Out of box ACS supports live.com as a trusted identity issuer which means we can use a token issued by live.com to login into ACS. Here I will show how can you achieve this using passive (browser based) federation.
Inside Application AuthenticateRequest method of Global.asax I added following code redirect my web app to ACS to get a new token.
protected void Application AuthenticateRequest(object sender, EventArgs e)
var fam = HttpContext.Current.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
fam.SignedIn += new EventHandler(fam SignedIn);
var identity = Thread.CurrentPrincipal.Identity as ClaimsIdentity;
if (identity != null)
fam.Realm = "http://zamd.net/";
fam.Reply = "http://localhost:50037/WebForm1.aspx";
fam.Issuer = @"https://accesscontrol.windows.net/passivests/Eval01/livefederation.aspx";
string homeRealmSts = @"http://login.live.com";
String uniqueId = Guid.NewGuid().ToString();
SignInRequestMessage signInMsg = fam.CreateSignInRequest(uniqueId, fam.Realm, false);
// Redirect to the ACS passive STS for token issuance
Because here I specified live.com as my home realm, ACS will redirect me to live.com and actual login will take place there. After the succesful login, live.com will redirect me back to ACS with a token (issued by live.com). As ACS trusts this token, issued by live.com. It then runs it’s claims transformation logic (based on the claims issued by live.com) to generate a final token (issued by ACS). ACS then redirects the browser back to the Reply URI (my web app) along with final SAML token. Once back in my app, WSFederationAuthenticationModule, will see this new token and after verifying the issuer etc, it will use it to log me into my application.
Inside Application Start method, I [mis]configured various bits to make it work on test environment.
protected void Application Start(object sender, EventArgs e)
FederatedAuthentication.ServiceCertificate = GetACSCert();
FederatedAuthentication.IssuerNameRegistry = new TrustAllRegistry();
var saml11Handler = FederatedAuthentication.SecurityTokenHandlers[typeof(SamlSecurityToken)] as Saml11SecurityTokenHandler;
if (saml11Handler != null)
saml11Handler.SamlSecurityTokenRequirement.AudienceUriMode = System.IdentityModel.Selectors.AudienceUriMode.Never;