Assuming mixed mode security (i.e., layer 7 blobs sent over layer 4 SSL), which is the better service-side implementation strategy: do NOT declare a service cert, or declare one and expose a DNS/cert identity claim for the endpoint?
If you look at ACS's own MEX metadata, there are *no* identity claims attached to the endpoint addresses/references. If you think about it, why would blobOverTransport (mixed mode) even require a layer 7 "messaging-centric" service cert?
If one does impose it, it seems to give problems re identity validation DURING server-side processing. The issues are "not intuitive".
My *impression* is that IF you assign a behavior with a service cert to a mixed security endpoint, various messaging-level controls are imposed then - when preparing the output response (post GetScope). And these can induce some of WCF/WIF's horrid panoply of miserable error messages, including things discussing DNS claims (that seem to be induced by incompatibility between service cert CN fields and endpoint identity DNS value declarations). As usual in the WIF/WCF world, the error messages are worse than the error (being totally misleading).
So, if ALL I WANT IS a username blob over HTTPS, accompanying an RST, should I have the STS NOT declare a service cert for the service/endpoint?
(This seems to be what Thinktecture does, for (only) mixed mode.)
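The two service-side strategies the question contrasts, written out as WCF host code. This is an added example, not code from the original post, from ACS or from Thinktecture. It assumes a placeholder contract (`IStsContract`/`StsService`), a demo `UserNamePasswordValidator` with constructed credentials, and a certificate subject name supplied by the caller; the binding is `WS2007HttpBinding` in `TransportWithMessageCredential` mode with a `UserName` message credential, which is the "username blob over HTTPS" shape.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the STS endpoint that receives the RST.
[ServiceContract]
public interface IStsContract
{
    [OperationContract]
    string Issue(string rstXml);
}

public class StsService : IStsContract
{
    // Placeholder body; token issuance is not the subject of this example.
    public string Issue(string rstXml) => "<RSTR/>";
}

// Demo validator (hypothetical): this is where the message-level username blob is checked.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Constructed sample credentials; a real validator checks a credential store.
        if (userName != "alice" || password != "demo-password")
            throw new FaultException("Unknown username or incorrect password");
    }
}

public static class MixedModeHost
{
    // Mixed mode: HTTPS protects the channel, the username credential travels at the message layer.
    static WS2007HttpBinding MixedModeBinding()
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    static void ConfigureUserNameValidation(ServiceHost host)
    {
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoUserNameValidator();
    }

    // Strategy A: no service certificate declared on the host.
    // Only the HTTPS server certificate bound to the port is involved, and the
    // endpoint address carries no identity claim.
    public static ServiceHost HostWithoutServiceCert(Uri httpsAddress)
    {
        var host = new ServiceHost(typeof(StsService), httpsAddress);
        host.AddServiceEndpoint(typeof(IStsContract), MixedModeBinding(), "");
        ConfigureUserNameValidation(host);
        return host;
    }

    // Strategy B: a service certificate is declared, and the endpoint address
    // carries a DNS identity claim. The DNS value is read from the certificate's
    // subject instead of being typed a second time, so the two cannot disagree.
    public static ServiceHost HostWithServiceCertAndDnsIdentity(Uri httpsAddress, string certSubjectName)
    {
        var host = new ServiceHost(typeof(StsService));
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, certSubjectName);

        X509Certificate2 cert = host.Credentials.ServiceCertificate.Certificate;
        string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);

        var address = new EndpointAddress(httpsAddress, EndpointIdentity.CreateDnsIdentity(dnsName));
        var endpoint = new ServiceEndpoint(
            ContractDescription.GetContract(typeof(IStsContract)), MixedModeBinding(), address);
        host.AddServiceEndpoint(endpoint);
        ConfigureUserNameValidation(host);
        return host;
    }
}
```

Both hosts accept the same username credential; the only difference is whether a service certificate and a DNS identity are attached. In strategy B the identity value is derived from the certificate's subject precisely because the post attributes the DNS-claim errors to a mismatch between the certificate CN and the declared endpoint identity; keeping a single source for that value is the cheapest way to rule that mismatch out before looking at the WCF error text.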