I was recently asked by my friends over at Confused.com to look into using Windows Identity Foundation to do claims-based authentication for Sitecore. WIF comes pre-packed with all you need to do federated security, and you can use the components either as they are or customise them to meet your specific requirements.
WIF integrates nicely with ASP.Net and most websites could easily be adapted to use Passive STS for authentication. Unfortunately this is not true for Sitecore websites (current version 6.5). WIF uses a set of HTTP modules to handle the authentication. The authentication is synchronised to the AuthenticateRequest event, which is bad news as Sitecore's UserResolver is executed in the httpRequestBegin pipeline, which is synchronised to the BeginRequest event (yes - just _before_ the AuthenticateRequest event). The WIF authentication does happen before your Layouts and Sublayouts are rendered, and Sitecore.Context.IsLoggedIn will return true. On the surface it looks like all is good, but it is important to realise that you need the WIF authentication to take place before the UserResolver pipeline step so that security can be applied correctly when ItemResolver executes.
I asked Sitecore support to look into it but they drew a blank. I do hope that Sitecore will address this in a future release now that WIF is being merged into the .Net framework. In the meantime, as a workaround, you can override UserResolver and manually read the SessionToken, authenticate it and ask the Sitecore API to log in the user for the current request.
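
A sketch of that workaround, added here as an illustration and not the code used in the original project: a processor that replaces UserResolver in the httpRequestBegin pipeline, reads the WIF session token from its cookie, checks its lifetime and logs the user in to Sitecore before ItemResolver runs. The class name, namespace, the "extranet" domain mapping and the use of a virtual user are assumptions, as is the pre-4.5 WIF assembly (Microsoft.IdentityModel).

```csharp
using System;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Sitecore.Pipelines.HttpRequest;
using Sitecore.Security.Authentication;

namespace Example.Pipelines // hypothetical namespace
{
    // Registered in place of Sitecore's UserResolver in httpRequestBegin.
    public class WifUserResolver : UserResolver
    {
        // Assumption: federated users are mapped into this Sitecore domain.
        private const string Domain = "extranet";

        public override void Process(HttpRequestArgs args)
        {
            string userName = TryGetFederatedUserName();
            if (userName == null)
            {
                base.Process(args); // no usable session token: default behaviour
                return;
            }
            // Assumption: a virtual user is enough; no matching Sitecore account is required.
            var user = AuthenticationManager.BuildVirtualUser(Domain + "\\" + userName, true);
            AuthenticationManager.LoginVirtualUser(user);
        }

        private static string TryGetFederatedUserName()
        {
            var sam = FederatedAuthentication.SessionAuthenticationModule;
            if (sam == null) return null; // WIF session module not configured
            try
            {
                SessionSecurityToken token;
                if (!sam.TryReadSessionTokenFromCookie(out token)) return null;
                // This runs before WIF's own AuthenticateRequest handling,
                // so reject tokens outside their validity window here.
                DateTime now = DateTime.UtcNow;
                if (token.ValidFrom > now || token.ValidTo < now) return null;
                var principal = token.ClaimsPrincipal;
                var identity = principal == null ? null : principal.Identity;
                if (identity == null || !identity.IsAuthenticated) return null;
                return string.IsNullOrEmpty(identity.Name) ? null : identity.Name;
            }
            catch (Exception) { return null; } // unreadable or tampered cookie: anonymous
        }
    }
}
```

A cookie that cannot be read or has expired is treated as anonymous here, so the request falls through to the stock UserResolver instead of failing.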