After a few more fiddles, we made our WCF client (built by creating a service reference) use a custom binding to talk to our custom STS and receive in return an unencrypted SAML assertion with an asymmetric proof key. That assertion is then used in a SOAP call to a service that reverses a string: the service's own bindings make the client sign the request headers, and the server confirms both that the signing public key is the one confirmed by the assertion and that the assertion's own signature is backed by a certificate whose issuer is listed as a trusted issuer.
The interaction with the STS is initiated automatically by the custom binding, using an ephemeral RSA key. It only works against WS-Trust 1.3 generation STS endpoints.
The client MUST have the interactive flag set to false (otherwise the CardSpace UI is sought):
The client-side binding must also be modified from the auto-generated one so that it cites, and uses, a WS-Security binding that is not augmented for asymmetric keys when talking to the STS.
The service endpoint's binding became (forcing the trust version):
The STS service that accepts and handles the proof signature on the RST with UseKey fields had its contract put into an explicit namespace (so the WSDL policies do not go into separate files).
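The client and service setup the post describes, written out as an added C# example (this is not the post's own code or configuration): a custom binding that fetches a SAML 1.1 assertion with an asymmetric proof key from a WS-Trust 1.3 STS, the client credentials' `SupportInteractive` flag forced to false, and a service host that only accepts assertions whose signature chains to a listed issuer certificate. The `IReverse` contract, the addresses, the certificate subjects and the username-over-HTTPS authentication to the STS are assumptions; the STS implementation itself is not shown. The explicit `Namespace` on the contract is the same technique the post applies to the STS contract.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Hypothetical contract for the string-reversing service (the post does not show its contract).
[ServiceContract(Namespace = "http://example.invalid/reverse")]
public interface IReverse
{
    [OperationContract]
    string Reverse(string s);
}

public class ReverseService : IReverse
{
    public string Reverse(string s) { var a = s.ToCharArray(); Array.Reverse(a); return new string(a); }
}

public static class IssuedTokenExample
{
    // Placeholder addresses and certificate subjects; none of these come from the post.
    const string StsAddress = "https://sts.example.invalid/trust13";
    const string ServiceAddress = "https://service.example.invalid/reverse";
    const string ServiceCertSubject = "CN=service.example.invalid";
    const string IssuerCertSubject = "CN=sts.example.invalid";

    // WS-Security 1.1 with WS-Trust 1.3: this is what forces the trust version on both legs.
    static readonly MessageSecurityVersion Trust13 =
        MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;

    // Binding used only for the RST/RSTR exchange with the STS: an ordinary WS-Security
    // binding (username over HTTPS, an assumption) that is not augmented for asymmetric keys.
    static Binding BuildIssuerBinding()
    {
        var sec = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        sec.MessageSecurityVersion = Trust13;
        return new CustomBinding(sec, new TextMessageEncodingBindingElement(), new HttpsTransportBindingElement());
    }

    // Binding for the application service: the initiator token is the issued SAML assertion,
    // the proof key is asymmetric, and the recipient token is the service's certificate.
    static Binding BuildServiceBinding()
    {
        var issued = new IssuedSecurityTokenParameters
        {
            TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
            KeyType = SecurityKeyType.AsymmetricKey, // with no client certificate set, WCF generates an ephemeral RSA pair
            IssuerAddress = new EndpointAddress(StsAddress),
            IssuerBinding = BuildIssuerBinding(),
            DefaultMessageSecurityVersion = Trust13,
        };
        var sec = SecurityBindingElement.CreateIssuedTokenForCertificateBindingElement(issued);
        sec.MessageSecurityVersion = Trust13;
        sec.IncludeTimestamp = true; // signed timestamp in the headers the client signs
        return new CustomBinding(sec, new TextMessageEncodingBindingElement(), new HttpsTransportBindingElement());
    }

    // Client side: the binding drives the STS round trip before the first call goes out.
    public static string CallReverse(string input, string stsUser, string stsPassword)
    {
        var factory = new ChannelFactory<IReverse>(BuildServiceBinding(), new EndpointAddress(ServiceAddress));
        factory.Credentials.SupportInteractive = false; // never fall back to the CardSpace selector UI
        factory.Credentials.UserName.UserName = stsUser; // used on the STS leg only (assumption)
        factory.Credentials.UserName.Password = stsPassword;
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.TrustedPeople,
            X509FindType.FindBySubjectDistinguishedName, ServiceCertSubject);
        var channel = factory.CreateChannel();
        try { return channel.Reverse(input); }
        finally { ((IClientChannel)channel).Close(); factory.Close(); }
    }

    // Service side: holder-of-key proof is checked by the binding; issuer trust is pinned here.
    public static ServiceHost BuildServiceHost()
    {
        var host = new ServiceHost(typeof(ReverseService), new Uri(ServiceAddress));
        host.AddServiceEndpoint(typeof(IReverse), BuildServiceBinding(), ServiceAddress);
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, ServiceCertSubject);

        var issuedAuth = host.Credentials.IssuedTokenAuthentication;
        issuedAuth.AllowUntrustedRsaIssuers = false; // assertion must be signed by a certificate, not a bare RSA key
        issuedAuth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        issuedAuth.KnownCertificates.Add(LoadIssuerCertificate()); // the trusted-issuer list
        issuedAuth.AudienceUriMode = AudienceUriMode.Always; // assertion must name this service
        issuedAuth.AllowedAudienceUris.Add(ServiceAddress);
        return host;
    }

    static X509Certificate2 LoadIssuerCertificate()
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, IssuerCertSubject, validOnly: false);
            if (found.Count == 0) throw new InvalidOperationException("STS issuer certificate is not installed");
            return found[0];
        }
        finally { store.Close(); }
    }
}
```

Because no `ClientCertificate` is configured on the client credentials, WCF generates an ephemeral RSA key pair for the `AsymmetricKey` proof key and carries its public half in the RST's UseKey, which is the behaviour the post relies on; configuring a client certificate would make that certificate the proof key instead. On the host, `AllowUntrustedRsaIssuers = false` together with `KnownCertificates` is what turns "the assertion is signed" into "the assertion is signed by an issuer we listed".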