FedUtil - Federation Utility for Establishing Trust from an RP to an STS

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

FedUtil.exe is provided with Windows® Identity Foundation (WIF). It helps you establish trust from a relying party (RP) application to a security token service (STS). It provides the following capabilities:

  • Register an existing production STS as a trusted issuer of the RP application.

  • Help develop a claims-aware application by offering a local STS.

  • Make an existing application claims-aware.

  • Update federation metadata for an RP application.

  • Schedule automatic updates of the federation metadata for an RP application.

The topics in this section show you how to do each of these tasks using FedUtil. You can also do them manually by making the same changes to your RP application’s web.config file that FedUtil makes. The topics in this section explain these changes in detail.


When FedUtil enables WIF on a WCF service, it uses the WSFederationHttpBinding from WCF. The WSFederationHttpBinding does not support web farm scenarios (for more information, see How to: Disable Secure Sessions on a WSFederationHttpBinding). Therefore, if you use FedUtil to enable WIF on a WCF service, you should programmatically use one of WIF’s built-in bindings. For more information, see Built-in Bindings Overview.