I am supporting a solution which acts as an IdP and STS in one. Think of it as an MVC app with simple, local authentication. I would like to put a link on a page in my site that builds a SAML payload and ships it through ACS and then on to a partner's site (which uses WIF to read incoming SAML2 payloads from ACS). I don't want to show another login page during the journey because by the time they are clicking my link they have already been authenticated. I just want to send claims to the destination Relying Party URL.
I can make this work by logging in to the Service Namespace site and choosing Application Integration. The custom login page for a Relying Party features a URL for a JavaScript file (IdentityProviders.js) that, when loaded, provides a LoginUrl as one of the JSON parameters. LoginUrl contains a wctx parameter (that looks to be encrypted or something) that I copy and then use like this:
    using System;
    // WIF 1.0 (Microsoft.IdentityModel.dll); on .NET 4.5 the same type lives in System.IdentityModel.Services
    using Microsoft.IdentityModel.Protocols.WSFederation;

    private SignInRequestMessage GetSignInRequestMessage()
    {
        // Base URL is the ACS namespace; the realm passed here is overwritten below
        SignInRequestMessage aMessage = new SignInRequestMessage(
            new Uri("https://something.accesscontrol.windows.net/"),
            "http://accesscontrol.windows.net/");

        aMessage.Reply = "http://localhost:65447/Home/SAML";                                 // wreply: the Relying Party landing page
        aMessage.Realm = "https://something.accesscontrol.windows.net/v2/wsfederation";     // wtrealm: the ACS WS-Federation endpoint
        aMessage.Context = THE_WCTX_PARAM_I_GRABBED;                                         // wctx: value copied from the LoginUrl in IdentityProviders.js

        return aMessage;
    }
The end result is that my link click carries me all the way through to the landing page within the Relying Party (http://localhost:65447/Home/SAML in this case), passing through ACS which allows for claim mapping and filtering and signature and encryption support.
I notice that when I change the Return URL in the corresponding Relying Party the wctx value is changed just slightly.
My goal is to be able to build that wctx parameter programmatically without having to grab a magic string. Can anyone offer advice?
Thanks,
Josh
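Added example, not part of Josh's post or of WIF/ACS: the two steps the post does by hand in Python, reading LoginUrl out of the IdentityProviders.js JSON at link-generation time and carrying its wctx into a WS-Federation sign-in request with the same wa/wtrealm/wreply/wctx fields that SignInRequestMessage writes. The feed entry is a constructed sample, its wctx value is a placeholder, and the "Name" key is assumed (only LoginUrl is named in the post).

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of one IdentityProviders.js entry. LoginUrl is the field
# the post names; "Name" is an assumed key and the wctx value is a placeholder
# standing in for the opaque string ACS mints for a given Relying Party.
SAMPLE_FEED = json.dumps([{
    "Name": "Josh's IdP",
    "LoginUrl": "https://idp.example.test/Account/SignIn?wa=wsignin1.0"
                "&wtrealm=https%3A%2F%2Fsomething.accesscontrol.windows.net%2Fv2%2Fwsfederation"
                "&wctx=rm%3D0%26id%3DPLACEHOLDER-OPAQUE-CONTEXT",
}])


def extract_wctx(feed_json, idp_name=None):
    """Return the wctx carried in the LoginUrl of one feed entry.

    ACS mints wctx and it changes when the Relying Party's Return URL changes,
    so it is read from the feed each time a link is built, never hard-coded.
    Raises ValueError when no entry carries a wctx.
    """
    for entry in json.loads(feed_json):
        if idp_name is not None and entry.get("Name") != idp_name:
            continue
        query = parse_qs(urlsplit(entry["LoginUrl"]).query)
        wctx = query.get("wctx", [""])[0]
        if wctx:
            return wctx
    raise ValueError("no LoginUrl with a wctx parameter in feed")


def build_signin_url(base_url, realm, reply, wctx):
    """Build the WS-Federation sign-in request (wa, wtrealm, wreply, wctx)
    that SignInRequestMessage would write for the given base URL."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply, "wctx": wctx}
    sep = "&" if "?" in base_url else "?"
    return base_url + sep + urlencode(params)


def signin_url_from_feed(feed_json, base_url, realm, reply, idp_name=None):
    """Whole path: feed -> wctx -> sign-in URL, i.e. what the post's link needs."""
    return build_signin_url(base_url, realm, reply, extract_wctx(feed_json, idp_name))


if __name__ == "__main__":
    print(signin_url_from_feed(
        SAMPLE_FEED,
        "https://something.accesscontrol.windows.net/",
        "https://something.accesscontrol.windows.net/v2/wsfederation",
        "http://localhost:65447/Home/SAML"))
```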