This looks promising:
http://social.technet.microsoft.com/wiki/contents/articles/3910.extending-the-error-diagnostics-of-adfs.aspx
One really helpful aspect of ADFS 2.x is that the passive federation endpoint pages it ships with (the ASPX pages and global.asax under the adfs/ls application in IIS) have code-behind you can edit. This is useful for adding code that picks a default home realm or otherwise alters ADFS behaviour for a custom reason, and it also gives you a simple place to do your own validation of received SAMLResponses, or to manipulate a SAMLResponse before ADFS consumes it in order to get some capability ADFS does not provide. Note that this applies to the IIS-hosted ADFS 2.0 and 2.1; from Windows Server 2012 R2 onward ADFS no longer runs in IIS and these pages are not there to edit.
Typically there are several standard things to check in an incoming SAMLResponse. ADFS checks them too, but its error message is not always human readable or easy to map back to the actual cause. Some examples:
- Check the signature against what ADFS is configured to expect for that partner: it is present, it uses the expected algorithm (for example rsa-sha256 rather than rsa-sha1), and it was made with the signing certificate configured on the trust
- Check encryption as ADFS is configured: the assertion is encrypted when the trust has an encryption certificate, and is not encrypted when it does not
- Check the usual SAML conditions: the Issuer matches the identifier configured for the partner, and the assertion's validity window (NotBefore / NotOnOrAfter) has not expired
Checking these details in a received SAMLResponse yourself, and reporting which one failed, lets you tell your partner exactly what to fix so they can handle the problem quickly.
One common request is to log every SAMLResponse ADFS receives to a database. To do this, add some code to the global.asax.cs file such as the following snippet. Bear in mind what you are storing: unless the partner encrypts assertions, the logged response contains the user's claims in clear text together with a signed token that remains valid until its NotOnOrAfter time, so the logging database needs the same protection as ADFS's own stores.
public void Application_BeginRequest()
{
    HttpRequest request = HttpContext.Current.Request;
    // The HTTP-POST binding delivers the response as a base64-encoded form field named SAMLResponse
    if (!String.IsNullOrEmpty(request["SAMLResponse"]))
    {
        // SaveSamlResponseToDB is your own persistence routine; the indexer already returns a string
        SaveSamlResponseToDB(request["SAMLResponse"]);
    }
}
After doing this you can manipulate the SAMLResponse and do custom validation on it. This provides a mechanism for doing additional validation beyond what ADFS currently does and is very helpful for various testing scenarios. Keep in mind that anything covered by the XML signature (the whole Response, or just the Assertion, depending on what the partner signs) cannot be changed without invalidating that signature, so manipulation is limited to the unsigned parts or to test setups where you control the partner's signing key.
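The checks listed above, wired into the global.asax.cs hook just described, as an added example in C#. This is not code from the TechNet article or from ADFS itself; it assumes ADFS 2.x on .NET 4.x, and the class name Global, the field values ExpectedSigningThumbprint, ExpectedSignatureMethod and RequireEncryptedAssertion, and the use of Trace for output are stand-ins you would replace with the values from the configured trust and your own logging.

```csharp
// Added example, not from the TechNet article or from ADFS itself: the checks described above as a
// helper that the Application_BeginRequest hook in global.asax.cs calls. Assumes ADFS 2.x on .NET 4.x;
// the thumbprint, algorithm and encryption expectation below are hypothetical stand-ins for trust settings.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Web;
using System.Xml;

public class SamlResponseDiagnostics
{
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Hypothetical per-partner expectations; take the real values from the configured claims provider trust.
    public string ExpectedSigningThumbprint = "0000000000000000000000000000000000000000";
    public string ExpectedSignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    public bool RequireEncryptedAssertion = true;

    // Returns human-readable findings; an empty list means every check passed.
    public List<string> Inspect(string samlResponseFormField)
    {
        var findings = new List<string>();
        // XmlResolver = null: never fetch external entities; PreserveWhitespace keeps canonicalization intact.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        try
        {
            // HTTP-POST binding: the form field is the base64-encoded XML document.
            doc.LoadXml(Encoding.UTF8.GetString(Convert.FromBase64String(samlResponseFormField)));
        }
        catch (FormatException e) { findings.Add("SAMLResponse is not valid base64: " + e.Message); return findings; }
        catch (XmlException e) { findings.Add("SAMLResponse is not well-formed XML: " + e.Message); return findings; }

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", SamlpNs);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsNs);
        if (doc.SelectSingleNode("/samlp:Response", ns) == null)
        { findings.Add("root element is not samlp:Response"); return findings; }

        // Encryption: ADFS expects saml:EncryptedAssertion exactly when the trust has an encryption certificate.
        bool encrypted = doc.SelectSingleNode("/samlp:Response/saml:EncryptedAssertion", ns) != null;
        if (RequireEncryptedAssertion && !encrypted)
            findings.Add("assertion is not encrypted, but this partner is configured for encryption");
        if (!RequireEncryptedAssertion && encrypted)
            findings.Add("assertion is encrypted, but no decryption certificate is configured for this partner");

        // Signature: the Response or a plaintext Assertion may carry it; check the outermost one found.
        var sig = (doc.SelectSingleNode("/samlp:Response/ds:Signature", ns)
                   ?? doc.SelectSingleNode("/samlp:Response/saml:Assertion/ds:Signature", ns)) as XmlElement;
        if (sig == null)
        { findings.Add("no ds:Signature on the Response or on a plaintext Assertion"); return findings; }
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sig);
        string method = signedXml.SignedInfo.SignatureMethod;
        if (!string.Equals(method, ExpectedSignatureMethod, StringComparison.Ordinal))
            findings.Add("signature algorithm is " + method + ", expected " + ExpectedSignatureMethod);

        X509Certificate2 cert = FirstCertificate(signedXml.KeyInfo);
        if (cert == null)
        { findings.Add("ds:KeyInfo carries no X509Certificate to compare with the configured signing certificate"); return findings; }
        if (!string.Equals(cert.Thumbprint, ExpectedSigningThumbprint, StringComparison.OrdinalIgnoreCase))
            findings.Add("signed with thumbprint " + cert.Thumbprint + ", expected " + ExpectedSigningThumbprint);

        // Verify with the embedded certificate only; ADFS performs its own chain and revocation checks.
        // Runtimes older than .NET 4.6.2 throw for rsa-sha256 unless a SignatureDescription was registered.
        try
        {
            if (!signedXml.CheckSignature(cert, true))
                findings.Add("signature does not verify with the embedded certificate");
        }
        catch (CryptographicException e) { findings.Add("runtime cannot process " + method + ": " + e.Message); }
        return findings;
    }

    static X509Certificate2 FirstCertificate(KeyInfo keyInfo)
    {
        foreach (KeyInfoClause clause in keyInfo)
        {
            var x509 = clause as KeyInfoX509Data;
            if (x509 != null && x509.Certificates != null && x509.Certificates.Count > 0)
                return new X509Certificate2((X509Certificate)x509.Certificates[0]);
        }
        return null;
    }
}

// global.asax.cs: the Application_BeginRequest hook from the article, running the checks next to the logging.
public class Global : HttpApplication
{
    static readonly SamlResponseDiagnostics Diagnostics = new SamlResponseDiagnostics();

    protected void Application_BeginRequest()
    {
        // Request.Form rather than Request[...]: only the HTTP-POST binding delivers a SAMLResponse form field.
        string samlResponse = Request.Form["SAMLResponse"];
        if (string.IsNullOrEmpty(samlResponse)) return;
        foreach (string finding in Diagnostics.Inspect(samlResponse))
            System.Diagnostics.Trace.TraceWarning("SAMLResponse diagnostic: " + finding);
    }
}
```

Inspect returns a list of findings rather than throwing on the first problem, so one bad response reports every mismatch at once, which is what you want when telling a partner what to fix. Signature verification uses only the certificate embedded in KeyInfo and compares its thumbprint with the configured one; it deliberately does not build a chain, since ADFS does that itself according to the trust's own settings, and the hook only adds readable diagnostics in front of ADFS's own processing.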