How to fallback authentication from ADFS to form-b

Published 2019-08-30 10:19

Question:

We have an ASP.NET application using Forms authentication (ASP.NET Membership). Now we would like to make it a claims-aware ASP.NET application for the scenario below:

  1. ADFS acts as an IP-STS for intranet (AD) users.
  2. If the AD user is not mapped to an ASP.NET Membership user, or the mapped ASP.NET Membership user does not have permission to access the application --> fall back to forms authentication (an external IP-STS).
  3. If the end user accesses the application from outside the domain, we don't want ADFS to prompt for Windows credentials. We would like to redirect the end user to our external IP-STS using forms authentication.

Is this scenario achievable? Or is there any other possible solution? And how should I set up/configure my application?

Thanks

Answer 1:

The classic solution to this problem is to have two ADFS instances with split DNS.

Internal users redirect to an ADFS in the Intranet configured for WIA.

External users redirect to an ADFS in the DMZ configured for FBA.

For your second point, it's not clear whether this is an internal or an external user.

If external (i.e. FBA), then you can modify the forms login page, access AD yourself and redirect appropriately.
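The routing decision that the answer above describes (intranet clients go to the WIA ADFS, everyone else to the FBA ADFS in the DMZ, and an AD user who is unmapped or unauthorized in ASP.NET Membership is sent back to the FBA STS) can be written down as a small home-realm-discovery function. The following is an added example and is not code from the question or the answer; in a real deployment split DNS makes the intranet/extranet choice and ADFS builds the redirect, so the STS URLs, network ranges, membership mapping and role table here are all constructed assumptions. The redirect builder uses the standard WS-Federation passive sign-in parameters (`wa=wsignin1.0`, `wtrealm`, `wreply`) and refuses a `wreply` that does not point back at the application's own origin, which is the open-redirect check a practitioner would want before trusting a return URL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlparse

# Hypothetical STS endpoints (assumption; real values come from the federation metadata).
INTRANET_STS = "https://adfs.corp.example/adfs/ls/"       # ADFS in the intranet, configured for WIA
EXTRANET_STS = "https://sts-ext.example.com/adfs/ls/"    # ADFS in the DMZ, configured for FBA

# Constructed intranet ranges; in the answer's design split DNS makes this choice instead.
INTRANET_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed mapping of AD UPN -> ASP.NET Membership user name.
MEMBERSHIP_MAP = {"alice@corp.example": "alice", "bob@corp.example": "bob"}
# Constructed role table: Membership users allowed into the application.
APP_ROLE_MEMBERS = {"alice"}

# The application's own realm (assumption).
APP_REALM = "https://app.corp.example/"


@dataclass
class Decision:
    sts: Optional[str]   # STS to redirect to, or None if the user may proceed
    reason: str


def is_intranet(client_ip: str) -> bool:
    """True if the client address falls inside one of the intranet ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTRANET_NETWORKS)


def choose_sts(client_ip: str, ad_upn: Optional[str] = None) -> Decision:
    """Home realm discovery for the scenario in the question.

    ad_upn is the UPN claim from the WIA ADFS once the user has signed in there,
    or None if the request has not been authenticated yet.
    """
    if not is_intranet(client_ip):
        # Point 3: never let an external client hit the WIA endpoint.
        return Decision(EXTRANET_STS, "external client, use forms authentication")
    if ad_upn is None:
        return Decision(INTRANET_STS, "intranet client, sign in with WIA")
    member = MEMBERSHIP_MAP.get(ad_upn)
    if member is None:
        # Point 2a: AD user with no Membership account.
        return Decision(EXTRANET_STS, "AD user not mapped to a Membership user")
    if member not in APP_ROLE_MEMBERS:
        # Point 2b: mapped, but not permitted to use this application.
        return Decision(EXTRANET_STS, "mapped Membership user lacks permission")
    return Decision(None, "authorized")


def build_signin_url(sts: str, realm: str, reply: str) -> str:
    """Build a WS-Federation passive sign-in request for the chosen STS.

    Rejects a wreply whose origin differs from the realm so that an attacker cannot
    turn the sign-in round trip into an open redirect.
    """
    r, w = urlparse(realm), urlparse(reply)
    if (r.scheme, r.netloc) != (w.scheme, w.netloc):
        raise ValueError("wreply must be on the application's own origin")
    query = urlencode({"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply})
    return f"{sts}?{query}"


def sign_in_redirect(client_ip: str, return_url: str,
                     ad_upn: Optional[str] = None) -> Optional[str]:
    """Full flow: decide the realm, then produce the redirect URL (or None)."""
    decision = choose_sts(client_ip, ad_upn)
    if decision.sts is None:
        return None
    return build_signin_url(decision.sts, APP_REALM, return_url)


if __name__ == "__main__":
    for ip, upn in [("203.0.113.5", None), ("10.1.2.3", None),
                    ("10.1.2.3", "alice@corp.example"),
                    ("10.1.2.3", "bob@corp.example"),
                    ("10.1.2.3", "carol@corp.example")]:
        d = choose_sts(ip, upn)
        print(f"{ip:12} {upn or '-':22} -> {d.sts or 'proceed'} ({d.reason})")
```

The origin comparison in `build_signin_url` deliberately compares scheme and host rather than using a string prefix check, since `https://app.corp.example.evil.test/` would pass a naive `startswith` test against a realm without a trailing slash.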