For an IP-STS acting like ADFS, where the ADFS Windows integrated auth endpoint's binding looks like this:
<wsdl:port name="CustomBinding_IWSTrustFeb2005Async" binding="tns:CustomBinding_IWSTrustFeb2005Async">
  <soap12:address location="https://sts.foo.com/adfs/services/trust/2005/windowstransport" />
  <wsa10:EndpointReference>
    <wsa10:Address>https://sts.rapattoni.com/adfs/services/trust/2005/windowstransport</wsa10:Address>
    <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
      <Spn>host/sts.foo.com</Spn>
    </Identity>
  </wsa10:EndpointReference>
</wsdl:port>
What controls placement of the SPN line?
I thought it would be an identity element, with an spn child and the value host/sts.foo.com, in the web.config serviceModel section declaring the endpoint. But it's not (enough).
Is placement in the WSDL controlled, perhaps, by the IIS account running the app process having to actually have the claimed SPN?
Can we assume that ADFS is running under the COMPUTER account (which presumably has the HOST SPN)?