tunnel is supposed to be built to the outside vendor's servers as part of the security.
• There's pressure from the top that this VPN isn't enough security. Also, as there are authorization issues (some users shouldn't have access 开发者_C百科to some data), we should have something that identifies users on our end as well as the vendor's end to insure information is from the right person, with the proper rights to make these changes.
• The outside vendor has their own security system, but nothing we can truly tap into, so I'm not sure what, if anything, we can do to synchronize security.
• The piece of the workflow that we pick up is what is handled via MVC 3 / SQL Server.
• Our company uses Active Directory for user management, and I'd like it if I can lean on it if possible. Ideally, I'd like to not introduce Yet Another Password to our users, since they'll have their work logins, the outside workflow vendor logins, and logins to yet other vendors.
• While the solution is initially going to be part of the company I'm in now, it might roll out to other sister companies that are under our same Active Directory.
• While using the workflow solution will be limited to users in active directory, it is likely that we'd have outside users that we'd prefer not to give active directory accounts to that will view reports running on SSRS.

Sorry if this is really long, but I hope that providing as much information as possible, I can get the best answers / solutions / practices / recommendations possible for this problem. Thanks.

---

It's worth installing WIF if you want to future proof your solution. WIF enables claims and Microsoft is building their apps around claims e.g. SharePoint 2010, CRM Dynamics 2010, Office 365 and Azure ACS are all built around claims, WIF and STS.

Once you have the infrastructure installed, it's relatively easy to federate with other partners. The traditional way is to enable trust between AD but as you add more and more companies you run into problems with IP, Netbios etc. clashes.

WIF addresses a number of points you have raised.

• Allowing external users access without adding them to a local AD
• An additional encryption layer over and above IIS SSL.
• Allocating roles to users for authorisation (both coarse and fine grained)
• SSO
• Built around AD