WS-Federation Application

WS-Federation is a popular data format for communicating claims between a claims provider and a Service Provider.

This protocol can be used for both passive federation (browser-based) and active federation (Windows client-based). Typical examples of active clients are Windows applications, Java applications, Windows services, or even clients that are hosted in IIS but use WCF to ask Identify for security tokens. The difference is that an active STS does not require you to fill in the fields "passive requestor endpoint" and "sign out reply endpoint".

The configuration settings offered by this Protocol Connection type are:

  • Entity ID: The entityID attribute is the unique identifier of the identity provider.
  • Passive requestor endpoint: Specifies the endpoint of an RP to which Safewhere*Identify sends login responses.
  • Sign out reply endpoint: Specifies the endpoint of an RP to which Safewhere*Identify sends logout responses.
  • Find value: The value of the attribute that is used to identify the certificate, e.g. its subject or thumbprint.
  • Find type: Specifies which certificate attribute will be used to identify the certificate. A common way to locate a certificate is to search for its subject's distinguished name or its thumbprint. The authentication connection will use the first certificate that matches the specified search criteria. Possible values are: FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, FindBySubjectKeyIdentifier.
  • Get certificates button: Allows the user to select a new certificate.
  • Store location: The location of the certificate store to use. Possible values are: CurrentUser, LocalMachine.
  • Store name: Specifies which certificate store the certificate is placed in. Possible values are: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My.
  • Use Saml 1.1 token profile: Tick this when a SAML 1.1 token format is required.

The configuration settings below are offered for the OIO IDWS Identify STS:

  • Audience restriction: List of valid entity IDs. The entity IDs are separated by ";". This audience restriction is set to the issuer that is used to issue the bootstrap token (also known as the ActAs token).
  • Support OIO WS-Trust Profile: When ticked, the OIO IDWS profile is handled by the connection.
  • Bootstrap token timestamp: The validity period, in minutes, of the bootstrap token. Its default value is 60 minutes.
  • Assurance level required: The minimum assurance level required when issuing the bootstrap token. Its default value is 0.
  • Assurance level claim type: The claim type used for storing the assurance level issued on the bootstrap token. The default is "urn:oasis:names:tc:SAML:attribute:assurance-certification".
  • Bootstrap token trusted issuers: The list of valid trusted issuers that issued the bootstrap token.
    • Find value: The value of the attribute that identifies the certificate, e.g. its subject or thumbprint.
    • Find type: Specifies which certificate attribute will be used to identify the certificate. A common way to locate a certificate is to search for its subject's distinguished name or its thumbprint. The authentication connection will use the first certificate that matches the specified search criteria. Possible values are: FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, FindBySubjectKeyIdentifier.
    • Get certificates button: Allows the user to select a new certificate.
    • Store location: The location of the certificate store to use. Possible values are: CurrentUser and LocalMachine.
    • Store name: Specifies which certificate store the certificate is placed in. Possible values are: AddressBook, AuthRoot, CertificateAuthority, Disallowed, and My.
    • Add/Update/Cancel button: Allows the user to manage the trusted issuers.

The configuration setting below is offered for the STS issuedtokensymmetricbasic256sha256 endpoint.

  • Received Security Token Encryption certificate: This certificate element specifies the encryption certificate used by the issuedtokensymmetricbasic256sha256 protocol.
    • Find value: The value of the attribute that is used to identify the certificate, e.g. its subject or thumbprint.
    • Find type: Specifies which certificate attribute will be used to identify the certificate. A common way to locate a certificate is to search for its subject's distinguished name or its thumbprint. The authentication connection will use the first certificate that matches the specified search criteria. Possible values are: FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, FindBySubjectKeyIdentifier.
    • Get certificates button: Allows the user to select a new certificate.
    • Store location: The location of the certificate store to use. Possible values are: CurrentUser, LocalMachine.
    • Store name: Specifies which certificate store the certificate is placed in. Possible values are: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My.

Metadata status settings (from version 5.5):

Monitor metadata: Enable this to check the metadata's certificate(s) every x minute(s), where x is set by Metadata monitoring interval (minutes). The check is only performed when the metadata was uploaded from a URL. The following events are logged when the system detects an issue in the metadata:
  • 5551 System - Error when a certificate has expired
  • 5552 System - Warning when a certificate is about to expire
  • 5548 System - Information when Identify finished checking metadata and found no changes
  • 5549 System - Information when Identify finished checking metadata and found new certificate changes
  • 5550 System - Information when Identify automatically updated the metadata for a connection
Automatically update metadata: Tick this to allow the system to update the metadata automatically when it detects that a certificate has changed in the external system. It requires that Monitor metadata is enabled as well.
Metadata monitoring status: The status of the last check, updated by the system when Monitor metadata is enabled. The default value is Unspecified.
  • Unspecified: This default status indicates that the job has not been run since the last time the connection was saved manually (that is, not by the monitoring job). A connection in this status is displayed in WHITE.
  • Updated: This status indicates that the job has successfully updated the connection with the latest metadata, and that all certificates of the connection are up to date. The connection is displayed in GREEN.
  • PendingChanges: This status applies to the WSFederation connection type only. When WSFederation metadata contains both a primary and a secondary certificate, the status is set to PendingChanges because Identify only allows one primary certificate to be imported. The connection record is displayed in YELLOW in this case.
  • Inaccessible: This status applies when an error occurs while monitoring and updating metadata automatically. It could be that the metadata URL is inaccessible, or that the metadata content cannot be parsed and applied to the connection. The connection is displayed in RED.
  • OutOfDate: This status applies only when the Monitor metadata setting is turned on but Automatically update metadata is turned off, and the job monitors the metadata and finds that it has changed. The connection is also displayed in RED in this case.
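As an added example (not part of this documentation and not Identify's own code), the Python below reads the signing certificates out of a WS-Federation metadata document and derives the metadata monitoring status described above for one connection; the status precedence (Inaccessible, then OutOfDate, then PendingChanges, then Updated), the `build_metadata` helper and the certificate bytes are assumptions and constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint(der):
    return hashlib.sha1(der).hexdigest().upper()  # Windows-style: SHA-1 of the DER bytes

def signing_thumbprints(metadata_xml):
    """Thumbprints of all signing certificates in document order (first = primary)."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing too
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.append(thumbprint(base64.b64decode("".join(cert.text.split()))))
    return found

def monitor_status(stored_thumbprint, metadata_xml, auto_update):
    """Status of one connection after a monitoring run (assumes Monitor metadata is on).
    Precedence is an assumption: Inaccessible, OutOfDate, PendingChanges, Updated."""
    try:
        found = signing_thumbprints(metadata_xml)
    except ET.ParseError:
        found = []
    if not found:
        return "Inaccessible"      # URL unreachable or content cannot be parsed
    changed = found[0] != stored_thumbprint
    if changed and not auto_update:
        return "OutOfDate"         # change detected but automatic update is off
    if len(found) > 1:
        return "PendingChanges"    # primary + secondary, only one primary is imported
    return "Updated"

def build_metadata(ders):
    """Constructed, trimmed FederationMetadata.xml with one signing KeyDescriptor per cert."""
    keys = "".join(
        f'<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f'{base64.b64encode(d).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
        f'</KeyDescriptor>' for d in ders)
    return (f'<EntityDescriptor xmlns="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://sts.example.test/"><RoleDescriptor>{keys}'
            f'</RoleDescriptor></EntityDescriptor>')

# Constructed sample: these bytes stand in for DER certificates and are not real X.509.
PRIMARY_DER, SECONDARY_DER = b"constructed-primary-certificate", b"constructed-secondary-certificate"
SAMPLE_METADATA = build_metadata([PRIMARY_DER, SECONDARY_DER])
```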