I was having some issues today with a WS-Federation implementation using a passive STS. I was logging onto the STS, but when the browser redirected back to the client after a login, the client rejected the token and redirected me back to the STS again. There was no error message, and after searching online for a bit I found a way that I could possibly debug the WIF process.
I found this trace for WIF, which helped me trace WS-Federation issues as well. Once I saw the error “The issuer of the security token was not recognized by the IssuerNameRegistry” I immediately recognized it and knew what to do.
Add the following to the client's web.config (the relying-party application, not the STS).
<system.diagnostics>
  <trace autoflush="true"/>
  <sources>
    <source name="System.IdentityModel" switchValue="All">
      <listeners>
        <add name="xml"
             type="System.Diagnostics.XmlWriterTraceListener"
             initializeData="F:\Websites\ClientWIFLog.xml" />
      </listeners>
    </source>
  </sources>
</system.diagnostics>
It will produce an XML file that looks like this, and from it it should be easier to identify what is going on internally. A trace at switchValue="All" is verbose and can include the contents of the tokens and claims being processed, so write the file to a path outside any directory the web server serves, restrict who can read it, and remove the listener once the problem is found.
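The file written by XmlWriterTraceListener is a sequence of E2ETraceEvent elements with no enclosing root, so it is not a well-formed XML document and most parsers reject it as-is. The script below, added here as an example and not part of the original post, wraps the fragments in a synthetic root, pulls out the severity, source, time and message of each event, and filters down to the Critical/Error/Warning entries so the IssuerNameRegistry failure stands out. The sample trace embedded in it is constructed to match the listener's layout (the second event models the error quoted above); the exception type, timestamps and machine name in it are assumptions, not a real capture.

```python
"""Extract failures from a System.IdentityModel trace written by
System.Diagnostics.XmlWriterTraceListener (the listener configured above)."""
import xml.etree.ElementTree as ET

E2E_NS = "http://schemas.microsoft.com/2004/06/E2ETraceEvent"
SYS_NS = "http://schemas.microsoft.com/2004/06/windows/eventlog/system"

# Constructed sample in the XmlWriterTraceListener layout (assumption: not a
# real capture; a real file is far more verbose). Note there is no root element.
SAMPLE_TRACE = """\
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
  <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
    <EventID>0</EventID><Type>3</Type>
    <SubType Name="Information">0</SubType><Level>8</Level>
    <TimeCreated SystemTime="2012-03-01T10:15:02.1234567Z" />
    <Source Name="System.IdentityModel" />
    <Execution ProcessName="w3wp" ProcessID="4120" ThreadID="9" />
    <Channel /><Computer>WEB01</Computer>
  </System>
  <ApplicationData>Processing sign-in response from the STS.</ApplicationData>
</E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
  <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
    <EventID>0</EventID><Type>3</Type>
    <SubType Name="Error">0</SubType><Level>2</Level>
    <TimeCreated SystemTime="2012-03-01T10:15:02.2345678Z" />
    <Source Name="System.IdentityModel" />
    <Execution ProcessName="w3wp" ProcessID="4120" ThreadID="9" />
    <Channel /><Computer>WEB01</Computer>
  </System>
  <ApplicationData>
    <TraceData><DataItem>
      <TraceRecord Severity="Error"
          xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
        <Description>Handling an exception.</Description>
        <Exception>
          <ExceptionType>System.IdentityModel.Tokens.SecurityTokenException</ExceptionType>
          <Message>The issuer of the security token was not recognized by the IssuerNameRegistry.</Message>
        </Exception>
      </TraceRecord>
    </DataItem></TraceData>
  </ApplicationData>
</E2ETraceEvent>
"""

FAILURE_LEVELS = ("Critical", "Error", "Warning")


def parse_trace(raw):
    """Return the trace as a list of dicts: time, severity, source, message."""
    # The listener appends events with no root element, so wrap the fragments
    # before handing them to an XML parser.
    root = ET.fromstring("<trace>" + raw + "</trace>")
    events = []
    for ev in root.iter(f"{{{E2E_NS}}}E2ETraceEvent"):
        system = ev.find(f"{{{SYS_NS}}}System")
        subtype = system.find(f"{{{SYS_NS}}}SubType")
        source = system.find(f"{{{SYS_NS}}}Source")
        created = system.find(f"{{{SYS_NS}}}TimeCreated")
        app = ev.find(f"{{{E2E_NS}}}ApplicationData")
        # ApplicationData is either a bare string or nested TraceRecord/Exception
        # elements; joining every text node covers both forms.
        text = ""
        if app is not None:
            text = " ".join(t.strip() for t in app.itertext() if t.strip())
        events.append({
            "time": created.get("SystemTime") if created is not None else "",
            "severity": subtype.get("Name") if subtype is not None else "Unknown",
            "source": source.get("Name") if source is not None else "",
            "message": text,
        })
    return events


def failures(events, levels=FAILURE_LEVELS):
    """Keep only the events whose SubType is one of the failure levels."""
    return [e for e in events if e["severity"] in levels]


def load_trace(path):
    """Parse a trace file on disk; utf-8-sig tolerates a leading BOM."""
    with open(path, encoding="utf-8-sig") as fh:
        return parse_trace(fh.read())


if __name__ == "__main__":
    for e in failures(parse_trace(SAMPLE_TRACE)):
        print(e["time"], e["severity"], e["source"], e["message"])
```

Point load_trace at the initializeData path from the config to run it against a real log; the Information events are the ones to read once the failing step has been located, since they show which token handler and issuer the pipeline was working with just before the error.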