We minted a SAML assertion using our local STS. And then we sent it, per the instructions of others, to ACS. Before that we had imported the metadata of our STS into ACS and assigned this new issuer to a given RP.
Note that the audience field of the assertion must target the ACS namespace (not the scope of the RP). Below, we see the result of asking the WRAP endpoint to translate the above "set of claims" (verified almost as an endorsing token, to produce some claims).
One must give a scope to the request, to which the issuer has been bound (and rules assigned).
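The WRAP exchange just described, as an added example that is not code from the original post: it checks that the SAML assertion's audience is the ACS namespace (the mistake the note above warns about), builds the form body for the ACS WRAP v0.9 endpoint with the RP realm as `wrap_scope`, and parses the form-encoded reply. The namespace, realm and assertion are constructed placeholders, and the assertion is unsigned (a real one from the STS is signed).

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Placeholder ACS v2 namespace and RP realm (assumed values, not from the post).
ACS_NAMESPACE = "https://example-ns.accesscontrol.windows.net/"
RP_REALM = "http://localhost/myrp/"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned SAML 2.0 assertion skeleton; {aud} is filled in below.
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_1" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">'
    "<saml:Issuer>http://localhost/mysts/</saml:Issuer>"
    "<saml:Conditions><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
)

def assertion_audiences(assertion_xml):
    """Return every Audience value inside the assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)]

def check_audience(assertion_xml, acs_namespace=ACS_NAMESPACE):
    """ACS accepts the assertion only if its audience is the ACS namespace, not the RP realm."""
    return acs_namespace in assertion_audiences(assertion_xml)

def build_wrap_request(assertion_xml, scope=RP_REALM, acs_namespace=ACS_NAMESPACE):
    """Return (endpoint URL, form body) for the WRAP v0.9 SAML exchange; refuse a wrong audience."""
    if not check_audience(assertion_xml, acs_namespace):
        raise ValueError("audience must be %s, got %s" % (acs_namespace, assertion_audiences(assertion_xml)))
    body = urllib.parse.urlencode({
        "wrap_assertion_format": "SAML",
        "wrap_assertion": assertion_xml,
        "wrap_scope": scope,  # the RP realm the issuer and its rules are bound to
    })
    return acs_namespace + "WRAPv0.9/", body

def parse_wrap_response(body):
    """Parse the form-encoded WRAP reply into (access token, seconds until expiry)."""
    fields = urllib.parse.parse_qs(body, strict_parsing=True)
    return fields["wrap_access_token"][0], int(fields["wrap_access_token_expires_in"][0])
```

The body is POSTed to the returned URL as `application/x-www-form-urlencoded`; the token that comes back is whatever token type the RP is configured for.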
Since this RP has the JWT token type assigned, I was half expecting a JWT back (note). Perhaps, next, I should try this variant of the code:
Posting to the OAuth endpoint does indeed return a JWT:
I'm going to guess it's important that the RP has a rule set with a rule for ACS, and pass-through set for all attributes.