I have an ASP.NET application (for example myhost.org/prod/app) which is behind a reverse proxy (for example proxy.org/app). There is a configured ADFS passive redirect to ADFS and then back to the reverse proxy. The problem is that proxy.org points to the myhost.org/prod site, and WIF out of the box generates a wctx ru parameter which is "/prod/app/". So if you go via proxy.org/app, it gets redirected to ADFS and then back to proxy.org/app; then WIF adds the ru parameter and I get redirected to proxy.org/prod/app/.
If I override the WSFederationAuthenticationModule.RedirectToIdentityProvider method so the ru parameter is "/app/", then I get this error message:
Server Error in '/prod/app' Application. ID3206: A SignInResponse message may only redirect within the current web application: '/app/' is not allowed.
I have a similar application which doesn't use a reverse proxy, and there it works flawlessly. My question here is how to force WIF to understand that the redirect happens within the same application? Or any other advice to make it work.
This is quite an old question, but if I remember correctly, we simplified the reverse proxy redirection to the host. Instead of going from proxy.org/app to myhost.org/prod/app, the redirection was made on the root path, so proxy.org started pointing to myhost.org. This resulted in correct redirection at the application level. Later on we figured out that there were multiple hops configured for proxy.org/app, which could have resulted in this unwanted behaviour.
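The redirect chain described in the question (ADFS posts the token back, WIF replies with Location: /prod/app/, the browser resolves that against proxy.org) can also be handled on the proxy side without touching WIF's wctx ru value, which then keeps passing the ID3206 "within the current web application" check. The configuration below is an added example, not from the question or the answer; it assumes the reverse proxy is nginx and that the IIS site is reachable at http://myhost.org/prod/app/. The host names and paths are the ones used in the question.

```nginx
# Added example (assumes nginx as the reverse proxy in front of myhost.org).
server {
    listen 443 ssl;
    server_name proxy.org;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    location /app/ {
        # Map proxy.org/app/... onto myhost.org/prod/app/...
        proxy_pass http://myhost.org/prod/app/;

        # Let the backend see the public scheme; WIF builds the default
        # wreply (where ADFS posts the token) from the request it receives.
        proxy_set_header X-Forwarded-Proto $scheme;

        # After the ADFS POST, WIF answers with "Location: /prod/app/" (the
        # wctx ru value). Rewrite that prefix so the browser lands on
        # proxy.org/app/ instead of the non-existent proxy.org/prod/app/.
        proxy_redirect /prod/app/ /app/;
        # Also catch absolute redirects the backend may emit.
        proxy_redirect http://myhost.org/prod/app/ /app/;
    }
}
```

With this in place the ru value can stay at WIF's default "/prod/app/", so no override of RedirectToIdentityProvider is needed. Two things still have to line up: the wreply that WIF sends to ADFS must be the public address (set the reply attribute of the wsFederation element in web.config to https://proxy.org/app/ rather than relying on the value WIF derives from the request), and that address must be registered as an endpoint on the relying party trust in ADFS, otherwise ADFS will refuse to post the token there. The root-path mapping the answer describes avoids the Location rewrite entirely, because the application path is then identical on both sides of the proxy.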