> So unless I am mistaken, I guess I need to yell at them both about their > invalid ACS binding and about their request for a delegated token? Yes, nothing I can do about the latter. That's literally how you get a delegated token. We will be removing that code, but I should make sure we have something in place handling Audience at that point. -- Scott