A custom login page for Azure ACS not working

Published 2019-02-15 13:51

Question:

I downloaded the sample login page from the ACS portal for my application, which is an HTML file. I then configured my application with WIF, and everything worked perfectly.

Since we need to handle and save an incoming querystring, so that the querystring can be used later after the user has logged in, we needed to move the HTML login page to an aspx page.

The problem is that when I change the issuer for WIF in the web.config file to the aspx file, it stops working. When it works it looks like this:

<certificateValidation certificateValidationMode="None" />
<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:81/acstest/WebSiteAdvancedACSLoginPageCode.html" realm="http://localhost:81/acstest/" requireHttps="false" />
  <cookieHandler requireSsl="false" />
</federatedAuthentication>

But when I change it to my aspx page, into which I just moved all the code from the HTML page, I can't even load the page:

<certificateValidation certificateValidationMode="None" />
<federatedAuthentication>
  <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:81/acstest/WebSiteAdvancedACSLoginPageCode.aspx" realm="http://localhost:81/acstest/" requireHttps="false" />
  <cookieHandler requireSsl="false" />
</federatedAuthentication>

When I then run with the aspx file configured, I can see in Fiddler that something isn't right: it tries a GET and keeps getting "object moved to here:". This is the GET request:

GET http://localhost:81/acstest/WebSiteAdvancedACSLoginPageCode.aspx?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%3a81%2facstest%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252facstest%252fWebSiteAdvancedACSLoginPageCode.aspx&wct=2011-11-23T09%3a33%3a30Z HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: sv-SE
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: localhost:81
Cookie: ACSChosenIdentityProvider-10001951=Google

In the end it throws an exception that the querystring is too long. The error and warning of the request:

MODULE_SET_RESPONSE_ERROR_STATUS

ModuleName UrlAuthorization

Notification AUTHORIZE_REQUEST

HttpStatus 401

HttpReason Unauthorized

HttpSubStatus 0

ErrorCode Åtgärden har slutförts. (0x0)

ConfigExceptionInfo

Any feedback or alternative solution is appreciated.

Answer 1:

The "issuer" should still be ACS, not your site (unless you implement your own STS, which doesn't look like you want to). Issuer == STS in WIF configuration.

The best candidate to preserve state (e.g. urls, etc) across the token negotiation (which happens through redirects) is through the wctx parameter. You can set this programmatically.

Look at the sample #7 from this download: http://www.microsoft.com/download/en/details.aspx?id=27289

Chapter: http://msdn.microsoft.com/en-us/library/hh446534.aspx from this Guide: http://msdn.microsoft.com/en-us/library/ff423674.aspx

The code looks like this (fragment):

using System;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;

// Inside the sample's MVC authorization filter: context is the AuthorizationContext,
// GetReturnUrl and organizationName come from the surrounding sample code.
var returnUrl = GetReturnUrl(context.RequestContext);

// user is not authenticated and it's entering for the first time
var fam = FederatedAuthentication.WSFederationAuthenticationModule;
var signIn = new SignInRequestMessage(new Uri(fam.Issuer), fam.Realm)
{
    // wctx: opaque state the STS echoes back unchanged after sign-in
    Context = returnUrl.ToString(),
    Realm = string.Format("https://localhost/f-shipping.7/{0}", organizationName)
};

// Redirect the browser to the STS (the issuer), not to a page on the application itself
context.Result = new RedirectResult(signIn.WriteQueryString());
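The wctx round trip the answer describes, as an added Python example that is not code from the question, the answer, or the WIF sample: it builds the wsignin1.0 request with the same rm/id/ru fields seen in the captured GET, and on the way back accepts the ru value only when it is a path under the realm, since wctx returns from the STS as untrusted input. The ACS namespace in ISSUER is a placeholder; the realm and the return URL are constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values: a placeholder ACS namespace and the realm from the question.
ISSUER = "https://YOUR-NAMESPACE.accesscontrol.windows.net/v2/wsfederation"
REALM = "http://localhost:81/acstest/"


def build_signin_url(return_url, issuer=ISSUER, realm=REALM, wct=None):
    """Build the WS-Federation passive sign-in request (wa=wsignin1.0).

    wctx is opaque application state that the STS echoes back unchanged; we
    pack the same rm/id/ru fields WIF itself uses (see the captured GET).
    """
    wctx = urlencode({"rm": "0", "id": "passive", "ru": return_url})
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wctx": wctx}
    if wct is not None:
        params["wct"] = wct
    return issuer + "?" + urlencode(params)


def parse_signin_url(url):
    """Return the wa/wtrealm/wctx(/wct) parameters as the STS would see them."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def return_url_from_wctx(wctx, realm=REALM):
    """Recover ru from the wctx the STS sent back, or None if it is not local.

    wctx has been through a cross-site redirect, so treat it as untrusted on
    the way back: only a path under the realm is accepted, which blocks open
    redirects to absolute, protocol-relative or backslash-prefixed URLs.
    """
    ru = parse_qs(wctx, keep_blank_values=True).get("ru", [""])[0]
    if not ru.startswith("/") or ru[1:2] in ("/", "\\"):
        return None
    parts = urlsplit(ru)
    if parts.scheme or parts.netloc:
        return None
    realm_path = urlsplit(realm).path or "/"
    if not realm_path.endswith("/"):
        realm_path += "/"
    if ru != realm_path.rstrip("/") and not ru.startswith(realm_path):
        return None
    return ru
```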