Imagine you have a number of .NET applications authenticating via ADFS, which acts as an RP-STS and in turn federates with another IP-STS.
Now, on the IP-STS, you want to know which RP the authentication request originally came from.
All the ADFS requests arrive over a single channel, so headers like "Referer:" are useless.
In your RP's web.config you can add a parameter like wreply or wtrealm, as per WS-Federation.
You'll see these in the URL going to ADFS, in the &wctx section. But none of that reaches the IP-STS: ADFS "removes" them. Instead there is a &wctx which is just a GUID.
And there is a cookie on the way which looks like:
where xxxyyy is Base64 encoded.
In ADFS 2.0 there was an entry in the web.config that told ADFS not to stash this information in a cookie but to send it as part of the query string, which makes for a lll-oon-nnn-ggg query string!
This entry was:
But in ADFS 3.0 there is no actual web.config. You have to look in:
and there's a file called:
but it has no such entry.
The trick is to use PowerShell:
Set-AdfsWebConfig -ContextCookieEnabled $False
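As an added example (not part of the original post), here is the same change wrapped in a small script: it shows the current setting, flips it, verifies the result, and then unpacks a WS-Federation sign-in URL so you can see what the IP-STS actually receives once the context travels in the query string instead of the cookie. It assumes the ADFS PowerShell module is present on the federation server (so Get-AdfsWebConfig and Set-AdfsWebConfig resolve), and that the wctx value follows the WIF convention of being a URL-encoded k=v&k=v string; the sample URL is constructed for illustration and is not a capture from any real ADFS.

```powershell
# Added example, not from the original post. Assumes the ADFS module is available
# on the federation server; the sample URL below is constructed, not captured.

function Show-AdfsContextCookieSetting {
    # Report whether ADFS is currently stashing the request context in a cookie
    # (true) or passing it along in the query string (false).
    $cfg = Get-AdfsWebConfig
    "ContextCookieEnabled is currently: $($cfg.ContextCookieEnabled)"
}

function Disable-AdfsContextCookie {
    # Equivalent of the ADFS 2.0 web.config entry: carry the context in the URL.
    # Caveat: the full wctx/wreply then lands in every proxy and web-server log
    # between the RP-STS and the IP-STS, and very long URLs can hit length limits.
    Set-AdfsWebConfig -ContextCookieEnabled $false
    $after = (Get-AdfsWebConfig).ContextCookieEnabled
    if ($after) {
        throw "ContextCookieEnabled is still true; run this as an ADFS administrator on the federation server."
    }
    "ContextCookieEnabled is now: $after"
}

function Get-WsFedSignInParameters {
    # Pull the WS-Federation parameters out of a sign-in URL and, where wctx is
    # itself a URL-encoded k=v&k=v string (WIF convention, an assumption here),
    # unpack it so the originating RP details are readable.
    param([Parameter(Mandatory)][string]$Url)

    Add-Type -AssemblyName System.Web
    $query  = ([System.Uri]$Url).Query
    $params = [System.Web.HttpUtility]::ParseQueryString($query)

    $result = [ordered]@{}
    foreach ($key in 'wa', 'wtrealm', 'wreply', 'wctx') {
        $result[$key] = $params[$key]
    }

    if ($result['wctx'] -and $result['wctx'] -match '=') {
        $inner = [System.Web.HttpUtility]::ParseQueryString($result['wctx'])
        $fields = [ordered]@{}
        foreach ($k in $inner.AllKeys) { $fields[$k] = $inner[$k] }
        $result['wctx_fields'] = $fields
    }

    [pscustomobject]$result
}

# Usage on the federation server:
#   Show-AdfsContextCookieSetting
#   Disable-AdfsContextCookie

# Constructed sample URL showing the context riding in the query string.
$sample = 'https://idp.example.com/adfs/ls/?wa=wsignin1.0' +
          '&wtrealm=urn%3Afederation%3Aexample-rp' +
          '&wreply=https%3A%2F%2Fapp.example.com%2F' +
          '&wctx=rm%3D0%26id%3Dpassive%26ru%3D%252Fsecure%252Fhome'

Get-WsFedSignInParameters -Url $sample | Format-List
```

Both cmdlets act on the whole farm's web configuration, so run them once, from the primary federation server, and confirm the value with Get-AdfsWebConfig before testing a sign-in. Bear in mind that wreply and wctx are client-supplied values; the IP-STS can use them to tell RPs apart for logging, but should not treat them as trusted for anything beyond that.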