WS-Federation authentication method

The FoxIDs WS-Federation authentication method trusts an external WS-Federation Security Token Service (STS) / Identity Provider (IdP).

WS-Federation is commonly used with AD FS, Microsoft Entra ID legacy WS-Federation applications, SharePoint, Dynamics, and older ASP.NET applications.

FoxIDs acts as a WS-Federation relying party and sends passive sign-in requests to the external STS. The external STS returns a SAML token in the WS-Federation response. FoxIDs validates the response, validates the token signature, converts SAML claims to JWT claims internally, and continues the sign-in flow to the application registration.

It is possible to configure multiple WS-Federation authentication methods which can then be selected by OpenID Connect application registrations, SAML 2.0 application registrations, and WS-Federation application registrations.

FoxIDs supports WS-Federation sign-out and sign-out cleanup notifications (wsignout1.0 and wsignoutcleanup1.0) when sign-out is configured.

Configuration

How to configure an external WS-Federation Security Token Service (STS) / Identity Provider (IdP).

If the external STS is configured in tenant tenant-x and environment environment-y with the authentication method name some_external_sts, the FoxIDs WS-Federation authentication method metadata endpoint is https://foxids.com/tenant-x/environment-y/(some_external_sts)/wsfed/applicationmetadata.

The authentication method can be configured in three ways:

  • Read the external STS Federation Metadata from a metadata URL and keep the configuration automatically updated.
  • Import a Federation Metadata XML file once and edit the imported values afterwards.
  • Configure the issuer, passive sign-in URL, sign-out URL, token type, and signature validation certificates manually.

More configuration options become available by clicking Show advanced.

Metadata

FoxIDs can read Federation Metadata from the external STS. If automatic metadata updates are enabled, FoxIDs periodically reads the metadata and updates endpoints, token type, and signature validation certificates.

If the metadata endpoint becomes unavailable for a period of time, FoxIDs stops the automated update process. It can be restarted by updating the authentication method in FoxIDs Control Client or API.

The FoxIDs generated Federation Metadata describes FoxIDs as a WS-Federation application service and includes the reply URL, sign-out URL, token type, and encryption certificate where relevant.

Token type

The authentication method can accept:

  • SAML 1.1
  • SAML 2.0

SAML 1.1 is the default token type. SAML 1.x metadata token type aliases are treated as SAML 1.1. If metadata contains a token type, FoxIDs can read it during metadata import. If the received token type differs from the configured token type, FoxIDs logs the difference.

Claims

The authentication method only forwards default claims and claims added in the Forward claims list to the application registrations. All claims are forwarded if you add * to the Forward claims list.

WS-Federation tokens contain SAML claims. FoxIDs converts those claims to JWT claims internally before continuing the flow.

You can change the claims with claim transforms and implement claim tasks.

Additional parameters

The authentication method can send additional custom parameters in the WS-Federation sign-in request. Additional parameters can be configured on the authentication method and on profiles. Profile values override authentication method values with the same name.
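The following is an added example, not FoxIDs code, that walks through the flow described on this page: a wsignin1.0 request whose profile parameters override authentication method parameters of the same name, detection of the token type in the returned RequestSecurityTokenResponse with a logged mismatch against the configured type, and filtering of SAML 1.1 claims by a Forward claims list before converting them to JWT claim names. The STS and relying party URLs, the sample response, the default claims tuple and the SAML-to-JWT name table are constructed assumptions; XML signature validation, which FoxIDs performs before trusting the token, is omitted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 assertions use the 1.0 namespace
TOKEN_TYPES = {SAML11: "SAML 1.1", "urn:oasis:names:tc:SAML:2.0:assertion": "SAML 2.0"}
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
# Illustrative SAML claim type -> JWT claim name table (an assumption, not the FoxIDs table).
JWT_NAMES = {f"{CLAIMS_NS}/nameidentifier": "sub", f"{CLAIMS_NS}/emailaddress": "email"}

def build_signin_url(passive_url, realm, reply, method_params, profile_params, wctx="ctx-1"):
    """wsignin1.0 request; a profile parameter overrides a method parameter of the same name."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply, "wctx": wctx}
    params.update(method_params)
    params.update(profile_params)  # applied last, so the profile value wins
    return f"{passive_url}?{urlencode(params)}"

def process_wresult(wresult, configured_type, forward_list,
                    default_claims=(f"{CLAIMS_NS}/nameidentifier",)):  # assumed default claims
    """Locate the assertion in the RSTR, log a token-type mismatch, then filter and convert claims.
    Signature validation, which FoxIDs performs before trusting the token, is out of scope here."""
    log, saml_claims = [], {}
    assertion = next(el for el in ET.fromstring(wresult).iter() if el.tag.endswith("}Assertion"))
    received = TOKEN_TYPES.get(assertion.tag[1:].partition("}")[0], "unknown")
    if received != configured_type:
        log.append(f"token type mismatch: configured {configured_type}, received {received}")
    if received == "SAML 1.1":  # claim type = AttributeNamespace + "/" + AttributeName
        for a in assertion.iter(f"{{{SAML11}}}Attribute"):
            claim_type = f'{a.get("AttributeNamespace")}/{a.get("AttributeName")}'
            saml_claims[claim_type] = [v.text for v in a.iter(f"{{{SAML11}}}AttributeValue")]
    if "*" not in forward_list:  # only default claims and listed claims are forwarded
        keep = set(default_claims) | set(forward_list)
        saml_claims = {k: v for k, v in saml_claims.items() if k in keep}
    jwt_claims = {JWT_NAMES.get(k, k): v for k, v in saml_claims.items()}
    return jwt_claims, received, log

# Constructed sample RSTR, as an STS would return it in the wresult form field (unsigned here).
SAMPLE_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken><saml:Assertion xmlns:saml="{SAML11}" AssertionID="_a1" Issuer="https://sts.example.test/adfs/services/trust">
  <saml:AttributeStatement>
   <saml:Attribute AttributeName="nameidentifier" AttributeNamespace="{CLAIMS_NS}"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute AttributeName="emailaddress" AttributeNamespace="{CLAIMS_NS}"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion></t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    print(build_signin_url("https://sts.example.test/adfs/ls/", "https://rp.example.test/",
                           "https://rp.example.test/wsfed/reply", {"wfresh": "0", "whr": "https://home.example.test"}, {"wfresh": "10"}))
    print(process_wresult(SAMPLE_WRESULT, "SAML 2.0", [f"{CLAIMS_NS}/emailaddress"]))
```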
