Sunday, December 18, 2005

Federation revisited

While going through some articles on the Burton Group reports on Identity Management, I ran into this article from Andre Durand. The basic point of contention is that Burton has predicted that federation will not be a separate product in the long term, while Patrick Harding contends that it will be. This point of view from PingID can be attributed to the fact that their flagship product is a federation server, though they do provide other components like a Token Service. But let's not go there and look at the argument instead. The core of the argument seems to be that the infrastructure needs a federation server to consume the external SAML assertion and generate an internal SAML assertion that can be consumed by the internal infrastructure. But I am not sure that this means you have to set up a federation server the way they describe in this diagram. I see the work they describe more as the job of a Token Service, as I have opined earlier (which I think is one of the good ways of implementing an authentication web service), which would be used by infrastructure components to do the validation. I do not see the federation server becoming the point of entry into the infrastructure, since there are much better products for that job (XML firewalls for web services and Web SSO products for the other browser-based applications).
Maybe this is just a difference in the level of technicality we are at, and Patrick Harding is trying to say the same thing as above while I am getting into the details.
Please also note that in the case of browser-based applications, most of the implementations taking place in this field are moving along the idea of the federation server being the initial point of contact for SAML validation, setting up the session with the existing sign-on product, and then redirecting the browser to the web application protected by the SSO product. Thus, the model provided by PingID makes sense for the initial part of the SAML validation, but I am not sure when third-party applications will start shipping with support for federated SSO (more specifically the Web SSOs and XML firewalls, some of which already support it), just as they have started supporting the concept of Single Sign-On.
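As an added illustration of the token-service role described above (not code from this post or from PingID's products): a minimal Python token service that checks an inbound partner SAML 2.0 assertion and mints a short-lived internal token for infrastructure components to validate instead. The issuer, audience URLs, key and sample assertion are constructed for this example, and XML-signature verification is assumed to be handled upstream (e.g. at the XML gateway).

```python
import base64, hashlib, hmac, json, xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUERS = {"https://idp.partner.example/saml"}  # hypothetical partner IdP
OUR_AUDIENCE = "https://sp.internal.example"             # hypothetical entity ID
INTERNAL_KEY = b"constructed-demo-key"                   # demo-only internal secret

def _ts(s):  # SAML timestamps are UTC, e.g. 2005-12-18T10:00:00Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_partner_assertion(xml_text, now):
    # Issuer/audience/validity-window checks; XML-signature verification is assumed done upstream.
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    if OUR_AUDIENCE not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this infrastructure")
    return issuer, root.findtext("saml:Subject/saml:NameID", namespaces=NS)

def issue_internal_token(xml_text, now, ttl=timedelta(minutes=5)):
    # Token-service step: consume the partner assertion, mint a short-lived
    # HMAC-signed internal token that downstream components validate instead.
    issuer, subject = validate_partner_assertion(xml_text, now)
    claims = {"sub": subject, "src": issuer, "exp": int((now + ttl).timestamp())}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(INTERNAL_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_internal_token(token, now):
    # What an internal component does: check the MAC first, then the expiry.
    body, mac = token.rsplit(".", 1)
    if not hmac.compare_digest(mac, hmac.new(INTERNAL_KEY, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("bad internal token MAC")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now.timestamp() >= claims["exp"]:
        raise ValueError("internal token expired")
    return claims

# Constructed sample assertion (unsigned; exercises only the checks above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2005-12-18T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@partner.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-12-18T09:59:00Z" NotOnOrAfter="2005-12-18T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.internal.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

The internal token is what the Web SSO product or XML firewall would check on each request, so the partner assertion is parsed only once at the token service.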
