asp.net - WIF cross-domain on one IIS site, dynamically setting of realm
We have a lot of domains running on 1 IIS website/AppPool. Right now we are in the process of implementing SSO with Windows Identity Foundation.
In web.config the realm has to be set with
<wsFederation passiveRedirectEnabled="true" issuer="http://issuer.com" realm="http://realm.com" requireHttps="false" />
My problem is that the realm is dependent on which domain the user accessed the website on, so what I did was set it in a global action filter like this:
var module = context.HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.Realm = "http://" + siteInfo.DomainName;
My question is: when I set the realm like this, is it set per user instance or per application instance?
Scenario:
User A loads the page, and the realm is set to domain.a.com.
User B, logged in on domain.b.com, presses login.
Since user A loaded the page before user B pressed login, the user will hit the STS with the wrong realm set.
What will happen here?
If this is not the way to set the realm per user instance, is there another way to do it?
I have solved the problem.
I set passiveRedirectEnabled to false in web.config.
I set the MVC project to use forms authentication, even though I don't. I did that so I get redirected to my login controller with a return URL every time a controller with [Authorize] is run.
In my login controller I do:
var module = HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"] as WSFederationAuthenticationModule;
module.PassiveRedirectEnabled = true;
SignInRequestMessage mess = module.CreateSignInRequest("passive", returnUrl, false);
mess.Realm = "http://" + Request.Url.Host.ToLower();
HttpContext.Response.Redirect(mess.WriteQueryString());
This is not how it should be; to me it feels like Windows Identity Foundation is lagging behind, both in documentation and Microsoft technology-wise, with no examples for MVC.
For other MVC people, I recommend them not to use the FedUtil wizard, and instead write the code and configuration themselves.
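A hardened variant of the login action described in the answer above, as an added example that is not part of the original post: the realm is derived from the request host only after the host is checked against an allowlist, the return URL is restricted to local paths, and the realm is set on the per-request sign-in message rather than on the module. The controller name, the `KnownHosts` set and the WIF 3.5 namespaces (`Microsoft.IdentityModel.*`) are assumptions; on .NET 4.5 the same types live in `System.IdentityModel.Services`.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;

public class LoginController : Controller
{
    // Assumption: the hosts served by this site that are registered as
    // relying-party realms at the STS (names taken from the question's scenario).
    private static readonly HashSet<string> KnownHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "domain.a.com",
            "domain.b.com"
        };

    public ActionResult Index(string returnUrl)
    {
        // Request.Url.Host comes from the client-supplied Host header, so it is
        // matched against the allowlist before it is used to build the realm.
        string host = Request.Url.Host;
        if (!KnownHosts.Contains(host))
            return new HttpStatusCodeResult(400, "Unknown host");

        // Only accept return URLs that stay on this site.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
            returnUrl = "/";

        var module = HttpContext.ApplicationInstance.Modules["WSFederationAuthenticationModule"]
            as WSFederationAuthenticationModule;
        if (module == null)
            return new HttpStatusCodeResult(500, "WSFederationAuthenticationModule is not registered");

        // The message object belongs to this request only. No property of the
        // module is changed, so nothing carries over to later requests that
        // reuse the same pooled HttpApplication instance.
        SignInRequestMessage message = module.CreateSignInRequest("passive", returnUrl, false);
        message.Realm = "http://" + host.ToLowerInvariant();

        return Redirect(message.WriteQueryString());
    }
}
```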