I have created the setup that I believe you are trying to achieve. So I have Portal1 and Portal2. Both portals are set to authenticate users agains idsrv2 (thinktecture identityserver) and are set to use HRD. Idsrv2 is set to delegate authentication of users through HRD to idsrv (thinktecture identityserver).
The configuration of Portal1 web.config (only the important part) is
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://localhost/Portal1/" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://idsrv2">
<keys>
<add thumbprint="BCD339ECD62BC50DEDA3B54D2236D12AE1217687" />
</keys>
<validIssuers>
<add name="http://idsrv2" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost/idsrv2/issue/hrd" realm="https://localhost/Portal1/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
And configuration of Portal2 (also important parts only) is:
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://localhost/Portal2/" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="http://idsrv2">
<keys>
<add thumbprint="BCD339ECD62BC50DEDA3B54D2236D12AE1217687" />
</keys>
<validIssuers>
<add name="http://idsrv2" />
</validIssuers>
</authority>
</issuerNameRegistry>
<!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
<certificateValidation certificateValidationMode="None" />
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<cookieHandler requireSsl="false" />
<wsFederation passiveRedirectEnabled="true" issuer="https://localhost/idsrv2/issue/hrd" realm="https://localhost/Portal2/" requireHttps="false" />
</federationConfiguration>
</system.identityModel.services>
Now, configuration of idsrv (the parts I believe are important):
And finally the configuration of idsrv2:
And last the network flow when authenticating on Portal1