How to map an external identity e.g. Yahoo to an internal AD identity using ADFS
Imagine I have ADFS sitting on top of AD and lots of internal users who log in to a claims-aware application and get claims from the AD.
At the same time we have external users who have to first register and then subsequently log in with their registered external identity.
Azure ACS is a STS that I can federate with ADFS. This allows external users to log in using Yahoo / Facebook / Google etc.
Now imagine that we want to allow existing external users to be able to log in with e.g. their existing Yahoo account.
How do I associate e.g. their Yahoo credentials with the information that is stored in the AD?
What information would be required for new external users when registering so that they could select e.g. their existing Yahoo account as their login yet still be able to find their correct identity within AD?
No response so asked the question on the Claims based access platform (CBA), code-named Geneva forum.
Summary: For existing users, they would have a facility to associate their existing account with a web identity.
For new users, they would be asked if they wanted to use an existing identity or pick a specific one for this site.
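
A sketch of the association facility summarized above, as an added example that is not part of the original post or the forum reply. The two claim type URIs are the ones ACS emits. The `LinkStore` class, the use of the AD userPrincipalName as the internal key, and the sample claim values are assumptions made for illustration.

```python
# Added example: link store mapping an external web identity to an AD account.
# The claim type URIs are emitted by ACS; all other names are hypothetical.
NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
IDP = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"


class LinkError(Exception):
    pass


def external_key(claims):
    """Build the lookup key from the issuer-scoped identifier, never from email."""
    idp, name_id = claims.get(IDP), claims.get(NAMEID)
    if not idp or not name_id:
        raise LinkError("token lacks identityprovider or nameidentifier claim")
    return (idp, name_id)


class LinkStore:
    def __init__(self):
        self._links = {}  # (idp, nameidentifier) -> AD userPrincipalName (assumed key)

    def link(self, ad_upn, external_claims):
        """Existing user: call only inside a session already authenticated to AD."""
        if not ad_upn:
            raise LinkError("linking requires an authenticated AD user")
        key = external_key(external_claims)
        owner = self._links.get(key)
        if owner is not None and owner != ad_upn:
            raise LinkError("external identity is already linked to another account")
        self._links[key] = ad_upn

    def resolve(self, external_claims):
        """Login: return the linked UPN, or None to route the user to registration."""
        return self._links.get(external_key(external_claims))


# Constructed sample claims, shaped like what a relying party sees after ACS.
yahoo_alice = {IDP: "Yahoo!", NAMEID: "constructed-opaque-id-1", "email": "alice@example.com"}
google_same_mail = {IDP: "Google", NAMEID: "constructed-opaque-id-2", "email": "alice@example.com"}

store = LinkStore()
store.link("alice@corp.example", yahoo_alice)
```

Keying on the identity provider plus name identifier means a second provider asserting the same email address does not resolve to the linked account, and an external identity cannot be re-bound to a different AD user.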