WsFederation incorrectly redirecting sign-in to /

I'm trying to use WsFederation on an "SSO Site" to authorize across a family of apps on the same domain. In my test configuration, I have the following setup:

SSO Site

example.com/SSOSite

Wtrealm is https://example.com/SSOSite

Wreply is https://example.com/SSOSite/signin-wsfed

Sample App

example.com/SampleApp

Wtrealm is https://example.com/SSOSite

Wreply is https://example.com/SSOSite/signin-wsfed?appName=SampleApp

Expected Result

  1. An unauthenticated user navigates to example.com/SampleApp
  2. The user is redirected into the Microsoft SSO login flow for example.com/SSOSite
  3. Login process completes, sends user to example.com/SSOSite/signin-wsfed?appName=SampleApp
  4. SSO Site application handles redirect back to Sample App site

Actual Result

In step 3 above, /signin-wsfed responds with a 302 pointing at / - that is, the root of example.com.

If I go directly to example.com/SSOSite, it completes the login as expected and /signin-wsfed passes control along to my own login controller method. It's only when the request begins at /SampleApp that /signin-wsfed responds with the 302 to /.

My Question

Why does this 302 to / happen? Is there a way to accomplish what I'm aiming for - using one realm to handle all logins and then send the user back to their desired application when the login completes?
