I am setting up an STS using WIF which will support active and passive federation.
There will be multiple services which use the STS as relying parties.
I want to know how the scenario works and is implemented where one service (e.g. RelyingParty1) is the client of another service (e.g. RelyingParty2), where the client of RelyingParty1 (a physical person/user) authenticates via STS/IdP username and login, and RelyingParty1 wants to use RelyingParty2.
Does RP2 communicate with the STS at all, or is a valid token passed from RP1 to RP2? Is there specific configuration needed for this?
If RP2 can/does communicate with the STS to verify the token/authenticate (SSO is not a requirement, so checking each time might be desirable), how does the STS know to use the physical user of RP1 as the IClaimsIdentity/IClaimsPrincipal and not the user that RP1 is running as?