Ping Identity recently published a post detailing some thoughts from a breakout session of the Federated User Group meeting on federation and how strong authentication can be handled (here). It was also commented on by my ex-colleague and friend, Paul Squires.
I find the entire subject extremely interesting at the moment since my current project is addressing this exact problem. We are implementing a federated architecture in which the user is required to strongly authenticate at their Identity Provider. A lot of the discussions of the Federated User Group were perfectly in line with what I am finding on my project. Paul also makes a good point about issues such as staged authentication and how these can be addressed.
One thing that I have found varies greatly among the various vendors of federation products (especially the ‘suite’ manufacturers) is the different ways in which they support tags such as the “AuthenticationContext” (in SAML 2.0 terms, the AuthnContext element of the assertion's AuthnStatement, whose AuthnContextClassRef tells the service provider what kind of authentication the IdP actually performed). Whilst some vendors (mentioning no names) will respect this attribute and allow you to assign trust levels based on it, others seem to completely ignore it, which leaves the service provider unable to tell a password login from a smartcard one.
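To make the point concrete, here is an added example (not code from the original post, nor from any of the vendors it alludes to) of what a service provider can do with the AuthnContext itself rather than trusting a product to do it: read the AuthnContextClassRef out of an assertion, map it to a local trust level, refuse to treat a login as strong unless it meets the level the resource requires, and, for the staged authentication case, build the RequestedAuthnContext for a step-up AuthnRequest. The trust-level table is a hypothetical local policy, the sample assertions are constructed for this example, and the code assumes the SAML stack has already verified the signature, audience and validity window before this policy step runs.

```python
"""Added example, not code from the original post or any vendor it mentions.

SP-side policy for the SAML 2.0 AuthnContext: map the asserted
AuthnContextClassRef to a local trust level, enforce a minimum level, and
build a RequestedAuthnContext for step-up when the level is insufficient.

Assumes signature, audience and validity-window checks were already done by
the SAML stack. The trust-level table is a hypothetical local policy and the
sample assertions are constructed here, not real IdP output.
"""
from typing import List, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)

AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical local policy: standard AuthnContext class URIs -> ordinal trust
# level. A missing or unlisted URI maps to 0, the safe default for a context
# the SP has not explicitly vetted (this is the "vendor ignores it" case).
TRUST_LEVELS = {
    AC + "unspecified": 0,
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 1,
    AC + "TimeSyncToken": 2,
    AC + "X509": 3,
    AC + "SmartcardPKI": 3,
}


def _q(ns: str, tag: str) -> str:
    """Clark-notation qualified name for ElementTree lookups."""
    return f"{{{ns}}}{tag}"


def asserted_context(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef URI from an assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    path = ".//" + "/".join(_q(SAML_NS, t) for t in
                            ("AuthnStatement", "AuthnContext", "AuthnContextClassRef"))
    ref = root.find(path)
    if ref is None or not (ref.text or "").strip():
        return None
    return ref.text.strip()


def trust_level(context_uri: Optional[str]) -> int:
    """Ordinal trust level for a context URI; unknown or missing -> 0."""
    return TRUST_LEVELS.get(context_uri, 0) if context_uri else 0


def meets_requirement(assertion_xml: str, required_level: int) -> bool:
    """True only if the asserted context reaches the level the resource needs."""
    return trust_level(asserted_context(assertion_xml)) >= required_level


def acceptable_contexts(min_level: int) -> List[str]:
    """Class URIs the SP accepts at or above min_level, strongest first."""
    return [uri for uri, lvl in sorted(TRUST_LEVELS.items(), key=lambda kv: -kv[1])
            if lvl >= min_level and lvl > 0]


def requested_authn_context(min_level: int) -> str:
    """RequestedAuthnContext element for a step-up AuthnRequest.

    Enumerates acceptable classes with Comparison="exact". "minimum" would
    leave the strength ordering to the IdP, which the SAML spec does not
    define, so listing the classes explicitly is the predictable choice.
    """
    rac = ET.Element(_q(SAMLP_NS, "RequestedAuthnContext"), Comparison="exact")
    for uri in acceptable_contexts(min_level):
        ET.SubElement(rac, _q(SAML_NS, "AuthnContextClassRef")).text = uri
    return ET.tostring(rac, encoding="unicode")


def sample_assertion(context_uri: Optional[str]) -> str:
    """Constructed sample assertion, with or without an AuthnContext."""
    ctx = (f"<saml:AuthnContext><saml:AuthnContextClassRef>{context_uri}"
           "</saml:AuthnContextClassRef></saml:AuthnContext>" if context_uri else "")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0" '
            'IssueInstant="2000-01-01T00:00:00Z">'
            "<saml:Issuer>https://idp.example.org</saml:Issuer>"
            "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
            '<saml:AuthnStatement AuthnInstant="2000-01-01T00:00:00Z">'
            f"{ctx}</saml:AuthnStatement></saml:Assertion>")


if __name__ == "__main__":
    for ctx in (AC + "SmartcardPKI", AC + "Password", None):
        a = sample_assertion(ctx)
        print(asserted_context(a), "-> strong enough for level 3:", meets_requirement(a, 3))
    print(requested_authn_context(2))
```

The point of mapping an absent or unrecognised context to level 0 is that an IdP product which ignores the context will typically emit nothing useful there, and the SP should then fall back to its weakest trust level rather than silently treating the session as strongly authenticated.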
As usual, the discussions at the user group included liability. As Paul quite rightly points out, I think this is the main problem holding back more widespread adoption of federation deployments within the UK. In the years I have been working with federation, I have seen a change, with more companies prepared to invest the time and money not just in the technology but also in the associated business arrangements. I think this will continue to be the case over the next 12-18 months.