WS-Federation Identity Providers

Updated: June 19, 2015

Applies To: Azure

WS-Federation identity providers are custom identity providers that support the WS-Federation protocol and are configured in Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) using WS-Federation metadata. A WS-Federation identity provider may also support other federation protocols, such as WS-Trust. WS-Federation identity providers are most frequently used in web site and web application scenarios, where the WS-Federation passive requester profile is used to facilitate the necessary token redirects to and from ACS using a web browser.

Microsoft Active Directory Federation Services 2.0

A common example of a WS-Federation identity provider is . You can use it to integrate your enterprise Active Directory accounts with ACS. Before you can add and configure as an identity provider in ACS, you must have installed and working with at least one Claims Provider Trust, for example, Active Directory Domain Services (AD DS). For more information, see How to: Configure AD FS 2.0 as an Identity Provider.

Configuring in the ACS Management Portal

When you are using the ACS Management Portal to configure a WS-Federation identity provider, you must enter the following data.

  • Display name—Specifies the display name of your identity provider. This name is used in the ACS Management Portal only.

  • WS-Federation metadata—Contains configuration information (federation metadata) about the established federated services, such as tokens and authorization, and the policies for accessing them. When you add a WS-Federation identity provider in ACS, you must enter the URL of the federation metadata document or upload a local copy of the metadata document for the WS-Federation identity provider.


    Import WS-Federation metadata only from a WS-Federation identity provider that you trust.

    For security reasons, it is strongly recommended that the WS-Federation identity provider publish their federation metadata document at an HTTPS URL. It is also recommended that the WS-Federation identity provider use only HTTPS token-issuance endpoints.

  • Login link text—Specifies the text that is displayed for this identity provider on the login page of your web application. For more information, see Login Pages and Home Realm Discovery.

  • Image URL (optional)—Associates a URL with an image file (for example, a logo of your choice) that you can display as the login link for this identity provider. This logo automatically appears on the default login page for your ACS-aware web application, as well as in your web application’s JSON feed that you can use to render a custom login page. If you do not specify an image URL, then a text login link for this identity provider is displayed on the login page of your web application. If you specify an image URL, it is strongly recommended that it be pointed to a trusted source, for example, your own web site or application, using HTTPS to prevent browser security warnings. Also, any image that is larger than 240 pixels in width and 40 pixels in height is automatically resized on the default ACS home realm discovery page. It is recommended that you obtain permission from your partner to display this image.

  • Email domain names (optional)—To prompt users to login using their email address, you can specify the email domain suffixes hosted by this identity provider. Otherwise, leave this field blank to display a direct login link. Use semicolons to separate the list of suffixes. For more information, see Login Pages and Home Realm Discovery.

  • Relying party applications—Specifies all existing relying party applications that you want to associate with this identity provider. For more information, see Relying Party Applications.

After an identity provider is associated with a relying party application, rules for that identity provider must be generated or added manually in a relying party application’s rule group to complete the configuration. For more information about creating rules, see Rule Groups and Rules.

Supported claim types

After a user authenticates with an identity provider, they receive a token populated with identity claims. Claims are pieces of information about the user, such as an email address or a unique ID. ACS can pass these claims directly through to the relying party application or make authorization decisions based on the values they contain.

By default, claims types in ACS are uniquely identified using a URI for compliance with the SAML token specification. These URIs are also used to identity claims in other token formats.

For WS-Federation identity providers, the available claim types are determined by the WS-Federation metadata for the identity provider that is imported into ACS. Once the import is complete, the claim types available for the identity provider are visible in the Edit Claim Rule page of the ACS Management Portal. These claim types are also visible through the ClaimType entity in the ACS Management Service.

In addition to the claim types available through WS-Federation metadata, ACS always issues the following claims for each WS-Federation identity provider.

Claim Type URI Description

Name Identifier

A unique identifier for the user account, provided by the identity provider.

Identity Provider

A claim provided by ACS that tells the relying party application that the user authenticated using the selected identity provider. The value of this claim is visible in the ACS Management Portal via the Realm field in the Edit Identity Provider page.


WS-Federation identity providers can also issue claim types to ACS that are not explicitly listed in the identity provider’s WS-Federation metadata document. In this case, the expected claim type URI can be entered manually into a rule instead of selected. For more information about rules, see Rule Groups and Rules.

Managing Certificates

The X.509 token signing certificates for a WS-Federation identity provider are listed on the page for the identity provider in the ACS Management Portal. It is important to monitor the certificates and ensure that they are effective and that they are replaced before they expire.

To view the certificates for a WS-Federation identity provider:

  1. In the ACS Management Portal, click Identity providers.

  2. Click the WS-Federation identity provider.

  3. Scroll to the Token Signing Certificates section at the bottom of the page.

For more information about managing certificates for WS-Federation identity providers, see WS-Federation identity provider certificate.

See Also


Identity Providers
Certificates and Keys Management Guidelines