How does ADFS decide whether to trust a given WSFederation signin request and post a token back to my passive token issuer? Is it the entity id from federation metadata? Does the entity id get used in the wsfederation signin message?
Also, I have a little confusion about the signing/encryption certs advertised by my federation metadata and displayed in the claims trust configuration pages of ADFS.
Do the certs on the "Encryption" and "Certificate" tabs represent the certs that will be used by ADFS for encryption and signing the ADFS generated token or is that configured some place else in ADFS? For my custom ASP.NET MVC issuer, want to configure ADFS to sign with it's own cert and encrypt with my cert but not entirely sure how to do this in the MMC tool.
thanks