I have an application that authenticates against ADFS 2 via WS-Federation. I look for a specific claim when I get the response back from ADFS and, based on that claim, I am able to authorize the user into my application. I want to create an enhancement in which, when a user authenticates against ADFS and comes back to my application WITHOUT the claim I require, I redirect them back to the Identity Provider (ADFS), but this time FORCING them to provide their credentials again. I wrote my code to detect an authenticated user that is missing the claim I require and send them back to reauthenticate, this time sending along the "Freshness" parameter (wfresh=0). I was under the impression that this would prompt the user for credentials, but it seems to just reuse the original credentials which, of course, causes an infinite loop (which ADFS halts). How can I achieve this?
My URL looks like this when I send them back to the IdP after not having the required claim:
https://somedomain.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=https%3a%2f%2fanotherdomain.com%2flogin.ashx&wreply=https%3a%2f%2fanotherdomain%2flogin.ashx&wctx=1106273&wfresh=0
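As an added illustration (not code from the question), the flow described above with one safeguard against the redirect loop: the application packs a re-auth counter into the opaque `wctx` value it sends to the IdP and, once a forced re-auth has already happened, shows a denial instead of redirecting again. The endpoints, claim type and counter format are hypothetical.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical endpoints and claim type, constructed for this example.
IDP_SIGNIN = "https://idp.example.test/adfs/ls/"
APP_REPLY = "https://app.example.test/login.ashx"
REQUIRED_CLAIM = "http://schemas.example.test/claims/role"
MAX_FORCED_REAUTH = 1  # allow exactly one forced re-auth before giving up


def build_signin_url(wctx: str, force_fresh: bool) -> str:
    """Build the WS-Federation passive sign-in request URL.

    wfresh=0 requests a token freshness of 0 minutes, i.e. asks the IdP
    to collect credentials again rather than reuse its existing session.
    """
    params = {"wa": "wsignin1.0", "wtrealm": APP_REPLY,
              "wreply": APP_REPLY, "wctx": wctx}
    if force_fresh:
        params["wfresh"] = "0"
    return f"{IDP_SIGNIN}?{urlencode(params)}"


def parse_wctx(wctx: str) -> Tuple[str, int]:
    """wctx is opaque to the IdP and echoed back unchanged, so the app can
    carry its own state in it; here the format is '<return-id>:<reauth-count>'
    (an assumption of this example). A bare '<return-id>' means count 0."""
    return_id, _, count = wctx.partition(":")
    return return_id, int(count or 0)


def decide(claims: Dict[str, str], wctx: str) -> Tuple[str, Optional[str]]:
    """Decide what to do with a user who has just signed in.

    Returns ("allow", None), ("redirect", signin_url) or ("deny", None).
    """
    if REQUIRED_CLAIM in claims:
        return ("allow", None)
    return_id, count = parse_wctx(wctx)
    if count >= MAX_FORCED_REAUTH:
        # Break the loop: the user was already sent back once with wfresh=0
        # and still lacks the claim, so show an access-denied page instead.
        return ("deny", None)
    next_ctx = f"{return_id}:{count + 1}"
    return ("redirect", build_signin_url(next_ctx, force_fresh=True))
```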