This is not a bad design, this is your requirement, and you are trying to fulfill it. We have a working system built this way, and this is not rocket science. The only difference is that we switch between forms / SAM statically (using global settings), not dynamically.
In any case, you keep forms authentication in your web.config so that when the current user is not authorized, forms authentication redirects the request to the login page.
On the login page, you have two options. One of them creates the forms cookie. The other involves the WIF FederatedPassiveSignIn control.
If the user follows forms authentication, the cookie is set and everything is ready. If the user follows the STS control, sooner or later he will come back with a valid SAML token. FederatedPassiveSignIn will automatically pick it up and you simply handle the redirect in the SignedIn event.
You don't even need the if you mentioned in your question.
There is one caveat, as far as I remember. When a user authenticates with the STS, a WS-Federation cookie is created, you can read claims, etc. Everything works.
However, if the user is authenticated by forms, the SAM (SessionAuthenticationModule) will OVERWRITE the forms cookie with the WS-Federation cookie in the ASP.NET pipeline on EACH request (I assume because the SAM is later in the pipeline than the forms authentication module).
This DOESN'T BREAK your context.User.Identity.IsInRole(...), and authorization also works correctly, because the SAM copies user roles to the corresponding claims.
However, if anywhere in your code you try to extract information directly from the forms cookie (instead of using the common APIs), you may find that the cookie is not present even if the user was authenticated by forms in the first place (there is no cookie because it has been replaced by the WS-Federation cookie).
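The dual login page described in this answer, as an added example that is not code from the original post or from WIF itself. It assumes a Login.aspx code-behind with a username/password form (UserName, Password, LoginButton, ErrorLabel) and a FederatedPassiveSignIn control named StsSignIn, plus a hypothetical ValidateLocalUser check against your own user store.

```csharp
using System;
using System.Web;
using System.Web.Security;
using Microsoft.IdentityModel.Web.Controls;   // WIF 3.5: FederatedPassiveSignIn

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Path 2: the user came back from the STS with a SAML token. The control
        // validates it and the SAM writes the WS-Federation session cookie; the
        // only thing left for us is the redirect, done in the SignedIn event.
        StsSignIn.SignedIn += new EventHandler(StsSignIn_SignedIn);
    }

    // Path 1: classic forms authentication against a local user store.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!ValidateLocalUser(UserName.Text, Password.Text))
        {
            ErrorLabel.Text = "Invalid credentials.";
            return;
        }
        // Issues the forms cookie and redirects to ReturnUrl (or DefaultUrl).
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }

    private void StsSignIn_SignedIn(object sender, EventArgs e)
    {
        // Reuse the same ReturnUrl handling that forms authentication set up
        // when it bounced the unauthorized request to this page.
        string target = FormsAuthentication.GetRedirectUrl(String.Empty, false);
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // The caveat from the answer: once the SAM has run, the forms cookie may be
    // gone, so decide on the principal, never on the presence of the cookie.
    public static bool UserIsAuthenticated(HttpContext ctx)
    {
        // Wrong: Request.Cookies[FormsAuthentication.FormsCookieName] != null
        return ctx.User != null && ctx.User.Identity.IsAuthenticated;
    }

    // Hypothetical placeholder: plug in your membership provider or user table.
    private static bool ValidateLocalUser(string userName, string password)
    {
        return Membership.ValidateUser(userName, password);
    }
}
```

The SAM copies roles into claims, so Context.User.IsInRole(...) keeps working for both paths; only code that reads the forms cookie by hand breaks.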