Configure Active Relying Party STS to Trust Multiple Identity Provider STSes

Posted by CodeChef on Stack Overflow
Published on 2010-04-30T20:31:36Z

I am struggling with the configuration for the scenario below.

  • I have a custom WCF/WIF STS (RP-STS) that provides security tokens to my WCF services
  • RP-STS is an "Active" STS
  • RP-STS acts as a claims transformation STS
  • RP-STS trusts tokens from many customer-specific identity provider STSes (IdP-STS)
  • When a WCF Client connects to a service it should authenticate with its local IdP-STS

The reading that I've done describes this as Home Realm Discovery. HRD is usually described within the context of web applications and Passive STSes. My question is, for my situation, does the logic for choosing an IdP-STS endpoint belong in the RP-STS or the WCF Client application?

I thought it belonged in the RP-STS, but I cannot figure out the configuration to make this happen. RP-STS has a single endpoint, but I cannot figure out how to add more than one trusted issuer per endpoint.

Any guidance on this would be very appreciated (I'm out of useful keywords to Google.) Also, if I'm way off please offer alternative approaches.

Thanks!
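The part of the question about "more than one trusted issuer per endpoint" is, in WIF, a property of the issuer name registry rather than of a service endpoint: the RP-STS accepts any incoming token whose signing certificate the registry maps to an issuer name, and the claims-transformation logic can then key off that name to know which customer realm the caller came from. The following is an added example, not code from the original post; it assumes the WIF 3.5 assemblies (`Microsoft.IdentityModel.dll`) and uses placeholder thumbprints that must be replaced with the real IdP-STS signing certificates. The class name `MultiIdpIssuerNameRegistry` and the realm names are invented for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;          // SecurityToken, X509SecurityToken, SecurityTokenException
using Microsoft.IdentityModel.Tokens;       // IssuerNameRegistry (WIF 3.5)

namespace Example.Sts
{
    // Hypothetical registry that lets one RP-STS trust several customer IdP-STSes.
    // WIF calls GetIssuerName for every incoming token; returning a name means
    // "trusted", throwing means "rejected". Trust is pinned to the signing
    // certificate's thumbprint, so rotating an IdP's certificate requires
    // updating this table (or the config it is loaded from).
    public class MultiIdpIssuerNameRegistry : IssuerNameRegistry
    {
        // thumbprint -> issuer (realm) name. PLACEHOLDER values; replace with the
        // SHA-1 thumbprints of each customer's IdP-STS signing certificate.
        private static readonly IDictionary<string, string> TrustedIssuers =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "THUMBPRINT-OF-CUSTOMER-A-IDP-PLACEHOLDER", "http://idp.customer-a.example/" },
                { "THUMBPRINT-OF-CUSTOMER-B-IDP-PLACEHOLDER", "http://idp.customer-b.example/" },
            };

        public override string GetIssuerName(SecurityToken securityToken)
        {
            // Only X.509-signed tokens are acceptable; anything else (symmetric key,
            // unsigned) is rejected so an attacker cannot bypass the thumbprint check.
            var x509Token = securityToken as X509SecurityToken;
            if (x509Token == null)
            {
                throw new SecurityTokenException(
                    "Token was not signed with an X.509 certificate; rejecting.");
            }

            string name;
            if (TrustedIssuers.TryGetValue(x509Token.Certificate.Thumbprint, out name))
            {
                // The returned name becomes the Issuer of every claim in the token,
                // which is what the claims-transformation step uses to tell which
                // customer realm the caller belongs to.
                return name;
            }

            // Unknown signer: fail closed. Logging the thumbprint (not the token)
            // gives operators a detection signal for mis-configured or rogue IdPs.
            throw new SecurityTokenException(
                "Untrusted issuer certificate with thumbprint " +
                x509Token.Certificate.Thumbprint);
        }
    }
}
```

The RP-STS then points WIF at this class in its configuration, in place of the default `ConfigurationBasedIssuerNameRegistry`, with `<issuerNameRegistry type="Example.Sts.MultiIdpIssuerNameRegistry, ExampleAssembly" />` under `<microsoft.identityModel><service>` (assembly name is a placeholder). The same effect can be had declaratively with `ConfigurationBasedIssuerNameRegistry` and several `<add thumbprint="..." name="..."/>` entries under `<trustedIssuers>`; the code form is shown here because it makes explicit that WIF trusts issuers per registry, not per endpoint, and that every unrecognized signer is rejected.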
