I'll answer my own questions in case anyone else is trying to make ACS work with CorpNet, or another entity that requires a site-specific certificate. My problem was a configuration issue. I got it to work, like this:
1.) Create an ADFS identity provider, using the following URL for the WS-Federation metadata:
2.) Create a relying party application as follows:
a.) Realm: Your application URL (e.g.
b.) Token Format: SWT
c.) Identity Provider: The one you created in step #1.
d.) Token Signing Certificate: Create new 256-bit Symmetric Key (click the Generate button) with "Type: Symmetric Key" selected.
e.) Token Encryption Certificate: A .cer certificate file made by exporting your onboarded certificate without the private key (don't forget to include all chain certs in the export).
f.) Token Decryption Certificate: A .pfx certificate file made by exporting your onboarded certificate with the private key (don't forget to include all chain certs in the export).
g.) Rule Group: Use default or create a new one that utilizes your claims.
The problem that I had was that I thought I should set the token format to SAML 2.0 since that is what the CorpNet issuer uses. The SAML token was being returned but the toolkit app didn't know what to do with it. I didn't realize that the ACS relying party can be set to SWT and ACS will handle the conversion from SAML to SWT before returning it to your toolkit-based app. Once I had everything in place, the authentication went smoothly.
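What the relying party receives after step 2 is an SWT signed with the symmetric key generated in step d, so the app must verify that HMAC (plus issuer, audience and expiry) before trusting any claim. The following is an added illustration, not code from the original post or from the toolkit; the key, realm and ACS namespace are constructed placeholder values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed 256-bit symmetric key standing in for the one ACS generates
# for a relying party with Token Format SWT (example value, not a real key).
SIGNING_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
REALM = "https://example.test/app/"                        # assumed relying-party Realm
ACS_ISSUER = "https://contoso.accesscontrol.windows.net/"  # assumed ACS namespace


def issue_swt(claims, key_b64, issuer, audience, expires_on):
    """Build an SWT the way ACS does: form-encoded claims, then HMACSHA256 over the rest."""
    body = dict(claims)
    body["Issuer"] = issuer
    body["Audience"] = audience
    body["ExpiresOn"] = str(expires_on)          # seconds since the Unix epoch
    unsigned = urlencode(body)
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, unsigned.encode(), hashlib.sha256).digest()
    return unsigned + "&HMACSHA256=" + quote(base64.b64encode(mac).decode(), safe="")


def validate_swt(token, key_b64, expected_issuer, expected_audience, now=None):
    """Return the claims dict if signature, issuer, audience and expiry check out, else None."""
    marker = "&HMACSHA256="
    idx = token.rfind(marker)                    # signature must be the last parameter
    if idx < 0:
        return None
    unsigned, sig = token[:idx], token[idx + len(marker):]
    key = base64.b64decode(key_b64)
    expected = hmac.new(key, unsigned.encode(), hashlib.sha256).digest()
    try:
        given = base64.b64decode(unquote(sig), validate=True)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != expected_issuer or claims.get("Audience") != expected_audience:
        return None
    now = time.time() if now is None else now
    if not claims.get("ExpiresOn", "").isdigit() or int(claims["ExpiresOn"]) <= now:
        return None
    return claims
```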