Windows Azure ACS allows for federated identification from outside agencies such as a Microsoft account or Facebook. Which entity issues the final token that your application will accept for access?