I would like to produce an SSO solution that passes through a token (of sorts) securely to the end target.
The scenario is this:
Jim logs into his computer on a Windows network. He accesses his intranet which utilises his Active Directory (Windows) login (no need to retype user/pwd). He will then click on a link on his intranet, which takes him to an external website (portal). His credentials are passed along to that external website, facilitating SSO.
Once on the external website, he chooses from a menu of service providers. He selects one, clicks a link, and his security token is passed along to the service provider of choice, facilitating SSO again.
Ideally, the service provider will submit usage information back to the portal for tracking and billing purposes (this can be facilitated via an API, so not really part of my question, but provided for context).
I am happy to use something like ADFS and create a federated connection between Jim's network and the portal, and between the portal and the service provider, but would prefer not to have Jim's network require federation to the service provider (third party).
Any advice would be appreciated. We looked at Shibboleth, but this creates a bit of risk having to be dependent upon an Apache-based system, when the majority of our target market are Microsoft network based.
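The brokered (hub) pattern the question leans toward, as an added illustration that is not part of the original post and is not ADFS or SAML code: the portal verifies the token issued by Jim's network, then mints a separate, audience-restricted token for the chosen service provider, so the provider only ever needs a trust relationship with the portal. Keys, issuer names and the compact HMAC token format are constructed for this demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo keys: one secret per trust relationship.
# Jim's network (IdP) only shares a key with the portal; the portal
# shares a different key with each service provider.
KEY_IDP_PORTAL = b"constructed-key-idp-to-portal"
KEY_PORTAL_SP = b"constructed-key-portal-to-sp"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(key: bytes, issuer: str, audience: str, subject: str,
                ttl: int = 300, now=None) -> str:
    """Mint a compact HMAC-SHA256 signed token scoped to a single audience."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "aud": audience, "sub": subject,
              "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(key: bytes, token: str, expected_issuer: str,
                 expected_audience: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected_sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):
        raise ValueError("bad signature")  # wrong key, tampering, or a token from another trust relationship
    claims = json.loads(_unb64(body))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token not intended for this audience")  # stops replay against another party
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def portal_broker(inbound_token: str, sp_name: str, now=None) -> str:
    """Portal accepts Jim's token from his network and issues a fresh one for the chosen SP."""
    claims = verify_token(KEY_IDP_PORTAL, inbound_token, "jims-network", "portal", now=now)
    return issue_token(KEY_PORTAL_SP, "portal", sp_name, claims["sub"], now=now)
```

Because the service provider holds only the portal key, a token from Jim's network presented to it directly fails the signature check, and a token minted for one provider is rejected by another on the audience check.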