WS-Federation application registration

FoxIDs WS-Federation application registration enables you to connect a WS-Federation based web application.

Your application becomes a WS-Federation relying party, and FoxIDs acts as the Security Token Service (STS). FoxIDs receives passive sign-in requests from the application and returns a SAML token in a WS-Federation sign-in response.

WS-Federation application registrations are typically used for Microsoft Entra ID domain federation as an AD FS replacement, AD FS relying party trusts, SharePoint, Dynamics, older ASP.NET WS-Federation middleware, and generic WS-Federation applications.

FoxIDs supports Federation Metadata, passive sign-in, sign-out, and sign-out cleanup notifications. A session is established when the user authenticates and is invalidated during logout.

How-to guides:

Configuration

How to configure your application as a WS-Federation relying party.

Metadata endpoints

  • STS metadata: https://foxids.com/tenant-x/environment-y/application-wsfed1(*)/wsfed/stsmetadata (replace tenant-x, environment-y, and application-wsfed1 with your values).

An application registration can support login through multiple authentication methods by adding the authentication method name to the URL.

For example, https://foxids.com/tenant-x/environment-y/application-wsfed1(login)/wsfed/stsmetadata targets the login method. You can also use the default * notation to enable login with all authentication methods.

The screenshot below shows a FoxIDs WS-Federation application registration in the FoxIDs Control Client. The registration can be created manually, from a metadata URL, or by importing a metadata file. Issued claims are limited to the configured set of claims; use the * notation to issue all claims.

More configuration options become available by clicking Show advanced.

Reply URLs and realm

The application sends its realm in the wtrealm parameter. FoxIDs validates the realm against the configured application realm.

The reply URL is where FoxIDs sends the WS-Federation sign-in response. One or more reply URLs can be configured. If metadata contains more than one passive requestor endpoint, make sure only the real application reply endpoints are configured as reply URLs.
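As an added example (not FoxIDs code; the STS endpoint, realm and reply URLs are constructed placeholders), the following Python shows both halves of the passive sign-in exchange described above: the relying party builds a wsignin1.0 redirect carrying wtrealm, wreply and wctx, and the STS side checks the realm exactly and accepts wreply only when it matches a registered reply URL on scheme, host, port and path. An unregistered or non-https wreply is refused rather than redirected to, and a request without wreply is answered at the first registered reply URL.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed application registration (placeholder realm and reply URLs).
REGISTRATION = {
    "realm": "urn:example:wsfed1",
    "reply_urls": [
        "https://app.example.test/signin-wsfed",
        "https://app.example.test/alt/signin-wsfed",
    ],
}


def build_signin_request(sts_url, realm, reply_url=None, ctx=None):
    """Relying-party side: build the passive sign-in redirect URL (wa=wsignin1.0)."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if reply_url:
        params["wreply"] = reply_url
    if ctx:
        params["wctx"] = ctx
    return sts_url + "?" + urlencode(params)


def normalize_reply_url(url):
    """Canonical form for reply URL comparison: https only, lower-case host,
    explicit port, path without query or fragment. Returns None for unusable URLs."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return (parts.hostname.lower(), port or 443, parts.path or "/")


def validate_signin_request(request_url, registration):
    """STS side: check wa, wtrealm and wreply of an incoming request against the
    registration. Returns (accepted, reply_url_or_reason, wctx)."""
    query = urlsplit(request_url).query
    params = {k: v[0] for k, v in parse_qs(query).items()}
    ctx = params.get("wctx")
    if params.get("wa") != "wsignin1.0":
        return False, "unsupported wa", ctx
    if params.get("wtrealm") != registration["realm"]:
        return False, "wtrealm does not match the registered realm", ctx
    wreply = params.get("wreply")
    if wreply is None:
        # No wreply: respond to the first registered reply URL.
        return True, registration["reply_urls"][0], ctx
    allowed = {normalize_reply_url(u) for u in registration["reply_urls"]}
    if normalize_reply_url(wreply) not in allowed:
        return False, "wreply is not a registered reply URL", ctx
    return True, wreply, ctx


if __name__ == "__main__":
    # Placeholder STS endpoint; the real FoxIDs sign-in URL follows the tenant/environment/application pattern.
    req = build_signin_request("https://sts.example.test/wsfed", REGISTRATION["realm"],
                               "https://app.example.test/signin-wsfed", "state-1")
    print(req)
    print(validate_signin_request(req, REGISTRATION))
```

The comparison deliberately ignores query string and fragment, so a registered reply URL cannot be bypassed by appending parameters, while host case and an explicit :443 are treated as equivalent.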

Sign-out

The application can send a WS-Federation sign-out request to FoxIDs. FoxIDs can also send sign-out cleanup notifications to the application if a sign-out URL is configured.

When importing metadata, FoxIDs uses fed:SingleSignOutNotificationEndpoint as the sign-out URL if present. Otherwise FoxIDs can use the first fed:PassiveRequestorEndpoint as the sign-out URL for AD FS compatibility.
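To make the import rules concrete, here is an added Python example (not FoxIDs code) that parses a constructed relying-party federation metadata document with placeholder URLs. It collects the fed:PassiveRequestorEndpoint addresses as candidate reply URLs, takes fed:SingleSignOutNotificationEndpoint as the sign-out URL when present and otherwise falls back to the first passive endpoint, and provides a trim step for the case above where metadata lists more endpoints than the application really uses.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def sample_metadata(with_signout_endpoint):
    """Constructed relying-party metadata (placeholder entityID and URLs);
    optionally includes fed:SingleSignOutNotificationEndpoint."""
    signout = ""
    if with_signout_endpoint:
        signout = """
    <fed:SingleSignOutNotificationEndpoint>
      <wsa:EndpointReference><wsa:Address>https://app.example.test/signout-wsfed</wsa:Address></wsa:EndpointReference>
    </fed:SingleSignOutNotificationEndpoint>"""
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="urn:example:wsfed1">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">{signout}
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference><wsa:Address>https://app.example.test/signin-wsfed</wsa:Address></wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference><wsa:Address>https://app.example.test/legacy/signin-wsfed</wsa:Address></wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def _addresses(parent, path):
    return [a.text.strip() for a in parent.findall(path, NS) if a.text]


def import_rp_metadata(xml_text):
    """Derive realm, reply URLs and sign-out URL from WS-Federation RP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    roles = [r for r in root.findall("md:RoleDescriptor", NS)
             if r.get(XSI_TYPE, "").endswith("ApplicationServiceType")]
    if not roles:
        raise ValueError("no fed:ApplicationServiceType role in metadata")
    role = roles[0]
    reply_urls = _addresses(role, "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address")
    if not reply_urls:
        raise ValueError("metadata has no fed:PassiveRequestorEndpoint")
    signout = _addresses(role, "fed:SingleSignOutNotificationEndpoint/wsa:EndpointReference/wsa:Address")
    # Prefer the dedicated sign-out endpoint; otherwise use the first passive endpoint (AD FS style).
    signout_url = signout[0] if signout else reply_urls[0]
    return {"realm": entity_id, "reply_urls": reply_urls, "signout_url": signout_url}


def trim_reply_urls(registration, keep):
    """Keep only the endpoints the application really uses; refuse URLs that were
    not in the imported metadata so nothing unexpected is added by hand."""
    unknown = [u for u in keep if u not in registration["reply_urls"]]
    if unknown:
        raise ValueError(f"not in metadata: {unknown}")
    return {**registration, "reply_urls": list(keep)}


if __name__ == "__main__":
    reg = import_rp_metadata(sample_metadata(with_signout_endpoint=False))
    print(trim_reply_urls(reg, ["https://app.example.test/signin-wsfed"]))
```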

Token type

FoxIDs can issue:

  • SAML 1.1
  • SAML 2.0

SAML 1.1 is the default token type because it is widely used by WS-Federation applications and AD FS. SAML 1.x metadata token type aliases are treated as SAML 1.1.

Token signing and encryption

FoxIDs signs WS-Federation tokens. The signing certificate is the environment certificate.

The application registration can be configured with one or more encryption certificates. If encryption is configured, FoxIDs encrypts the assertion before returning it in the WS-Federation response.

Claims

FoxIDs issues default claims and claims added in the Issue claims list. All claims are issued if you add * to the Issue claims list.

WS-Federation tokens contain SAML claims. FoxIDs converts JWT claims to SAML claims when issuing the token to the application.

You can change the SAML claim collection with claim transforms and implement claim tasks. If you create a new claim, add the claim or * to the Issue claims list to issue the claim to your application.
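The claim pipeline in this section, as an added Python example that is not FoxIDs code: internal JWT-style claims are converted to SAML claim types, a transform adds a new claim, and the Issue claims list (with * as the wildcard) decides what reaches the application. The JWT-to-SAML claim type mapping and the assumption that the Issue claims list holds SAML claim types are illustrative choices for this example; the page does not specify FoxIDs' own mapping.

```python
# Assumed mapping from JWT claim names to standard SAML claim types (illustrative only).
JWT_TO_SAML = {
    "sub": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "role": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
# Assumed default claims that are issued without being listed (nameidentifier and name).
DEFAULT_CLAIMS = {JWT_TO_SAML["sub"], JWT_TO_SAML["name"]}


def jwt_to_saml_claims(jwt_claims):
    """Convert a dict of JWT claims into a list of (saml_claim_type, value) pairs;
    multi-valued claims become one pair per value, unmapped names are kept as-is."""
    out = []
    for name, value in jwt_claims.items():
        values = value if isinstance(value, list) else [value]
        claim_type = JWT_TO_SAML.get(name, name)
        out.extend((claim_type, str(v)) for v in values)
    return out


def email_domain_transform(saml_claims):
    """Example claim transform: derive a constructed 'emaildomain' claim from emailaddress."""
    email_type = JWT_TO_SAML["email"]
    added = [("http://example.test/claims/emaildomain", v.split("@", 1)[1])
             for t, v in saml_claims if t == email_type and "@" in v]
    return saml_claims + added


def filter_issued_claims(saml_claims, issue_claims, default_claims=DEFAULT_CLAIMS):
    """Apply the Issue claims list: '*' issues everything, otherwise only defaults
    plus explicitly listed claim types are returned."""
    if "*" in issue_claims:
        return list(saml_claims)
    allowed = set(default_claims) | set(issue_claims)
    return [(t, v) for t, v in saml_claims if t in allowed]


def issue_token_claims(jwt_claims, issue_claims):
    """Full pipeline: convert, transform, then filter."""
    claims = email_domain_transform(jwt_to_saml_claims(jwt_claims))
    return filter_issued_claims(claims, issue_claims)


if __name__ == "__main__":
    # Constructed sample user.
    user = {"sub": "u-123", "name": "Ada", "email": "ada@example.test", "role": ["admin", "reader"]}
    for claim in issue_token_claims(user, [JWT_TO_SAML["email"], "http://example.test/claims/emaildomain"]):
        print(claim)
```

The transform's output only reaches the application once its claim type is listed, which is the behaviour the paragraph above describes for newly created claims.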
