We have a SSO setup between SAP Netweaver and ADFS (acting as the STS).
So, some user will login on a custom application (ASP.Net) and this application will request a SAML assertion from ADFS to access the SAP system.
The thing is, according to SAP documentation the relying party identifier of the SAP system is not an URL (its just a name), and that way is specified en ADFS (eg: SAPSYSTEMRPID).
Now, how in earth i can get a token issued using WS-TRUST (which is what ADFS provides) when the AppliesTo field requires an Uri? Is there a default scheme, some convention?
I've been beating my head against the table for days now. I am obviously missing simething
Well, to close my own question after so much.
In the end the problem was ADFS naming of Relying Parties, once we switched the name to an URL (which took some convincing) it started working.
ADFS should be string in the name format for the RP identifier.