...
In order to authenticate with a security token service, CRM expects federation metadata that contains specific details about the service. It requires the certificate that the STS uses to sign the responses as well as the passive STS endpoint for the WSO2 server, in addition to the claims expected. A sample file can be found inside <IS_HOME>/repository/deployment/server/webapps/mex directory. This file needs to be hosted somewhere accessible to the CRM server. For the purposes of testing this scenario, you can add it to the wwwroot folder for easy access.
Once the metadata XML is in place, and assuming all the certificates have been placed correctly on the servers if they differ between the Identity Server and CRM, claims based authentication can be enabled from the CRM deployment wizard. The federation metadata URL should point to the file that was created above.
...