When I was developing a claims-aware WCF application like yours, I ran across this link, which helped me understand how it works. The only thing that is not quite similar to your needs is that it is not ADFS 3.0.
And I don't think you can use both ADFS for internal users and SQL for external users ("like membership") at the same time/together. All I know is that you can trust another company's ADFS as another identity provider.
If you are referring to How to Build Claims Aware WCF, here are some available links.
Nonetheless, the link is still active and supports .NET 4.5 & 4.6, where WIF is already part of the framework, unlike before, when you needed to install WIF.
Below is a fragment of my WCF service configuration:
Bindings
<bindings>
  <ws2007FederationHttpBinding>
    <binding name="ws2007FederationHttpBinding">
      <security mode="TransportWithMessageCredential">
        <message establishSecurityContext="false" negotiateServiceCredential="false">
          <issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex"/>
          <issuer address="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed"/>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
Identity Configuration
<system.identityModel>
  <identityConfiguration name="serviceidentity">
    <audienceUris mode="Never">
      <add value="https://localhost/FedSecurity/"/>
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://<adfs server>:9643/adfs/services/trust">
        <keys>
          <add thumbprint="8D6BF173ERERERFDFE9CE9CD0FB57FB57A5D68403EA88" name="http://<adfs server>:9643/adfs/services/trust" />
        </keys>
        <validIssuers>
          <add name="http://<adfs server>:9643/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
    <!-- certificateValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes. -->
    <certificateValidation certificateValidationMode="None" />
  </identityConfiguration>
</system.identityModel>
Configuration fragment of my WCF client
<system.serviceModel>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="ws2007FederationHttpBinding">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false">
            <issuer address="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed"
                    binding="ws2007HttpBinding" bindingConfiguration="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed" />
            <issuerMetadata address="https://<adfs server>:9643/adfs/services/trust/mex" />
            <tokenRequestParameters>
              <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
              </trust:SecondaryParameters>
            </tokenRequestParameters>
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
    <ws2007HttpBinding>
      <binding name="https://<adfs server>:9643/adfs/services/trust/13/usernamemixed">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None" />
          <message clientCredentialType="UserName" establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <client>
    <endpoint address="https://localhost/FedSecurity/CloudService.svc"
              binding="ws2007FederationHttpBinding" bindingConfiguration="ws2007FederationHttpBinding"
              contract="CloudBeta.ICloudSevice" name="ws2007FederationHttpBinding" />
  </client>
</system.serviceModel>
Additional info:
- I used ADFS 2.0 with UserName authentication, with the credentials added in our Active Directory
- Adding the relying party was not discussed here but is needed.
- A certificate for token encryption/decryption is also required (part of ADFS)
- Adding claims in ADFS
I hope this information would help you!
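A production-oriented counterpart to the service-side identityConfiguration in the answer above, added here as an example and not part of the answer itself: audience checking is left at its default (enforced), the ADFS token-signing certificate is pinned by thumbprint, the development-only certificateValidationMode="None" is replaced with chain validation plus online revocation checking, and token replay detection is switched on (relevant because the binding sets establishSecurityContext="false", so every call carries a fresh token). The hostname and thumbprint are placeholders.

```xml
<system.identityModel>
  <identityConfiguration name="serviceidentity">
    <!-- No mode="Never": the default ("Always") rejects tokens issued for a different relying party -->
    <audienceUris>
      <add value="https://localhost/FedSecurity/" />
    </audienceUris>

    <!-- Same registry type as in the answer; only tokens signed by the pinned thumbprint are accepted.
         THUMBPRINT-PLACEHOLDER: replace with the SHA-1 thumbprint of the ADFS token-signing certificate. -->
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://<adfs server>:9643/adfs/services/trust">
        <keys>
          <add thumbprint="THUMBPRINT-PLACEHOLDER" name="http://<adfs server>:9643/adfs/services/trust" />
        </keys>
        <validIssuers>
          <add name="http://<adfs server>:9643/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>

    <!-- Replaces certificateValidationMode="None": build the chain to a trusted root in the
         LocalMachine store and check revocation online, so a revoked signing cert is refused -->
    <certificateValidation certificateValidationMode="ChainTrust"
                           revocationMode="Online"
                           trustedStoreLocation="LocalMachine" />

    <!-- Caches seen token identifiers so a captured token cannot be presented twice -->
    <tokenReplayDetection enabled="true" />
  </identityConfiguration>
</system.identityModel>
```

Chain validation only helps if the root that issued the ADFS signing certificate is actually in the LocalMachine trusted root store on the service host; a self-signed ADFS signing certificate will fail this check unless it is explicitly installed there.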