Tags: azure, access-token, wif, acs

How do I do an active login into Windows Azure ACS


I have an Azure ACS set up. I have several IPs configured, one of which is a custom STS. The "passive" scenario, in which browser redirects are used to get the token from the IP to ACS and back again to my RP, works like a charm. In the passive scenario it is possible to use the homerealm to "guide" the ACS towards the IP-STS of my choice.
I am wondering now whether something similar is possible in the active scenario. More specifically: can I retrieve a token from ACS by providing a username and a password (and some id of the IP that will handle the username/password) to ACS?

(I want to keep knowledge about the custom STS out of my clients so I'm not asking the custom STS for a token directly)


Solution

  • OK, I found it. I need a two-step process. First request a token on the custom STS using a username and password (with audience set to the correct endpoint of the ACS STS). Next "exchange" this token for a token issued by the ACS as in: https://stackoverflow.com/questions/13675217/exchange-ip-sts-jwt-token-for-acs-jwt-token
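The two-step flow described in the answer, as an added example that is not part of the original post or the asker's code. It assumes the custom STS exposes a WS-Trust 1.3 endpoint that accepts a UsernameToken, and that the second step is the ACS 2.0 OAuth2 JWT-bearer exchange at `/v2/OAuth2-13`; the namespace `contoso`, the STS URL and the realm in the usage call are constructed placeholders. The security-relevant detail is that the first token's AppliesTo is the ACS namespace, not the RP, so only ACS ever consumes the IP-STS token and the client only talks to ACS for the RP token.

```python
"""Active login via ACS: (1) username/password to the IP-STS with AppliesTo = ACS,
(2) exchange that token at ACS for an ACS-issued token scoped to the relying party."""
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {  # namespaces used by a WS-Trust 1.3 request over SOAP 1.2
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
}
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

def acs_realm(namespace: str) -> str:
    # Audience the IP-STS token must carry: the ACS namespace itself, never the RP.
    return f"https://{namespace}.accesscontrol.windows.net/"

def build_rst(username: str, password: str, sts_url: str, audience: str, token_type: str) -> str:
    """Step 1: WS-Trust 1.3 Issue request authenticated with a UsernameToken (send over TLS only)."""
    q = lambda p, tag: f"{{{NS[p]}}}{tag}"
    env = ET.Element(q("s", "Envelope"))
    hdr = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
    ET.SubElement(hdr, q("wsa", "To")).text = sts_url
    ut = ET.SubElement(ET.SubElement(hdr, q("wsse", "Security")), q("wsse", "UsernameToken"))
    ET.SubElement(ut, q("wsse", "Username")).text = username
    ET.SubElement(ut, q("wsse", "Password"), Type=PASSWORD_TEXT).text = password
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
    ET.SubElement(rst, q("wst", "TokenType")).text = token_type
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = audience  # AppliesTo = ACS, not the RP
    return ET.tostring(env, encoding="unicode")

def build_acs_exchange(ip_token: str, rp_realm: str) -> dict:
    """Step 2 body: OAuth2 JWT-bearer grant POSTed to https://<ns>.accesscontrol.windows.net/v2/OAuth2-13."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": ip_token, "scope": rp_realm}

def post_form(url: str, fields: dict) -> str:
    """Minimal form POST; the ACS reply is JSON carrying the RP-scoped access_token."""
    req = urllib.request.Request(url, data=urlencode(fields).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()
```

To run it end to end: post `build_rst(...)` (Content-Type `application/soap+xml`) to the custom STS, pull the token out of the RSTR, then `post_form("https://contoso.accesscontrol.windows.net/v2/OAuth2-13", build_acs_exchange(token, "https://rp.example.test/"))`.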