Basic guidance on WSSO approach? (ADFS?)
Can someone give me some basic guidance as to the approach we should take to solve the following problem? I am not a developer myself, but I want to make sure I am telling our developers to head in the right direction.

OK. We have two websites (hosted on two servers on opposite sides of the world). ABC is a LAMP site. XYZ is a hosted SharePoint. We currently have registered customers, some of whom log in to access ABC, authenticated against a user db in MySQL, and some of whom can also log in and access XYZ, authenticated as SP/AD users in the normal way. Currently that requires them to log in twice with different credentials.

Ideally, we would like to simplify the login so we can provide them with a form of SSO, and also manage all our users in one place, not two. If they are logged on to ABC and follow a link to XYZ, we would prefer not to have them log on a second time. Nor do we want to have to duplicate their profile into XYZ to give them access. (We are talking tens of thousands of users in ABC, though many will not have access to XYZ.)

Again ideally, we would like to have the MySQL db in ABC as the master, as we have lots more accounts that can only access ABC, and there is lots of functionality in ABC that relies on their account (like forums, newsletters, membership renewals etc.).

My understanding is that a federated security approach would be the correct/best way to do this. But I will ask if there is anything simpler...

So we configure ADFS on XYZ so that it 'trusts' ABC, and hence accepts their users with the right credentials. My goal is that once a user has signed on to ABC, when they follow a link that takes them to XYZ it is relatively 'transparent' in that it doesn't require them to log in again. Presumably, we need to set it up perhaps so the cookie that they get when they sign in to ABC also presents the right credentials to XYZ when they follow the link - would that work?
To complicate matters (I think), the users in ABC and XYZ are organized into groups that limit their permissions to different areas of the websites. AIUI, we need to set up the correct Organizational Claims to do this. Ideally, I don't want to have to identify users in XYZ. ABC has the necessary automation to register new users and assign them to the correct group. But I presume I have to add the groups to XYZ still in order to manage permissions.

ABC doesn't have Active Directory, so we are going to have to find some SAML/WS-Security compliant code, I guess, to do the necessary handshaking with XYZ.

Am I on the right track here? Or, as I said, is there an easier way? Thanks for any help.
January 29th, 2010 1:45pm
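The claims flow the question is circling around, as an added example (written by the editor in Python; it is not code from the poster, from ADFS or from SharePoint). ABC plays the identity provider: it looks the user up in its master user db and issues a signed token whose claims carry the user's groups, so XYZ never needs its own copy of the profile. XYZ plays the relying party: it accepts the token only after checking the signature, the issuer, the audience and the validity window, and then maps the group claims onto its own permissions. It also shows why the cookie idea on its own does not work: the browser never sends ABC's session cookie to XYZ's domain, so what crosses between the sites has to be a signed token that XYZ can verify independently. Assumptions: the URLs, group names, claim field names and user records are constructed for the demo, and the signature is an HMAC over a shared secret standing in for the X.509 signature that SAML/WS-Federation tokens actually carry.

```python
"""
Added example: a minimal claims-based federation flow between an identity
provider (the LAMP site "ABC") and a relying party (the SharePoint site "XYZ").
Real deployments use SAML / WS-Federation tokens signed with the IdP's X.509
key; this stand-in signs the claims with HMAC over a shared secret so it runs
with the standard library only. Field names below are assumed, not from any
product.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: a secret exchanged out of band when the trust was configured.
# In SAML/ADFS this role is played by the IdP's signing certificate.
SHARED_SECRET = b"configured-out-of-band-when-the-trust-was-set-up"
IDP_ISSUER = "https://abc.example/idp"        # assumed URL for ABC
RP_AUDIENCE = "https://xyz.example/_trust/"   # assumed URL for XYZ

# Constructed stand-in for ABC's MySQL user records: user id -> groups.
ABC_USERS = {
    "alice": ["members", "xyz-editors"],
    "bob": ["members"],                # a member with no XYZ access
}

# Constructed mapping from ABC group names to what XYZ lets them do.
XYZ_PERMISSIONS = {
    "xyz-editors": {"read", "edit"},
    "xyz-readers": {"read"},
}


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_claims(claims):
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(user, now=None, lifetime=300):
    """IdP side (ABC): look the user up in the master db and emit a signed
    claims token addressed to XYZ. Groups travel as claims, so XYZ needs
    no copy of the profile, only a mapping from group names to rights."""
    if user not in ABC_USERS:
        raise KeyError("unknown user")
    now = time.time() if now is None else now
    claims = {
        "iss": IDP_ISSUER,
        "aud": RP_AUDIENCE,
        "sub": user,
        "groups": ABC_USERS[user],
        "nbf": int(now),
        "exp": int(now) + lifetime,
    }
    body = _encode_claims(claims)
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None):
    """RP side (XYZ / ADFS): return the claims only if the token was signed
    by the trusted issuer, is addressed to us and is inside its validity
    window; otherwise return None so the caller falls back to a login."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:                           # malformed token
        return None
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != RP_AUDIENCE:
        return None                              # not meant for this RP
    if not (claims["nbf"] <= now < claims["exp"]):
        return None                              # expired or not yet valid
    return claims


def permissions_for(claims):
    """Map group claims onto XYZ's permission set. A user whose groups grant
    nothing is authenticated but authorised for nothing."""
    perms = set()
    for g in claims.get("groups", []):
        perms |= XYZ_PERMISSIONS.get(g, set())
    return perms


def forge_group(token, group):
    """Attacker helper for the demo: add a group claim to the body while
    keeping the original signature, to show that edited claims are rejected."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["groups"].append(group)
    return _b64(_encode_claims(claims)) + "." + sig_b64


if __name__ == "__main__":
    t0 = 1_264_770_000   # fixed clock so the demo is deterministic
    alice = issue_token("alice", now=t0)
    print("alice  ->", sorted(permissions_for(verify_token(alice, now=t0 + 10))))
    bob = issue_token("bob", now=t0)
    print("bob    ->", sorted(permissions_for(verify_token(bob, now=t0 + 10))))
    print("forged ->", verify_token(forge_group(bob, "xyz-editors"), now=t0 + 10))
    print("stale  ->", verify_token(alice, now=t0 + 600))
```

On the real system `issue_token` would be a SAML or WS-Federation identity provider library running on the LAMP side, and the checks in `verify_token` would be done by ADFS (configured with ABC as a claims-provider trust), which then issues its own token to SharePoint; the group claims are what SharePoint's claims-based permissions are assigned against, which is the "groups still have to exist in XYZ" part of the question.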