WS-Federation Account Provider
The Identity Hub supports all identity providers that implement the WS-Federation protocol. To allow users to sign in with your WS-Federation enabled identity provider:
- Set up and configure a Relying Party on the identity provider
- Activate a WS-Federation Account Provider (see Activate an Account Provider)
- Set the configuration parameters on the WS-Federation Account Provider
Configure a WS-Federation Account Provider
To configure a WS-Federation Account Provider you have two options:
- Supply the metadata of the identity provider via a URL or file.
- Configure the parameters manually.
Supply the metadata of the identity provider via a URL or file.
- In Federation Metadata URL, type the URL where the metadata of the identity provider is available, or select a file in Federation Metadata File.
- Provide a Name.
- Provide a unique value for Realm; this value identifies the WS-Federation Account Provider to the identity provider.
- Click Save.
For more information on the other configuration parameters, see Specific configuration parameters for the WS-Federation Account Provider.
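The metadata option above works because a WS-Federation identity provider publishes a FederationMetadata.xml document that already contains its entityID, its passive sign-in endpoint (the Issuer URL) and its token signing certificate. The following script, an added example that is not part of The Identity Hub documentation, shows what has to be pulled out of such a document; the metadata it parses is constructed for the example, and the certificate bytes in it are placeholders, not a real certificate.

```python
# Added example (not The Identity Hub's own code): extract from a WS-Federation
# FederationMetadata.xml the values the Account Provider needs: the identity
# provider's entityID, its passive sign-in endpoint (Issuer URL) and its token
# signing certificate(s). Standard library only.
import base64
import hashlib
import xml.etree.ElementTree as ET  # for metadata from untrusted parties prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Placeholder DER bytes for the example; a real X509Certificate element carries base64 DER.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real certificate").decode()

# Constructed metadata document in the shape an AD FS style provider publishes.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://idp.example.test/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def metadata_url_is_acceptable(url: str) -> bool:
    """The metadata URL is read again on every edit of the Account Provider, so it is a
    trust anchor for the signing certificate: accept https only, never plain http."""
    return url.lower().startswith("https://")


def der_thumbprint(cert_b64: str) -> str:
    """SHA-256 thumbprint (uppercase hex) of a base64 DER certificate, to compare
    out of band with the value the identity provider's administrator gives you."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()


def parse_federation_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    # The WS-Federation STS role is the RoleDescriptor typed fed:SecurityTokenServiceType;
    # the same document may also carry SAML roles, which are not wanted here.
    sts = next((r for r in root.iter(f"{{{NS['md']}}}RoleDescriptor")
                if r.get(XSI_TYPE, "").endswith("SecurityTokenServiceType")), None)
    if sts is None:
        raise ValueError("no SecurityTokenServiceType RoleDescriptor in metadata")
    addr = sts.find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if addr is None or not (addr.text or "").strip():
        raise ValueError("no PassiveRequestorEndpoint address (Issuer URL) in metadata")
    issuer_url = addr.text.strip()
    if not issuer_url.lower().startswith("https://"):
        raise ValueError("Issuer URL must be https")
    certs = []
    for kd in sts.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop embedded line breaks
    if not certs:
        raise ValueError("no token signing certificate in metadata")
    return {
        "entity_id": entity_id,
        "issuer_url": issuer_url,
        "signing_certificates": certs,
        "signing_thumbprints": [der_thumbprint(c) for c in certs],
    }


if __name__ == "__main__":
    for key, value in parse_federation_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Providers that roll their signing key publish two signing KeyDescriptors for a while, which is why the function collects a list rather than a single certificate; the thumbprint is what you compare with the provider's administrator before trusting a key that arrived over the metadata URL.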
Configure the parameters manually.
For more information on the configuration parameters, see Specific configuration parameters for the WS-Federation Account Provider.
Configure a Relying Party on the identity provider
The specific configuration steps depend on the type of WS-Federation identity provider. After activation of the WS-Federation Account Provider, the identity provider can use the metadata of the Account Provider (the Metadata document parameter on the General tab) to configure the Relying Party.
Specific configuration parameters for the WS-Federation Account Provider
The following parameters are required as a minimum:
- The Name, Realm and Issuer URL on the General tab.
For more information on the parameters, see the WS-Federation specification.
General
Parameter | Description |
---|---|
Federation Metadata URL | The URL of the metadata of the WS-Federation Identity Provider. If provided, this URL is queried for configuration when the WS-Federation Account Provider is activated and again each time the WS-Federation Account Provider is edited. Because the token signing certificate is taken from this document, use an https URL that is under the identity provider's control. |
Federation Metadata File | The file with the metadata of the WS-Federation Identity Provider. If provided, it is used to configure the WS-Federation Account Provider. |
Metadata document | The URL of the metadata document of the WS-Federation Account Provider itself; the identity provider can use it to configure the Relying Party. |
Realm | Unique value that identifies the WS-Federation Account Provider. It is sent to the identity provider as the wtrealm parameter and must match the Relying Party identifier configured there. |
Issuer URL | The sign-in URL endpoint on the WS-Federation identity provider (the passive requestor endpoint to which sign-in requests are sent). |
Reply URL's | This is always https://www.theidentityhub.com/{tenant}/authenticate/processaccountproviderresponse, where {tenant} is your tenant name. Register exactly this URL on the identity provider; tokens are only accepted at this address. |
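The three required General parameters map directly onto the WS-Federation passive sign-in request: the browser is redirected to the Issuer URL with wa=wsignin1.0, the Realm as wtrealm and the Reply URL as wreply. The script below is an added example, not The Identity Hub's own code; the tenant name, Realm and Issuer URL in it are assumed values. Besides composing the request it shows the exact-match check an identity provider must apply to wreply, which is the reason the Reply URL is fixed rather than a prefix.

```python
# Added example (not The Identity Hub's own code): the General tab parameters on
# the wire in a WS-Federation passive sign-in, plus an exact-match Reply URL check.
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

TENANT = "contoso"  # assumed tenant name
REPLY_URL = f"https://www.theidentityhub.com/{TENANT}/authenticate/processaccountproviderresponse"
ISSUER_URL = "https://idp.example.test/adfs/ls/"  # assumed Issuer URL (passive endpoint)
REALM = "https://www.theidentityhub.com/contoso/"  # assumed Realm; equals the RP identifier at the IdP


def build_signin_url(issuer_url: str, realm: str, reply_url: str, wctx: str) -> str:
    """Compose the wsignin1.0 redirect from the Issuer URL and the wa, wtrealm,
    wreply and wctx parameters. wctx carries an unguessable per-request value the
    Relying Party stores and checks when the token comes back (login CSRF guard)."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply_url, "wctx": wctx}
    sep = "&" if urlsplit(issuer_url).query else "?"
    return issuer_url + sep + urlencode(params)


def signin_params(url: str) -> dict:
    """Decode the query string of a sign-in request back into its parameters."""
    return dict(parse_qsl(urlsplit(url).query))


def reply_url_matches(candidate: str, expected: str) -> bool:
    """Exact comparison of a wreply value against the registered Reply URL.
    Prefix or substring checks would deliver the token to
    www.theidentityhub.com.evil.test, to a host hidden behind userinfo, or to a
    path traversal; compare scheme, host, port and path component by component."""
    c, e = urlsplit(candidate), urlsplit(expected)
    return (
        c.scheme == "https" and e.scheme == "https"
        and c.username is None and c.password is None
        and c.hostname == e.hostname and c.port == e.port
        and c.path == e.path
        and c.query == "" and c.fragment == ""
    )


if __name__ == "__main__":
    print(build_signin_url(ISSUER_URL, REALM, REPLY_URL, secrets.token_urlsafe(16)))
```

urlsplit lowercases the scheme and host, so differences in case are accepted, while a different port, a query string or a trailing path segment are not.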
Certificates
Parameter | Description |
---|---|
Token Encryption Certificate | The certificate of The Identity Hub used for token encryption: the identity provider encrypts tokens with its public key and The Identity Hub decrypts them with the matching private key. |
Token Signing Certificate | The certificate the identity provider uses to sign the tokens; The Identity Hub uses it to verify the signature of incoming tokens. When supplied via metadata, confirm its thumbprint with the identity provider out of band. |
Claim Mappings
By default, no incoming claims are mapped except:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
To map all incoming claims (including those not listed in the claim mappings), uncheck Remove all incoming claims that are not mapped.
See the Claim Mappings page for a more detailed explanation.
Advanced
Parameter | Description |
---|---|
Max-Age | See Account Providers Max-Age |
Related
Amazon Account Provider
Activate an Account Provider
Built-in Username and Password Account Provider
Custom Account Providers
Facebook Account Provider
GitHub Account Provider
Google Account Provider
Instagram Account Provider
LinkedIn Account Provider
Microsoft Account Provider
myID.be Account Provider
Office 365 Account Provider
OpenID Connect Account Provider
PayPal Account Provider
SAML-P Account Provider
StackExchange Account Provider
Twitter Account Provider