Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS Integrated AND Forms Based SAML auth from the same SP

There is a lot here, but my dilemma is complex. We are using WebEx Connect with federation and ADFS 2.0 on our local side; SAML is the protocol, not WS-Federation.

What I am trying to do is set up ADFS and the associated supporting pages such that, by default, you will be routed from WebEx back to integrated auth UNLESS you are coming from a mobile client, in which case you would be sent to forms auth. The WebEx Connect mobile apps for each of the phone platforms don't allow a browser-style popup for authentication and demand forms-based auth. The PC-based full-blown client utilizes IE to perform auth, so integrated works beautifully. However, it is really ridiculous that the mobile app is crippled in this way, especially since you can fire up the browser on the same phone and get authenticated, but that is neither here nor there. So...

I can use formssignin.aspx or my own custom one, but it must be SAML, not WS-Federation. It must be SP-initiated, so I cannot rely on IdP-initiated to do the work. One final requirement is that whatever SAMLResponse comes back must have AuthnContextClassRef set to a specific value REGARDLESS of which authentication type is used on the ADFS backend to perform the auth. This means that prior to sending the claim back, I'm guessing I'll have to spoof the AuthnContextClassRef value to be what is statically set up on the WebEx side (which appears to be easy in my trial tests).

I originally thought I could accomplish this via a redirect using UrlRewrite, sending you off to /adfs/ls/formssignin.aspx, but Paul Lemmers, in a different thread, enlightened me as to how the request comes in: formssignin.aspx (moreover, anything using the passive protocol) is looking for a Passive Logon Context, which is created when you are first sent through the passive protocol handler, which only happens if your authentication type was set to Forms first.

Any help would be greatly appreciated. By the way, I've been searching nearly non-stop for days and have looked at every post I could find on this topic; there doesn't appear to be anyone publicly in the same boat in terms of needing SAML support for two different auth methods while using service-provider-initiated referrals.

Thanks!
Michael
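As an added example for this thread (not code from Michael's post, from WebEx, or from ADFS itself): a Python script that decodes a SAMLResponse captured from the SP-initiated flow (for instance one capture from the PC client and one from the mobile client) and reports which AuthnContextClassRef ADFS actually returned, compared against the value the SP is assumed to be statically configured with. The expected class ref, the ADFS issuer URL, the SP ACS URL and the two class refs attributed to ADFS's forms and integrated authentication types are assumptions; the two sample responses are constructed and unsigned.

```python
"""Check which AuthnContextClassRef an IdP's SAMLResponse actually carries.

Added example for this thread, not code from the post, WebEx or ADFS.
Decodes a captured SAMLResponse (HTTP-POST or HTTP-Redirect binding),
extracts issuer, status, NameID and AuthnContextClassRef, and compares the
class ref with the value the SP is assumed to expect. Samples are constructed.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed: the value statically configured on the SP (WebEx) side.
EXPECTED_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Assumed: class refs ADFS emits for forms auth over HTTPS and for
# Windows integrated auth respectively.
ADFS_FORMS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
ADFS_INTEGRATED = "urn:federation:authentication:windows"


def decode_saml_message(encoded: str) -> str:
    """Decode base64 SAML from either binding.

    HTTP-POST carries plain base64 XML; HTTP-Redirect carries base64 over a
    raw DEFLATE stream with no zlib header, hence wbits=-15.
    """
    raw = base64.b64decode(encoded)
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_binding(xml_text: str) -> str:
    """Inverse of the Redirect-binding branch above (raw DEFLATE + base64)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def encode_post_binding(xml_text: str) -> str:
    """POST binding: plain base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def inspect_response(xml_text: str) -> dict:
    """Pull out the fields an SP integrator checks first."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # ADFS can emit saml:EncryptedAssertion instead; this example only
        # reports that no plain assertion is present, it does not decrypt.
        raise ValueError("no plain saml:Assertion in the Response")
    authn = assertion.find("saml:AuthnStatement", NS)
    class_ref = ""
    if authn is not None:
        class_ref = authn.findtext(
            "saml:AuthnContext/saml:AuthnContextClassRef", default="", namespaces=NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "status": status.get("Value", "") if status is not None else "",
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "authn_context": class_ref,
        "authn_context_ok": class_ref == EXPECTED_AUTHN_CONTEXT,
    }


def check_capture(encoded: str) -> dict:
    """Decode a captured SAMLResponse form/query parameter and inspect it."""
    return inspect_response(decode_saml_message(encoded))


def build_sample_response(class_ref: str, name_id: str) -> str:
    """Constructed, unsigned sample; a real ADFS response is signed."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2012-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


# Two constructed captures: PC client (integrated auth on the ADFS side)
# and mobile client (forms auth), before any class-ref override is applied.
PC_CAPTURE = encode_post_binding(build_sample_response(ADFS_INTEGRATED, "user@example.com"))
MOBILE_CAPTURE = encode_post_binding(build_sample_response(ADFS_FORMS, "user@example.com"))

if __name__ == "__main__":
    for label, cap in (("pc", PC_CAPTURE), ("mobile", MOBILE_CAPTURE)):
        print(label, check_capture(cap))
```

Run check_capture on the base64 SAMLResponse parameter taken from a browser or proxy capture of each client; the PC capture above fails the check because the integrated path reports a different class ref than the SP expects. In ADFS the AuthnContextClassRef of a SAML 2.0 response is derived from the authenticationmethod claim (http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod), which is assumed here to hold for ADFS 2.0 as well, so pinning the value is an issuance-rule change for that claim type, and this script is the check that the change took effect for both clients.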

