I remember there's some custom SAML token generation code in one of the ACS samples. That would be a good place to start. You can download it here, look for the OAuth2CertificateSample, SelfSignedSaml2TokenGenerator.cs. The code looks like this:

/// <summary>
/// Creates a SAML assertion signed with the given certificate.
/// </summary>
public static Saml2SecurityToken GetSamlAssertionSignedWithCertificate(String nameIdentifierClaim, byte[] certificateWithPrivateKeyRawBytes, string password)
{
    string acsUrl = string.Format(CultureInfo.InvariantCulture, "https://{0}.{1}", SamplesConfiguration.ServiceNamespace, SamplesConfiguration.AcsHostUrl);

    Saml2Assertion assertion = new Saml2Assertion(new Saml2NameIdentifier(nameIdentifierClaim));

    Saml2Conditions conditions = new Saml2Conditions();
    conditions.NotBefore = DateTime.UtcNow;
    conditions.NotOnOrAfter = DateTime.MaxValue;
    conditions.AudienceRestrictions.Add(new Saml2AudienceRestriction(new Uri(acsUrl, UriKind.RelativeOrAbsolute)));
    assertion.Conditions = conditions;

    Saml2Subject subject = new Saml2Subject();
    subject.SubjectConfirmations.Add(new Saml2SubjectConfirmation(Saml2Constants.ConfirmationMethods.Bearer));
    subject.NameId = new Saml2NameIdentifier(nameIdentifierClaim);
    assertion.Subject = subject;

    X509SigningCredentials clientSigningCredentials = new X509SigningCredentials(
            new X509Certificate2(certificateWithPrivateKeyRawBytes, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable));

    assertion.SigningCredentials = clientSigningCredentials;

    return new Saml2SecurityToken(assertion);
}

Also, the authentication process doesn't require issued claims to be described in federation metadata. The claims published in federation metadata are only hints for the token consumer as to what they should expect to find in the issued token.