I have setup ACS on Azure and enabled WIF on my MVC 4 site hosted on Azure. I also made a Windows Store App.

To be able to login from my windows store app i had to put this controller on the website to redirect the login to the webauthenticationbroker in the metro app.

public HttpResponseMessage Post()
        {
            var data = this.Request.Content.ReadAsFormDataAsync();
            var test = data.Result;

            var response = this.Request.CreateResponse(HttpStatusCode.Redirect);
            var identity = ((ClaimsIdentity)((ClaimsPrincipal)HttpContext.Current.User).Identity);
            var token = data.Result["wresult"];

            response.Headers.Add("Location", "/api/federation/end?acsToken=" + "hello");

            return response;
        }

There is two problems.
1) I cant return the token to Metro because its to long. A big xml with claims. What is it i should send to my client?

2) When i use WebAuthenticationBroker.AuthenticateAsync – if i want to use the following url to login(it pops up and people can pick what provider to use) the return url needs to be set on the ACS management site. It need to point to my controller /mysite/federation/.

https://traffictheory.accesscontrol.windows.net:443/v2/wsfederation?wa=wsignin1.0&wtrealm=/mysite/

and if i dont have this return url set to /mysite/ the authentication do not work on the mcv site.

I found one solution, setting the return url to /mysite/ and then in the windows store app i need to parse the identifiers myself.

    var client = new HttpClient();
    var response = await client.GetAsync("https://traffictheory.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=/mysite/&reply_to=/mysite/federation&context=&request_id=&version=1.0&callback=");
    var result = await response.Content.ReadAsStringAsync();

and pass a provider login to the authentication broker.

Is there another way?