AD FS publishes two different issuer values in the public https://<domain>/adfs/.well-known/openid-configuration : One is called 'issuer' the other is 'accesstokenissuer' - the accesstokenissuer is optional in the standard. The value that is issued in the access token iss claim is always the 'accesstokenissuer' some clients (.Net ones) validate the access token against the 'accesstokenissuer' others (using open source libraries) will only validate against the 'issuer'
It would be great if I could select per relying party which value is returned in the access token iss claim.