WIF / Geneva stuff still doesn't seem "mature" like AzMan. We have been using AzMan for about 3 years, and our implementation has evolved from a direct link to azman.dll to a WCF-based service that serves roles and operations. WCF WinForms services, WPF clients, and now I'm in the process of working with Silverlight. I don't see that we will soon switch from AzMan, at least until an external interface for setting up WIF roles, operations, etc., which are provided for free in AzMan, is created ...
As for the details, we have our AzMan store in Active Directory and built a .NET DLL, which provides a .NET wrapper around the ugly COM azroles.dll. In addition, we have a WCF service that basically just passes requests for roles and operations directly through the AzMan .NET DLL. Roles, operations, etc. are returned as arrays of strings for client processing. There are two ways the service authenticates: either 1) anonymous authentication, or 2) Windows authentication (pass-through). This means that if you provide a username and password, anonymous authentication will be used, which first uses these strings for authentication. If pass-through / Windows authentication is used, then the WCF service already knows that you are an authenticated Windows user ... There may be an argument for splitting anonymous and Windows authentication into two separate services ...
Typically, WinForms and WPF clients use Windows authentication to pass through and get the available roles, while Silverlight clients use anonymous authentication ...
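The service shape the answer describes, as an added example (not the answer author's code): a WCF contract whose Windows-authenticated operations take the caller's identity from the transport, plus a separate operation for clients that send a username and password in the message, with roles and access-check results handed back as plain strings and booleans. It assumes the AzRoles COM interop assembly (Microsoft.Interop.Security.AzRoles), a placeholder store URL, application name and domain, and that the operation is hosted on a transport-secured (HTTPS) binding; all of those are assumptions, not details from the answer.

```csharp
// Added example, not the answer author's code. Assumptions are labelled below.
using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.ServiceModel;
using Microsoft.Interop.Security.AzRoles; // AzRoles COM interop (assumed reference)

[ServiceContract]
public interface IAuthorizationService
{
    // Windows (pass-through) authentication: identity comes from the transport,
    // nothing secret travels in the message body.
    [OperationContract]
    string[] GetMyRoles();

    [OperationContract]
    bool CanIPerform(string operationName);

    // Credentials-in-message variant for clients that cannot do Windows auth
    // (e.g. Silverlight). The service verifies the password itself, so this
    // operation must only be exposed over a transport-secured (HTTPS) binding.
    [OperationContract]
    string[] GetRolesFor(string userName, string password);
}

public sealed class AuthorizationService : IAuthorizationService
{
    // Placeholder values (assumptions); a real service reads these from config.
    private const string StoreUrl = "msldap://CN=MyStore,CN=Program Data,DC=example,DC=com";
    private const string ApplicationName = "MyApplication";
    private const string Domain = "EXAMPLE";

    // Opens the store on every call to keep the example short; a production
    // service would cache the store and application objects.
    private static IAzApplication OpenApplication()
    {
        IAzAuthorizationStore store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);
        return store.OpenApplication(ApplicationName, null);
    }

    // AzMan hands back COM SAFEARRAYs; flatten them into string[] for clients.
    private static string[] ToStrings(object comArray)
    {
        var list = new List<string>();
        if (comArray is IEnumerable items)
            foreach (object item in items) list.Add(Convert.ToString(item));
        return list.ToArray();
    }

    private static IAzClientContext ContextForCaller(IAzApplication app)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current?.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("Windows authentication is required on this endpoint.");
        // Build the AzMan client context from the caller's logon token.
        return app.InitializeClientContextFromToken((ulong)caller.Token.ToInt64(), null);
    }

    public string[] GetMyRoles()
    {
        IAzApplication app = OpenApplication();
        IAzClientContext ctx = ContextForCaller(app);
        return ToStrings(ctx.GetRoles(string.Empty)); // "" = application scope
    }

    public bool CanIPerform(string operationName)
    {
        IAzApplication app = OpenApplication();
        IAzClientContext ctx = ContextForCaller(app);
        // AccessCheck takes operation IDs, not names; resolve the name first.
        int operationId = app.OpenOperation(operationName, null).OperationID;
        object[] results = (object[])ctx.AccessCheck(
            "audit:" + operationName,          // object name that appears in the audit log
            new object[] { string.Empty },     // scopes: application scope only
            new object[] { operationId },
            null, null, null, null, null);     // no BizRule parameters or interfaces
        return Convert.ToInt32(results[0]) == 0; // 0 == NO_ERROR == access granted
    }

    public string[] GetRolesFor(string userName, string password)
    {
        // AzMan never checks passwords: InitializeClientContextFromName only
        // builds a context for the named account. Validate against the domain
        // first, and refuse before touching the store if that fails.
        using (var pc = new PrincipalContext(ContextType.Domain, Domain))
        {
            if (!pc.ValidateCredentials(userName, password))
                throw new FaultException("Invalid credentials.");
        }
        IAzApplication app = OpenApplication();
        IAzClientContext ctx = app.InitializeClientContextFromName(userName, Domain, null);
        return ToStrings(ctx.GetRoles(string.Empty));
    }
}
```

The split between the two paths is the point of the design: on the Windows-authenticated operations the service never sees a password and simply maps the already-authenticated token onto the store, whereas the credentials-in-message operation has to do its own password validation before it asks AzMan anything, and must not be reachable over an unencrypted binding. Hosting the two groups on separate endpoints (or, as the answer suggests, separate services) lets the binding's security mode enforce that difference rather than relying on every caller to pick the right operation.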