This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring WS-Federation

WS-Federation (Web Services Federation) describes the management and brokering of trust relationships and security token exchange across Web services and organizational boundaries. WS-Federation is a part of the larger WS-Security framework. For example, WS-Federation builds on the Security Token Service (STS) by providing mechanisms that facilitate interactions. In the WS-Federation model, an Identity Provider is a Security Token Service (STS). Service Providers depend on an Identity Provider or Security Token Service to do the user authentication. OAuth is an important protocol for IdP services, as most major Web services are also identity providers, mainly through the use of OAuth. These Web services include Google, Facebook, Yahoo, AOL, Microsoft, PayPal, MySpace, and Flickr, among many others. Furthermore, all major email providers offer OAuth IdP services.

In most instances it is necessary to secure the Security Token Service. According to the Trust Brokering model defined in the WS-Trust specification, the subject (user) should authenticate to the STS before obtaining a token. The STS may use this authentication information when constructing the security token. For example, the STS may populate the required claims based on the user name provided by the subject.

To navigate to the federated authenticators configuration section, do the following.

  1. Sign in. Enter your username and password to log on to the Management Console.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
    For more information, see Adding and Configuring an Identity Provider.
  3. Fill in the details in the Basic Information section.
  4. Expand the WS-Federation (Passive) Configuration form.
  5. Fill in the following fields where relevant.

    Each field is listed with its description and a sample value.

    Enable Passive STS
      Description: Selecting this option enables Passive STS to be used as an authenticator for users provisioned to the Identity Server.
      Sample value: Selected

    Default
      Description: Selecting the Default checkbox signifies that Passive STS is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.
      Sample value: Selected

    Passive STS Realm
      Description: This is used as an identifier for the realm and can be any value.
      Sample value: WSFederationHealthCare

    Passive STS URL
      Description: When sending the authentication request, there is a request for a security token generated by WS-Trust. As long as the federated IdP is the WSO2 Identity Server, this URL must follow this format: https://(host-name):(port)/acs
      Sample value: https://localhost:9443/passivests/

    Passive STS User ID Location
      Description: Select whether the User ID is found in 'Name Identifier' as part of the authentication request or if it is found among the claims. This specifies how the user is identified.
      Sample value: User ID found in 'Name Identifier'

    Additional Query Parameters
      Description: This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application, so these can be specified here.
      Sample value: paramName1=value1
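The following Python example is added here to show what the fields above amount to on the wire; it is not WSO2 code and does not reflect how the Identity Server implements this internally. It builds the passive sign-in redirect from the configured realm, Passive STS URL and additional query parameters (the wa, wtrealm, wreply and wctx parameter names are the ones defined by the WS-Federation specification), and then reads the user ID out of a returned token according to the "User ID Location" setting, either from the Name Identifier or from a named claim. The wresult document, the realm, the reply URL and the claim URI http://wso2.org/claims/emailaddress used below are constructed sample values; the token is parsed but not signature-verified, which a real consumer must do before trusting any of it.

```python
"""WS-Federation passive sign-in request and user-ID extraction (added example)."""
from urllib.parse import urlencode, urlsplit, parse_qsl
import xml.etree.ElementTree as ET  # for XML from untrusted peers prefer defusedxml

# Both SAML token flavours seen behind WS-Federation; lookups below try each.
SAML_NS = {
    "1.1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "2.0": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def parse_additional_query_params(raw):
    """Turn the 'Additional Query Parameters' value (e.g. 'paramName1=value1&x=y') into a dict."""
    return dict(parse_qsl(raw or "", keep_blank_values=True))


def build_signin_url(passive_sts_url, realm, reply_url, context=None, extra_params=None):
    """Compose the redirect that sends the browser to the federated Passive STS.

    wa=wsignin1.0 asks for a sign-in, wtrealm carries the configured realm,
    wreply is where the STS posts the token back, and wctx is opaque state
    echoed in the response (use it to bind the response to the outstanding request).
    """
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply_url}
    if context:
        params["wctx"] = context
    if extra_params:
        params.update(extra_params)
    separator = "&" if urlsplit(passive_sts_url).query else "?"
    return passive_sts_url + separator + urlencode(params)


def _find_assertion(root):
    """Locate the SAML assertion inside a wresult (RequestSecurityTokenResponse) document."""
    for version, ns in SAML_NS.items():
        tag = "{%s}Assertion" % ns
        if root.tag == tag:
            return version, ns, root
        node = root.find(".//" + tag)
        if node is not None:
            return version, ns, node
    raise ValueError("wresult contains no SAML assertion")


def extract_user_id(wresult_xml, user_id_location, claim_uri=None):
    """Return the user ID per the 'User ID Location' setting.

    user_id_location is "name_identifier" (the token's subject) or "claim"
    (an attribute whose URI equals claim_uri). Signature verification of the
    token is deliberately out of scope for this example.
    """
    version, ns, assertion = _find_assertion(ET.fromstring(wresult_xml))
    if user_id_location == "name_identifier":
        tag = "NameIdentifier" if version == "1.1" else "NameID"
        node = assertion.find(".//{%s}%s" % (ns, tag))
        if node is None or not (node.text or "").strip():
            raise ValueError("token carries no subject name identifier")
        return node.text.strip()
    if user_id_location == "claim":
        if not claim_uri:
            raise ValueError("claim URI is required when the user ID comes from a claim")
        for attr in assertion.iter("{%s}Attribute" % ns):
            if version == "1.1":  # SAML 1.1 splits the URI into namespace + name
                key = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
            else:
                key = attr.get("Name", "")
            if key == claim_uri:
                value = attr.find("{%s}AttributeValue" % ns)
                if value is not None and (value.text or "").strip():
                    return value.text.strip()
        raise ValueError("claim %s not present in token" % claim_uri)
    raise ValueError("unknown user_id_location: %r" % user_id_location)


# Constructed sample response: a SAML 1.1 assertion wrapped in a WS-Trust RSTR.
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed-1">
      <saml:AttributeStatement>
        <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
        <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://wso2.org/claims">
          <saml:AttributeValue>alice@example.com</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


if __name__ == "__main__":
    extra = parse_additional_query_params("paramName1=value1")
    print(build_signin_url("https://localhost:9443/passivests/", "WSFederationHealthCare",
                           "https://sp.example.com/acs", context="req-1", extra_params=extra))
    print(extract_user_id(SAMPLE_WRESULT, "name_identifier"))
    print(extract_user_id(SAMPLE_WRESULT, "claim", "http://wso2.org/claims/emailaddress"))
```

Running the script prints the sign-in redirect carrying the configured realm and the extra parameter, then the user ID resolved both ways from the sample token. When the user ID is taken from a claim rather than the Name Identifier, the claim URI you supply has to match the token's attribute exactly, which is why the SAML 1.1 namespace and name are joined before comparison.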


  • Identity Federation is part of the process of configuring an identity provider. For more information on how to configure an identity provider, see Configuring an Identity Provider.