Adding a new WIF/ACS/ADFS role without reloading config

I have a Windows Azure application that is using Windows Identity Foundation (WIF) with the Access Control Service (ACS) as its Identity Provider.

ACS, in turn, is configured to use ADFS as its Identity Provider.

I've created a new custom claim in ADFS and am having trouble propogating it through to the app.开发者_运维技巧 Without reloading the FederationMetadata for the Identity Provider (which will drop all of the existing rules, so the warning tells me), does anyone know what I need to do?

I've added a new rule to ACS to pass through the custom claim.

I've added the new claim to the section in web.config to let WIF know that I'm interested in the new claim.

But so far, there's no sign of my new claim. Diagnosing the issue seems to be nigh-on impossible.

Any ideas would be gratefully received!

Logging is probably your best bet:

For ADFS:

How to Enable Debug Logging for Active Directory Federation Services 2.0 (AD FS 2.0)

Diagnostics in AD FS 2.0

For WIF:

WIF Tracing

Windows Identity Foundation Samples–Trace is Your Friend

Also, try restarting ADFS:

ADFS : Stop / start ADFS v2.0

Both ADFS and Azure have Powershell cmdlets to extract info:

Try running the RP and claims ones and see what info. is displayed.

Using Windows PowerShell for AD FS 2.0

Announcing: Sample ACS Cmdlets for the Windows Azure AppFabric Access Control Service

This is likely to be a misconfiguration in ADFS. Are you sure ADFS is issuing the new custom claim? Agree w/ @nzpcmad in enabling ADFS logging.

This is usually not needed:

I've added the new claim to the section in web.config to let WIF know that I'm interested in the new claim.