0
votes

I'm evaluating using JWT tokens instead of SAML tokens in an SSO scenario using Azure ACS. JWT is promoted as more lightweight than SAML, but I'm not sure how to evaluate that claim. I assume the token is passed via the FedAuth and FedAuth1 cookies, but in my testing the size of the cookies is consistent between both tokens. If anything, the cookies are slightly larger when using JWT.

My usage will be for both ASP.NET and WebAPI with light traffic.

1 Answer

0
votes

The size of the FedAuth1, 2, 3, ... cookies is not entirely related to the token type that was used to authenticate the caller. The ClaimsIdentity that is the result of the authentication and any claim augmentation or transformation is what is contained in the cookies.

I said 'not entirely' because:

  1. If you choose to 'saveBootstrapContext' (see http://msdn.microsoft.com/en-us/library/system.identitymodel.configuration.identityconfiguration.savebootstrapcontext(v=vs.110).aspx), then there will be a slight difference.

  2. JWT claim types tend to be smaller than SAML, and that may also make a difference.
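
One way to measure both points of the answer above, as an added example that is not part of the original answer: it serializes a session token with WIF's `SessionSecurityTokenHandler` and compares the resulting cookie text length for long SAML-style claim types, short JWT-style claim types, and an identity that carries a bootstrap context. It assumes .NET Framework 4.5+ on Windows with a reference to System.IdentityModel; the claim values and the stand-in bootstrap token are constructed.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;

static class FedAuthSizeDemo
{
    // Length of the base64 text that WIF would spread over FedAuth, FedAuth1, ... cookies.
    static int CookieTextLength(ClaimsIdentity identity)
    {
        var session = new SessionSecurityToken(new ClaimsPrincipal(identity));
        // WriteToken serializes the session token (the ClaimsPrincipal, not the
        // SAML/JWT token) and applies the handler's default cookie transforms.
        byte[] cookieBytes = new SessionSecurityTokenHandler().WriteToken(session);
        return Convert.ToBase64String(cookieBytes).Length;
    }

    // Constructed identity: same claim values each time, only the claim type names vary.
    static ClaimsIdentity Build(string nameType, string roleType)
    {
        var claims = new[] { new Claim(nameType, "alice@contoso.example") }
            .Concat(Enumerable.Range(1, 10).Select(i => new Claim(roleType, "Role" + i)));
        return new ClaimsIdentity(claims, "Federation");
    }

    static void Main()
    {
        // Long URI claim types, as typically produced from a SAML token.
        ClaimsIdentity samlStyle = Build(ClaimTypes.Name, ClaimTypes.Role);
        // Short claim types, as typically carried in a JWT.
        ClaimsIdentity jwtStyle = Build("unique_name", "role");

        // Effect of saveBootstrapContext: the original token is kept on the
        // identity and is serialized into the cookie along with the claims.
        var randomBytes = new byte[1024];
        new Random(1).NextBytes(randomBytes);   // constructed stand-in for a raw token
        ClaimsIdentity withBootstrap = Build("unique_name", "role");
        withBootstrap.BootstrapContext =
            new BootstrapContext(Convert.ToBase64String(randomBytes));

        Console.WriteLine("SAML-style claim types : {0}", CookieTextLength(samlStyle));
        Console.WriteLine("JWT-style claim types  : {0}", CookieTextLength(jwtStyle));
        Console.WriteLine("JWT-style + bootstrap  : {0}", CookieTextLength(withBootstrap));
    }
}
```

Running it against the claims your own relying party actually issues, rather than the constructed ones here, shows how much of the cookie size comes from the claim set and how much from the saved bootstrap token.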