I guess I could see that. In a way we do have multiple front ends, in the form of the different implementations of the stocktrader client. Once M2 is ready to rock, all front-ends should be able to connect to the same back end using their own passive STS (which in a way could represent multiple banks connecting to the same services).
The need for a passive STS in the client could still be justified, as the bank undoubtedly has multiple web applications that would also require authentication at the same source. I have versions of the swim lane in both configurations attached to the page in question [1]. I'll wait for a few more replies before I pull another swap.

- Nick Hauenstein

[1] http://cwiki.apache.org/confluence/pages/viewpageattachments.action?pageId=3474855
