Microsoft Federation Gateway

February 2008 (Last updated: November 2008)

The Microsoft® Federation Gateway is a new identity service that runs in the cloud—that is, over the Internet and beyond your corporate network domain. This gateway service sits between an organization or business like yours and the services that the organization wants to use. The gateway acts as a hub for all the connections the organization wants to make, whether to a developer application built on Windows® Azure™ or to a Microsoft application running in the cloud. This gateway is valuable because it is a hub for connecting users and other identities to the services that it works with, so that an organization has to manage only a single identity-federation relationship to enable its identities to access any and all Microsoft and Microsoft-based services that they want to use.

This document describes how an organization can establish and administer a federated relationship to adopt Microsoft cloud services or applications built on Windows Azure, by means of the Microsoft Federation Gateway.

Section 1 is an overview and contains the following:

• Definitions of terms and concepts involved in identity federation
  
• High-level information useful to technical decision-makers who are considering the value of offering Microsoft services to their users and the benefits such an offering would bring to their organization
  
• Descriptions of the typical interactions between the parties involved in a federated relationship
  

Section 2 provides the technical details necessary for establishing a federated relationship with the Microsoft Federation Gateway and authenticating users through it.

Section 3 discusses additional identity-management operations and how they can be accomplished by means of authentication tokens.

Finally, an Appendix provides a sample authentication token and a list of references for further information about identity federation.

 Section 1—Overview

A federated identity relationship is a standards-based arrangement between organizations in which user claims from one organization are passed to and recognized by another. Users can therefore sign in to (and be authenticated by) their identity provider—the organization that manages their identity account—and then have their authentication information passed to a federated partner as needed without being required to sign in again. (A federated partner that recognizes the identity provider’s users and grants them access to its resources is called a resource provider.)

What is Federation?

Federation is a trust-based agreement between two organizations with some common purpose, such that both want authentication assertions from one organization to be recognized by the other.

As mentioned earlier, federation involves two parties:

• The identity provider authenticates users’ identity accounts so that those users can access resources in third-party networks.
  
• The resource provider permits identities authenticated by an identity provider to access resources in its network.
  

By establishing identity federation, an organization provides its users with access to resources not only on their own network, but also on the network of a federated partner such as a Microsoft service or an application built on Windows Azure. The organization (for example, an Internet service provider (ISP), university, telephone company, or other enterprise) can thus still control and manage its own user accounts while making a greater number of services available to its users.

The Microsoft Federation Gateway builds on the Web service (WS-*) specifications such as WS-Trust and WS-Security. These specifications work together to provide customizable security that leads to simpler design for interoperability, improved security, and simplified testing. By using these industry-standard protocols, two organizations can establish a federated-identity relationship without requiring both to use identical hardware platforms or software infrastructure.

For more information about the WS-Federation specification, see Understanding WS-Federation in the MSDN® library (http://msdn2.microsoft.com/en-us/library/bb498017.aspx). For more information about the WS-* specifications, see "References" at the end of this document.

Figure 1 shows the trust boundaries in a typical federation relationship.

Figure 1   Identity federation between trusted partners

Policies govern the details of how authentication and authorization occur. For example, a Microsoft service might have a policy that requires Secure Sockets Layer (SSL), a specific time window allowed for authentication, or a specific authentication method (such as biometric identification).

Benefits of Federation

Users benefit from a single sign-on (SSO) experience because they enter credentials only once to access resources offered both by their identity provider’s network (for example, account-management services) and by Microsoft or third-party services.

Organizations benefit by offering services of value to their users, without having to build or manage those services themselves.

A major benefit of federation is the ease with which identities can be created and maintained. Microsoft Federation Gateway identities are created and updated automatically by means of industry-standard tokens sent from the identity provider to the gateway service. Thanks to the design of the trust relationship, the identity provider does not have to do any work to set up, maintain, or delete Microsoft Federation Gateway identities for its users. The gateway automatically creates a mapping between the federated identity and a new Microsoft Federation Gateway identity when the user first accesses a service that requires authentication.

Users who discontinue their account with the federated identity provider can no longer sign in with that provider, and so also can no longer access services by using their federated identity because no authentication token will be sent to the Microsoft Federation Gateway.

Federation Architecture

In an identity federation arrangement between two organizations, one partner (the identity provider) controls its own users’ accounts while the other partner (the resource provider) grants access to its resources in reliance on the authentication performed by the identity provider.

In this context, a user’s identity is defined by a set of claims. A claim is a statement that a server makes about a client user—for example, name, identity, key, group, permission, or capability. So the common purpose of identity federation is the sharing of identity claims.

With the Microsoft Federation Gateway, authentication data from the identity provider (the partner that manages the user account) is transformed into a standard format called Security Assertion Markup Language (SAML), transmitted as described in the WS-* specifications, and then transformed by the Microsoft Federation Gateway service into a service token. SAML is an open-standard XML format that is used to communicate authentication information across security domains.

Figure 2 shows the general flow of claims information between trusted partners that form a federation of identities. The Microsoft Federation Gateway receives the claims and transforms the information in them into a format that is usable by Microsoft services.

Figure 2   Federation of identities between partners

This claims transformation causes information that is in the federated partner's format to be changed into standard SAML 1.1 format (outgoing claim transform), which the Microsoft Federation Gateway receives and transforms (incoming claim transform) into the format that it sends to Microsoft services. The claims that must be included in the SAML token are described in "Using Tokens for Federated Identity Maintenance" later in this document.

Microsoft Federation Gateway

The Microsoft Federation Gateway enables a standards-based relationship between the gateway service and trusted third-party partners.

The purpose of establishing this cooperative relationship is to share a user’s digital identity across the Internet. This sharing of authentication information can provide (among other benefits) a streamlined single sign-on experience for the user both on the Web and with smart-client applications.

Figure 3 shows the sequence of actions that occur after a user whose account is managed by a federated partner requests access to a Microsoft service.

Figure 3   Flow of user authentication information

The following numbered steps explain the corresponding actions shown in Figure 3:

1. The user sends credentials to his or her identity provider (IP). A user provides his or her user name and password to the federated partner (the partner that owns the user account). The federated partner’s security token service (STS) generates an IP token and returns it to the user. The purpose of an IP/STS is to issue security tokens.
   
2. The IP token is sent to the Microsoft Federation Gateway. The gateway STS converts the token received from the federated partner into a service token, based on information about the user in the IP token.
   The token that is sent to the Microsoft Federation Gateway contains a unique, immutable identifier for the user (used for mapping that user to his or her Microsoft services data and settings)—for example, UniqueImmutableID@contoso.com. The token also includes a friendly identifier, in the form of an e-mail address, that Microsoft services use for that user—for example, “someone@contoso.com”. The Microsoft Federation Gateway uses the unique identifier in the token to determine whether the user is new or has previously accessed Microsoft services.
   On the user’s first visit, the gateway service maps the federated user account to a Microsoft Federation Gateway unique identifier. Microsoft and third-party services across the network will then use this identifier when storing and retaining personalized content (such as buddy lists and preferences) so that the content can be accessed by the user on subsequent sign-in sessions.
   

   Note:
   In addition to mapping federated users to their personalized content, information that is sent to the Microsoft Federation Gateway service in the token is also used for keeping information about the identity current—functions such as changing the user name, account conversion, and profile updates. These scenarios are described in Section 2.

3. The converted token is sent to the Microsoft service. After the Microsoft Federation Gateway converts the federated user’s IP token into a token that Microsoft services expect, the token is then sent to the service that the user originally wanted to access.
   

For a federated sign-in, as shown in Figure 3, the federated partner issues a token representing the authenticated user to the service.

Data Flows

The data flows for Web-based sign-in and smart-client sign-in are discussed next. Other actions, such as changing user names, converting accounts, updating profile information, and sign-out, are described in Section 2 of this document.

Web Browser Sign-in Data Flow

A Web-based sign-in is the main point of communication for many federated-identity scenarios between partner organizations. In Figure 4, the federated partner is the identity provider (IP).

Figure 4   Web sign-in data flow

The following numbered steps explain the corresponding actions shown in Figure 4:

1. The browser tries to access a service that requires authentication, such as Microsoft Dynamics® CRM Online.
   
2. The service redirects the browser to its own identity provider, which is always the Microsoft Federation Gateway.
   
3. The Microsoft Federation Gateway determines which partner owns the user account. This determination is called realm discovery.
   
4. If the user is a federated user, as in this example, the Microsoft Federation Gateway sends the user to the identity provider (the federated partner). (This message is formatted according to the WS-Federation Passive Requestor Profile specification.)
   
5. The federated partner displays a user interface (UI) that requests authentication data from the user (typically a user name and password).
   
6. The user signs in by providing a user name and password.
   
7. The federated partner returns the authentication token to the Microsoft Federation Gateway service by redirecting the user's browser and automatically posting the token. (This message is formatted according to the WS-Federation Passive Requestor Profile specification.)
   
8. The Microsoft Federation Gateway returns an authentication token for the requested Microsoft service to the user's browser, which then submits that token to the service.
   
9. The service that was originally requested in step 1 returns the requested result to the user's browser. In this example, CRM Online returns the CRM information.
   

Not all steps in this list may be required if a user has already been authenticated. In that case, after the user accesses a Microsoft service (step 1), that service returns personalized content for that user (step 9) without requiring the intermediate steps to authenticate the user.

Note:
Figure 11 (later in this document) represents the sequence of messages sent and received in Figure 4.

Smart-client Sign-in Data Flow

Client applications that run locally on a PC or mobile device can also send users to their federated identity provider for authentication, but they do so in a way that is different from browser-based Web applications (where the browser is silently redirected to the user’s IP so the user can sign in). We use Windows Live™ Messenger in this example, but the smart client can be another Windows application or mobile device application.

Note:
The flow of information shown in Figure 5 is an example only; support for federation in Windows Live Messenger is still in development.

Figure 5   Smart-client sign-in data flow

User Experience

Next we describe the federated sign-in experience for a user who accesses a Microsoft service by means of either a Web browser or a smart-client application.

The experience differs depending on whether the user has already been authenticated, in which case the user may not be required to sign in again. For example, if a federated partner is using Active Directory® Federation Services (AD FS) as its authentication service, its users are authenticated when they sign into its network and are not prompted again for credentials for a configurable period of time (for example, eight hours).

Web Browser Sign-in

When a user accesses a protected resource by using a browser, he or she may be redirected to a typical Windows Live ID sign-in screen like the one shown in Figure 6.

Figure 6   Web sign-in screen

To sign in, a user can choose to type in a Windows Live ID user name and password. However, if the user enters a federated user name—an e-mail address that belongs to a federated partner's domain—the user sees a message as shown in Figure 7.

Figure 7   Web sign-in with federated partner account

Federated users are thus invited to click Go there, after which the Microsoft Federation Gateway forwards them to the federated partner’s sign-in page where they enter their e-mail address and password information.

Smart Client Sign-in

When users access a Microsoft service from a smart-client application or mobile device (software other than a browser), they do not experience redirects as they do during a browser-based sign-in.

Figures 8, 9, and 10 show the sequence of screens that users see when signing in by using a federated partner identity. The exact user experience depends on how the application is designed. The following screens represent a generalized sign-in experience on smart-client applications.

A federated user uses the sign-in screen to sign in with a smart client as shown in Figure 9.

Figure 8   Smart client sign-in

Figure 9   Credential selection in the client

Figure 10   Client sign-in by using Partner ID

 Section 2—Integrating with the Microsoft Federation Gateway

This section contains information for administrators and developers about setting up and implementing a federated-identity trust relationship with the Microsoft Federation Gateway service. In this relationship, the federated partner is the identity provider and the Microsoft Federation Gateway is the resource provider.

Note:
This section and Section 3 cover implementation of various user scenarios in detail. To get started with federation more quickly and see how to implement Web-based sign-in only, see Quick Start for the Microsoft Federation Gateway.

The following basic steps must be completed. Each step is explained in more detail later in this document.

• Step 1—Establish trust. Set up and administer a federated-identity trust relationship.
  
• Step 2—Authenticate users. Exchange authentication claims to sign users in and out. The following authentication functions are addressed.
  

  Authentication function	Partner's steps to implement
  Browser-based sign-in support (WS-Federation: Passive Profile)	Build a Web server to handle sign-in requests (HTTP GET) from the Microsoft Federation Gateway service. Authenticate the user. Send an authentication token back to the Microsoft Federation Gateway.
  Browser-based sign-out support (WS-Federation: Passive Profile)	User signs out at the Microsoft Federation Gateway Build a Web server that handles sign-out requests (HTTP GET) from the Microsoft Federation Gateway service. Delete any relevant cookies from the user’s computer or Web browser. Send a sign-out request to the Microsoft Federation Gateway. User signs out at the federated partner's site Delete any relevant cookies from the user’s computer or Web browser. Send a sign-out request to the Microsoft Federation Gateway.
  Smart-client sign-in support (WS-Federation: Active Profile)	Build a security token service (STS) that handles sign-in requests (RequestSecurityToken messages) from the Microsoft Federation Gateway service. Authenticate the user. Send an authentication token (RequestSecurityTokenResponse) to the Microsoft Federation Gateway.
  Smart-client sign-out support (WS-Federation: Active Profile)	No implementation is required to support smart-client sign-out

Step 1—Establish Trust

To establish trust between a federated partner and the Microsoft Federation Gateway, the two parties must exchange information.

Information That Partners Provide to the Microsoft Federation Gateway

The following information is required from the federated partner to establish the trust relationship.

Item	Description
DOMAIN_NAME	The Domain Name System (DNS) name of the domain (for example, Contoso.com).
WEB_SIGNIN_URL	The URL of the Web sign-in page (for example, http://contoso.com/signin.aspx). When a user in the domain accesses a Microsoft Federation Gateway-protected resource on the Web (for example, spaces.live.com), an authentication request (using WS-Federation: Passive Requestor Profile protocol) is sent to this URL. The requirements for the sign-in page are described in the WS-Federation: Passive Requestor Profile specification. The relevant details of the specification are discussed later in this document.
SMARTCLIENT_LOGIN_URL	The URL of the security token service (STS) (for example, http://contoso.com/stsauth.svc) for smart-client sign-ins. When a user in the domain accesses a Microsoft Federation Gateway-protected resource in a smart client (for example, Windows Live Messenger), an authentication request (using WS-Trust protocol) is sent to this URL. The requirements for the STS are described in the Web Services Trust Language (WS-Trust) specification under RequestSecurityToken. The relevant details are discussed later in this document.
WEB_SIGNOUT_URL	The URL of the Web sign-out page (for example, http://contoso.com/signout.aspx). When a user in the domain signs out from a Microsoft Federation Gateway-protected resource on the Web (for example, spaces.live.com), a sign-out request is sent to this URL. The requirements for this sign-out page are described in the WS-Federation: Passive Requestor Profile specification. The relevant details of the specification are discussed later in this document.
PARTNER_IDENTIFIER	The federated partner’s identifier URI. It can be a locator (URL) or a name (URN) (for example, urn:Contoso.com). The Issuer field in Security Assertion Markup Language (SAML) authentication tokens should be populated with this value. It is used by the Microsoft Federation Gateway to determine the partner that sent the token.
TOKEN_SIGNING_CERTIFICATE	The self-signed X.509 certificate that is used to sign SAML authentication tokens. The Microsoft Federation Gateway uses this certificate to ensure the authenticity of the SAML authentication token. There are various tools that aid in the creation of self-signed x.509 certificates. Examples include MakeCert (.NET Framework SDK tools), OpenSSL (Open Source), and others. The following is an example of the use of MakeCert: makecert –r –pe –n “CN=Token Signing Certificate” –sky exchange –ss my This command creates a self-signed certificate in the current user’s personal store. It can be exported by means of the Microsoft Management Console (MMC) Certificates snap-in (certmgr.msc) to a base64-encoded certificate (.cer) file.
PARTNER_FRIENDLY_NAME	The partner name (for example, “Contoso”) that is used on Windows Live user-interface (UI) pages such as the sign-in realm-discovery page.
HONOR_SAML_NOTAFTER	Indicates (true or false) whether the NotOnOrAfter tag in the SAML authentication token should be honored. If true, the Microsoft Federation Gateway sets the authentication state to reauthenticate after the specified time in the NotOnOrAfter tag. (Note that the Microsoft Federation Gateway will not successfully accept SAML authentication tokens received after the NotOnOrAfter time regardless of this setting.)
NEXT_CERTIFICATE	Optional. A self-signed X.509 certificate that can be used to sign SAML authentication tokens. If the authenticity check of the request fails with the x.509 token-signing certificate, The Microsoft Federation Gateway uses this certificate to confirm the authenticity of the request. Details for creating an x.509 certificate are outlined earlier in this table (see TOKEN_SIGNING_CERTIFICATE).
METADATA_URL	Optional. The URL of your metadata document.

Information That the Microsoft Federation Gateway Provides to Federated Partners

The Microsoft Federation Gateway information that is required by federated partners is hosted in a WS-Federation metadata document. This document conforms to section 3 of the WS-Federation specification. (There is a corresponding metadata document for the test environment.)

Note:
The federated partner must download the metadata document programmatically over a Secure Sockets Layer (SSL) connection. Certificate checking must be enabled. The document should be cached locally and must be refreshed periodically; the recommended poll time is 24 hours.

The following table provides details about the information in the metadata document.

Element	Description
IssuerNamesOffered	The Microsoft Federation Gateway identifier (URI). Web requests that come from the Microsoft Federation Gateway service will have this URI in the query string. The requests sent to the federated partner's security token service (STS) for authentication to the Microsoft Federation Gateway will have this URI in the request.
PassiveRequestorEndpoints	The URL of the Microsoft Federation Gateway Web sign-in page and Microsoft Federation Gateway Web sign-out page (for example, http://login.live.com/login.srf ). The federated partner will send Web sign-in SAML authentication tokens (in response to the authentication request from the Microsoft Federation Gateway) to the gateway at this URL. The federated partner will send Web sign-out requests to the gateway at this URL.
TokenIssuerEndpoints	The Microsoft Federation Gateway endpoint (Microsoft Federation Gateway STS) that will be included in the request (RST) for an authentication token in the smart-client scenario.

Establishing the Trust Relationship

Trust can be established in one of the following ways.

Method	Description
Microsoft Federation Gateway Trust Provisioning	You access a SOAP interface of the Microsoft Federation Gateway service to instantly set up and administer a trust relationship. Trust is established in Microsoft's test environment. An X.509 SSL certificate is required.
Microsoft Contact	You contact Microsoft by e-mail to set up and administer a trust relationship. Trust is established in Microsoft's production environment.

Microsoft Federation Gateway Trust Provisioning

You can use Microsoft Federation Gateway Trust Provisioning to instantly set up and administer a trust relationship. (This approach requires a X.509 SSL certificate.)

Note:
Trust will be established in the Microsoft test environment only. To establish trust in the production environment, please pursue the "Microsoft Contact" process detailed later in this document.

This approach involves the following three steps:

1. Obtain a domain proof certificate.
   
2. Construct the Trust Provisioning SOAP message.
   
3. Send the Trust Provisioning SOAP message.
   

1. Obtain a Domain Proof Certificate
   To prove your ownership of the domain that you wish to federate with the Microsoft Federation Gateway, you must own the X.509 SSL certificate for that domain from one of the trusted root certificate authorities (CAs) that are configured in the Microsoft Federation Gateway. The following table lists those CAs.
   
   

   CA certificate friendly name	Issued to	Intended purposes
   Entrust	Entrust.net Secure Server Certification Authority	Server authentication, client authentication, code signing, secure e-mail, IP security tunnel termination, IP Security user, IP Security Internet Key Exchange (IKE) intermediate, time stamping, file-system encryption
   Go Daddy Class 2 Certification Authority	Go Daddy Class 2 Certification Authority	Server authentication, client authentication, secure e-mail, code signing
   Network Solutions	Network Solutions Certificate Authority	Server authentication, client authentication, secure e-mail, code signing, time stamping
   VeriSign Class 3 Public Primary CA	Class 3 Public Primary Certification Authority	Secure e-mail, client authentication, code signing, server authentication
   VeriSign	Class 3 Public Primary Certification Authority	Secure e-mail, client authentication, code signing, server authentication
   VeriSign	VeriSign Trust Network	Secure e-mail, client authentication, code signing, server authentication
   VeriSign	VeriSign Class 3 Public Primary Certification Authority - G5	Server authentication, client authentication, secure e-mail, code signing

   
   If you already have an SSL certificate for your company’s Web site, it is likely that it can be used to prove your ownership of that domain.
   The certificate will be used for creating a mutual SSL authentication connection, so it must be usable for client authentication in addition to any other intended uses.
   The certificate must be installed in the certificate store for the environment that will be used to send the Trust Provisioning message to the Microsoft Federation Gateway to create the federation. The particular mechanism for installing the certificate varies depending on the programming language and operating system you use. For example, for Microsoft .NET-based languages on the Windows® operating system, the certificate is typically installed by using the MMC Certificates snap-in (certmgr.msc).
   
   
2. Construct the Trust Provisioning SOAP Message
   Following is the format of the SOAP message used to establish federated trust with the Microsoft Federation Gateway. (Information placeholders appear in bold type; for descriptions of the data they represent, see the table in "Information That Partners Provide to the Microsoft Federation Gateway" earlier in this document.)
   
   <s:Envelope 
       xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
       xmlns:wsa="http://www.w3.org/2005/08/addressing"
       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
       xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
       xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex">
       xmlns:fed="http://schemas.xmlsoap.org/ws/2006/12/federation" 
       xmlns:auth=”http://schemas.xmlsoap.org/ws/2006/12/authorization”
       xmlns:fmp="http://schemas.microsoft.com/ws/2008/03/federation" 
       xmlns:fm="http://schemas.microsoft.com/Passport/Namespace/FederationManagement"
   >  
   <s:Header>
     <wsa:Action>
       http://schemas.microsoft.com/ws/2008/03/federation/InitiateFederationRequest
     </wsa:Action>
     <wsa:To>uri:WindowsLiveID</wsa:To>
   </s:Header>
   <s:Body>
     <fmp:InitiateFederationRequest 
       senderRole=”http://schemas.microsoft.com/ws/2008/03/federation/role/TokenIssuer” >
   
       <mex:Metadata>
         <mex:MetadataSection 
               Dialect=”http://docs.oasis-open.org/wsfed/federation/200706”>
           <fed:FederationMetadata RealmName=”[[PARTNER_IDENTIFIER]]”>
             <fed:Federation> 
               <fed:TokenSigningKeyInfo> 
                 <wsse:SecurityTokenReference> 
                   <ds:X509Data> 
                     <ds:X509Certificate>[[TOKEN_SIGNING_CERTIFICATE]]</ds:X509Certificate> 
                   </ds:X509Data>
                 </wsse:SecurityTokenReference> 
               </fed:TokenSigningKeyInfo> 
               <fed:IssuerNamesOffered>
                 <fed:IssuerName uri=”[[PARTNER_IDENTIFIER]]” />
               </fed:IssuerNamesOffered> 
               <fed:TokenIssuerEndpoints>
                 <wsa:EndpointReference>
                   <wsa:Address>[[SMARTCLIENT_LOGIN_URL]]</wsa:Address> 
                 </wsa:EndpointReference>
               </fed:TokenIssuerEndpoints>
               <fed:PassiveRequestorEndpoints>
                 <wsa:EndpointReference>
                   <wsa:Address>[[WEB_SIGNIN_URL]]</wsa:Address> 
                 </wsa:EndpointReference>
               </fed:PassiveRequestorEndpoints>
               <fed:TokenTypesOffered>
                 <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0" /> 
               </fed:TokenTypesOffered>
               <fed:ClaimTypesOffered>
                 <fed:ClaimType
                  Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" >
                   <fed:DisplayName>UPN</fed:DisplayName> 
                 </fed:ClaimType>
                 <fed:ClaimType Uri="http://schemas.xmlsoap.org/claims/EmailAddress">
                   <fed:DisplayName>Email Address</fed:DisplayName> 
                 </fed:ClaimType>
               </fed:ClaimTypesOffered>
             <fed:TokenIssuerMetadata>
                 <mex:Metadata>
                   <mex:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">
                     <wsx:MetadataReference>
                       <wsa:Address>[[METADATA_URL]]</wsa:Address> 
                     </wsx:MetadataReference>   
                   </mex:MetadataSection>
                 </mex:Metadata>
               </fed:TokenIssuerMetadata>
             </fed:Federation> 
           </fed:FederationMetadata>
         </mex:MetadataSection>
         <mex:MetadataSection 
             Dialect=”http://schemas.microsoft.com/Passport/Namespace/FederationManagement” >
           <fm:LiveIDConfig>
             <fm:DisplayName>[[PARTNER_FRIENDLY_NAME]]</fm:DisplayName>
           </fm:LiveIDConfig>
         </mex:MetadataSection>
       </mex:Metadata>
     </fmp:InitiateFederationRequest>
   </s:Body>
   </s:Envelope>

   
   
3. Send the Trust Provisioning SOAP Message
   Finally, you send the SOAP message constructed in the previous step to the Microsoft Federation Gateway Trust Provisioning endpoint by using a mutual SSL authentication connection.
   The domain proof certificate must be configured as the client certificate for that SSL connection. The mechanism for configuring the certificate will vary depending on the programming language and operating system you use.
   The address of the Microsoft Federation Gateway Trust Provisioning endpoint is found in one of the following XML elements in the Microsoft Federation Gateway metadata document discussed earlier. (Which element you find depends on which metadata document you obtained.)
   
   /fed:FederationMetadata/fed:Federation/fed:FederationMetadataPutEPR/wsa:Address 
   /fed:FederationMetadata/fed:Federation/fmp:FederationManagementEndpoints/wsa:EndpointReference/wsa:Address

   If the trust-provisioning request is successful, you will receive an InitiateFederationResponse confirmation message similar to the following example.
   
   
   <s:Envelope 
       xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
       xmlns:wsa="http://www.w3.org/2005/08/addressing"
       xmlns:fmp="http://schemas.microsoft.com/ws/2008/03/federation" 
   >  
   <s:Header>
     <Timestamp Id="TS" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <Created>2008-05-11T07:09:35Z</Created>
       <Expires>2008-05-11T07:14:35Z</Expires>
     </Timestamp>
     <wsa:Action>
       http://schemas.microsoft.com/ws/2008/03/federation/InitiateFederationResponse
     </wsa:Action>
     <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
   </s:Header>
   <s:Body>
   <fmp:InitiateFederationResponse 
   RequestStatus=”http://schemas.microsoft.com/ws/2008/03/federation/requeststatus/FederationInitiated”
   ProviderRole=”http://schemas.xmlsoap.orgmicrosoft.com/ws/2008/03/federation/role/TokenIssuer” 
   />
   </s:Body>

Microsoft Contact

Please contact Microsoft at wlidextr@microsoft.com and provide the information detailed previously in "Information That Partners Provide to the Microsoft Federation Gateway." You will be required to agree to the Terms of Service that apply to the Microsoft Federation Gateway.

Proof of domain ownership will be required. After the receiving your e-mail message, Microsoft will be inform you of the process to confirm domain ownership. As an example, Microsoft may request that a file with some particular (random) text be uploaded to the domain (for example, http://contoso.com/myproof.txt).

Step 2—Authenticate Users

After the trust relationship has been established, it is time to implement user authentication. This section discusses the details of Web-based and smart-client authentication of users to Microsoft services.

Note:

The Microsoft Federation Gateway uses the WS-Federation: Passive Requestor Profile specification for Web sign-in and sign-out, and uses extensions to the Web Services Trust Language (WS-Trust) specification for smart-client sign-in. It also uses WS-* specifications on which the first two depend, such as WS-Security, WS-SecureConversation, and WS-Policy. The relevant details are discussed in this document. For more information about the WS-* specifications that relate to the Microsoft Federation Gateway, see the "References" section at the end of this document.

Web Browser Sign-in

Figure 11 shows the sequence of messages sent between parties during Web browser-based sign-in. In this example, a federated user accesses a Microsoft service.

Figure 11 Web sign-in message sequence

The following steps explain the sequence of events in Figure 11:

1. A user tries to access a resource that requires authentication—a Microsoft service such as CRM Online.
   
2. The resource redirects the browser to its identity provider, which is always the Microsoft Federation Gateway service.
   
3. The browser requests a sign-in token from the Microsoft Federation Gateway.
   3.1 The Microsoft Federation Gateway determines which partner owns the user account—that is, whether the user is a federated user or a Microsoft Federation Gateway user. This process is called realm discovery.
   
4. If the user is a federated user, as in this example, the Microsoft Federation Gateway sends the user back to his or her identity provider (the federated partner).
   
5. The browser goes to the federated partner’s security token service (STS) at the Web sign-in URL mentioned earlier, in the section titled, "Information That Partners Provide to the Microsoft Federation Gateway." Again, in this example, the user's account is managed by the federated partner.
   
   HTTP Message Format
   
   GET [[Partner_WebLoginURL]]?wa=wsignin1.0&wtrealm=uri:WindowsLiveID&wctx=[[WLID_Custom_Value]] HTTP/1.1

   
   Values for HTTP Message
   

   Value	Description
   Partner_WebLoginURL	Same URL as WEB_SIGNIN_URL, provided to the Microsoft Federation Gateway in the section titled, "Information That Partners Provide to the Microsoft Federation Gateway."

   
   Query-string Parameter Semantics
   

   Parameter	Description
   wa=wsignin1.0	Indicates that the request is for sign-in.
   wtrealm=uri:WindowsLiveID	Indicates that the token is requested by the Microsoft Federation Gateway. This URI is the same as the IssuerNamesOffered in the Microsoft Federation Gateway metadata document (described previously in the section titled, ‘Information That the Microsoft Federation Gateway Provides to Federated Partners").
   Wctx	This value must be returned with the authentication token that is issued in step 6. Typically the wctx parameter contains information relevant to the resource that the user is trying to access (for example, a site-specific identifier such as "id=2000").

   
   5.1 The federated partner authenticates the user. The partner could present a user interface (UI) to collect authentication credentials from the user (for example, user name and password) or skip the UI if the user is already authenticated at the federated partner.
   
6. The federated partner returns the authentication token to the user's browser and redirects to the Microsoft Federation Gateway Web sign-in URL.
   
   HTTP Message Format
   
   HTTP/1.1 200 OK ... 
   <html xmlns="https://www.w3.org/1999/xhtml"> <head> <title>Working...</title> </head> <body> <form method="post" action="[[WLID_WebLoginURL]]"> 
   <p> <input type="hidden" name="wa" value="wsignin1.0" /> <input type="hidden" name="wctx" value="[[RESOURCE]]" /> <input type="hidden" name="wresult" value="[[AUTH_Token]]" /> 
   <button type="submit">POST</button> <!-- included for requestors that do not support javascript --> </p> </form> <script type="text/javascript"> setTimeout('document.forms[0].submit()', 0); </script> </body> </html>

   
   Values for HTTP Message
   

   Value	Description
   WLID_WebLoginURL	The PassiveRequestorEndpoints value retrieved from the Microsoft Federation Gateway metadata document (discussed previously in the section titled, ‘Information That the Microsoft Federation Gateway Provides to Federated Partners").
   RESOURCE	Value included in the wctx query string parameter in the sign-in request (step 5 in this procedure).
   AUTH_Token	The SAML 1.1 token representing that the user is authenticated at the partner. The token template and placeholder values are detailed in the Appendix at the end of the document.

7. The browser posts the token received from the federated partner's IP/STS to the Web sign-in URL of the Microsoft Federation Gateway service.
   
8. The Microsoft Federation Gateway returns an authentication token for the requested Microsoft service (in this case, CRM Online) to the user's browser.
   
9. The user’s browser sends the authentication token to the requested Microsoft service (again, CRM Online).
   
10. The service that was originally requested in step 1 returns the requested result to the user's browser. In this example, CRM Online returns the user's CRM information to the user’s browser.
    

The arrows on the right side of Figure 11 indicate action pairs (for example, requesting access to a space and receiving access to the space). Thus some of the intervening steps can be skipped in certain scenarios—for example, if the user is already authenticated.

Note:
Users may be interrupted for "Terms Of Use" acceptance the first time they visit a service that requires it. Partners who want to suppress this interruption should contact Microsoft at wlidextr@microsoft.com.

Web Browser Sign-out

There are two browser-based sign-out scenarios:

• The user signs out at the Microsoft Federation Gateway service
  
• The user signs out at the federated partner’s site
  

User Signs Out at the Microsoft Federation Gateway Service

A Web-browser sign-out involves 1) deleting any browser cookies that contain authentication information from the user’s computer, and 2) sending a sign-out request to the Microsoft Federation Gateway so that the user can be signed out from all the Microsoft services to which he or she was signed in. Optionally, the federated partner can request that the user be redirected to a specific URL.

In the following example, a user clicks Sign out on the Microsoft service page.

Figure 12 Web sign-out message sequence

The following steps explain the sequence of events in Figure 12:

1. The user clicks Sign out on a Microsoft service page.
   
2. Spaces redirects to its IP/STS, which is the Microsoft Federation Gateway service.
   
3. The Microsoft Federation Gateway performs some initial cleanup.
   
4. The Microsoft Federation Gateway redirects to the sign-out routine on the federated partner’s IP/STS.
   
   HTTP Message Format
   
   GET [[Partner_WebLogoutURL]]?wa=wsignout1.0&wreply=[[ReturnURL]]&lc=[[LC_Code]] HTTP/1.1

   
   Values for HTTP Message
   

   Value	Description
   Partner_WebLogoutURL	Same URL as WEB_SIGNOUT_URL, provided to the Microsoft Federation Gateway in the section titled, "Information That Partners Provide to the Microsoft Federation Gateway."
   ReturnURL	The URL to which to return after sign-out.

   
   Query-string Parameter Semantics
   

   Parameter	Description
   wa="wsignout1.0"	Indicates that the request is for sign-out.
   wreply	Optional. Specifies the URL to return to after sign-out is complete. The federated partner should send this as the wreply parameter (if feasible) to the Microsoft Federation Gateway along with the sign-out cleanup request.

5. The federated partner begins its sign-out routine by deleting any cookies for its own sign-in site.
   
6. The federated partner sequentially redirects the user's browser to the sign-out routine at the Microsoft Federation Gateway service.
   
   HTTP message format
   
   GET [[WLID_WebLogoutURL]]?wa=wsignoutcleanup1.0&wreply=[[RETURN_URL]] HTTP/1.1

   
   Values for HTTP Message
   

   Value	Description
   WLID_WebLogoutURL	The PassiveRequestorEndpoints value retrieved from the Microsoft Federation Gateway metadata document (discussed previously in the section titled, ‘Information That the Microsoft Federation Gateway Provides to Federated Partners").
   RETURN_URL	Optional. The URL to which the Microsoft Federation Gateway should redirect after it has completed its sign-out routine.

   
   Notes
   
   • If the federated partner is displaying the Microsoft Federation Gateway sign-out routine in an IFRAME element (for example, in an AD FS implementation), the partner should not specify a return URL in the message in step 6 (contrary to what is shown in as is shown in the HTTP message example).
     
   • If the federated partner has redirected the entire page to the Microsoft Federation Gateway sign-out routine, the partner can specify a return URL to which the Microsoft Federation Gateway will redirect (by using the wreply parameter of the message in step 6) after completing the Microsoft Federation Gateway sign-out routine.
     However, we do not recommend this practice because there could be rare cases when the Microsoft Federation Gateway has a "nested federation" with a third-party resource provider in which it will only show the results of the partner’s sign-out in an IFRAME and cannot redirect.
     This behavior can occur because Microsoft Federation Gateway has no way of determining whether the partner’s sign-out succeeded; it must simply display the IFRAME and cannot redirect to the federated partner's site. If there is a failure (which would occur only very rarely), the Microsoft Federation Gateway displays error information on the page and does not redirect to the return URL specified by the partner.
     
   
   Query-string Parameter Semantics
   

   Parameter	Description
   wa=wsignoutcleanup1.0	Indicates that the request is for "sign-out cleanup."
   Wreply	Optional. Specifies the URL to which to return after clean-up (sign-out) is complete. If this parameter is specified, the requestor is redirected to the URL after clean-up. If this parameter is not specified, after clean-up the GET request finishes by returning any realm-specific data (such as a string indicating that clean-up is complete for the realm).

   Note:

   For simplicity in this example, the federated partner (identity provider) redirects to only one service (the Microsoft Federation Gateway). However, the federated partner could have signed the user in to other partner services in addition to the Microsoft Federation Gateway and would then redirect to those partners in turn for sign-out. For additional information, see the WS-Federation: Passive Requestor Profile specification.

7. The Microsoft Federation Gateway completes its sign-out routine, deleting any cookies for the user.
   
8. The Microsoft Federation Gateway sends a “clean-up complete” message to the user's browser.
   

User Signs Out at Federated Partner’s site

A user could initiate sign-out at the federated partner’s site. In such scenarios, steps 5 through 8 in the preceding process must be followed to sign the user out of Microsoft services.

Smart Client Sign-in

Figure 13 shows the sequence of messages between parties in a federated sign-in for a smart-client application. In this example, a federated user accesses a Windows Live service (Messenger) on a smart client.

Figure 13 Smart client sign-in message sequence

The following steps explain the sequence of events in Figure 13:

1. The Windows Live Messenger client (the client application in this example) sends the user name to the Microsoft Federation Gateway IP/STS to determine the user's realm.
   
2. The Microsoft Federation Gateway IP/STS returns realm information for the federated partner.
   
3. Windows Live Messenger sends sign-in credentials (user name and password) in a request to the federated partner’s IP/STS.
   
   Federated IP/STS Token Request (RST) Format
   The request contains the user name and password. (Information placeholders in this code example appear in bold type; for descriptions of the data they represent, see the table that follows the example.)
   
   <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
     <s:Header>
       <wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
       <wsa:To s:mustUnderstand="1">[[WINLIVE_TokenReceiver]]</wsa:To>
       <wsa:MessageID>[[MESSAGE_ID]]</wsa:MessageID>
       <wsse:Security>
         <wsse:UsernameToken wsu:Id="user">
           <wsse:Username>[[USERNAME_STRING]]</wsse:Username>
           <wsse:Password>[[PASSWORD_STRING]]</wsse:Password>
         </wsse:UsernameToken>
         <wsu:Timestamp Id="Timestamp">
           <wsu:Created>[[ISSUE_INSTANT]]</wsu:Created>
           <wsu:Expires>[[EXPIRE_INSTANT]]</wsu:Expires>
         </wsu:Timestamp>
       </wsse:Security>
     </s:Header>
     <s:Body>
       <wst:RequestSecurityToken Id="RST_0”>
         <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
         <wsp:AppliesTo>
           <wsa:EndpointReference>
             <wsa:Address>[[WINLIVE_TokenReceiver]]</wsa:Address>
           </wsa:EndpointReference>
         </wsp:AppliesTo>
       </wst:RequestSecurityToken>
     </s:Body>
   </s:Envelope>

   
   Values Passed in the Request (RST)
   

   Value	Description
   WINLIVE_TokenReceiver	The Microsoft Federation Gateway endpoint (STS) that requires the authentication token. This will be set to the TokenIssuerEndpoints value in the Microsoft Federation Gateway federation metadata document (discussed previously in the section titled, ‘Information That the Microsoft Federation Gateway Provides to Federated Partners").
   MESSAGE_ID	The ID of the request. If this value is provided, it should also be included in the response to correlate the response to the request.
   USERNAME_STRING	The user name provided by the user.
   PASSWORD_STRING	The password provided by the user.
   ISSUE_INSTANT	A time stamp indicating the date and time that the request (RST) was generated. The time stamp is in yyyy-mm-ddThh:mm:ss.mmmZ format.
   EXPIRE_INSTANT	A time stamp indicating the date and time that the request (RST) expires. The time stamp is in yyyy-mm-ddThh:mm:ss.mmmZ format. The partner should not process expired requests.

4. The federated partner’s IP/STS returns the federated sign-in token.
   
   Federated IP/STS Token Response (RSTR) Template
   The response contains the SAML IP/STS token. (Information placeholders in this code example appear in bold type; for descriptions of the data they represent, see the table that follows the example.)
   
   <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
     <s:Header>
       <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</a:Action>
       <a:RelatesTo>[[REQUEST_ID]]</a:RelatesTo>
       <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <u:Timestamp u:Id="_0">
           <u:Created>[[RESPONSE_ISSUE_INSTANT]]</u:Created>
           <u:Expires>[[RESPONSE_EXPIRE_INSTANT]]</u:Expires>
         </u:Timestamp>
       </o:Security>
     </s:Header>
     <s:Body>
       <wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
         <wst:TokenType>urn:oasis:names:tc:SAML:1.0</wst:TokenType>
   
         <wst:RequestedSecurityToken>
         [[AUTH_Token]]
         </wst:RequestedSecurityToken>
   
         <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
           <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
             <Address>[[WINLIVE_TokenReceiver]]</Address>
           </EndpointReference>
         </wsp:AppliesTo>
         <wst:Lifetime>
           <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">[[RSTR_ISSUE_INSTANT]]</wsu:Created>
           <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">[[RSTR_EXPIRE_INSTANT]]</wsu:Expires>
         </wst:Lifetime>
       </wst:RequestSecurityTokenResponse>
     </s:Body>
   </s:Envelope>

   
   Values passed in the Response (RSTR)
   

   Variable	Description
   REQUEST_ID	The request ID to which this response corresponds. This ID will be provided if the wsa:MessageID tag was provided in the request detailed in step 3 of this procedure. The value will be set to value of MESSAGE_ID described in step 3.
   RESPONSE_ISSUE_INSTANT	A time stamp indicating the date and time that the response was generated. The time stamp is in yyyy-mm-ddThh:mm:ss.mmmZ format.
   RESPONSE_EXPIRE_INSTANT	A time stamp indicating the date and time that the response expires. The time stamp is in yyyy-mm-ddThh:mm:ss.mmmZ format. Clients should not process expired responses.
   AUTH_Token	The SAML token representing that the user is authenticated at the federated partner. The token template and the values it contains are detailed in the Appendix at the end of this document.
   WINLIVE_TokenReceiver	The Microsoft Federation Gateway endpoint (STS) to which the authentication token is to be sent. The value will be set to the value of WINLIVE_TokenReceiver in the request described in step 3 of this procedure.
   RSTR_ISSUE_INSTANT	A time stamp indicating the date and time when the security token was generated. The time stamp is in yyyy-mm-ddThh:mm:ss.mmmZ format.
   RSTR_EXPIRE_INSTANT	A time stamp indicating the date and time when the security token expires. The time stamp is in yyyy-mm-ddThh:mm:ss.mmmZ format. Clients must not process tokens that are expired. Also, clients can reuse the token (and not send an authentication request to the federated partner) for future authentications until the expiration time is reached.

   
   Federated IP/STS Token Response (RSTR) Template Reporting Error
   The following is an example of a response returned in the case of an error due to an invalid user name or password.
   
   <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
     <s:Header>
       <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
       <a:RelatesTo>>[[REQUEST_ID]]</a:RelatesTo>
     </s:Header>
     <s:Body>
       <s:Fault>
         <s:Code>
           <s:Value>s:Sender</s:Value>
           <s:Subcode>
             <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurityToken</s:Value>
           </s:Subcode>
         </s:Code>
         <s:Reason>
           <s:Text xml:lang="en-US">An error occurred when processing the security tokens in the message.</s:Text>
         </s:Reason>
       </s:Fault>
     </s:Body>
   </s:Envelope>

   
   Value Passed in the Response (RSTR)
   

   Value	Description
   REQUEST_ID	The request ID to which this response corresponds. This ID will be provided if the wsa:MessageID tag was provided in the request detailed in step 3 of this procedure. The value will be set to value of MESSAGE_ID described in step 3.

5. Windows Live Messenger sends the federated sign-in token to the Microsoft Federation Gateway IP/STS.
   
6. The Microsoft Federation Gateway IP/STS returns the Windows Live Messenger sign-in token.
   
7. The Windows Live Messenger client sends the Messenger sign-in token to the Messenger service.
   
8. The Messenger service grants access to the service and returns user content as requested.
   

Note:
Users may be interrupted for "Terms Of Use" acceptance the first time they visit a service that requires it. Partners who want to suppress this interruption should contact the Microsoft at wlidextr@microsoft.com.

Smart Client Sign-out

A smart client can store authentication information in some type of cache (similar to the way in which a Web browser uses cookies to store such information). The smart client can then clear this cached authentication information when a user signs out from within the smart-client application. No communication is therefore required between a smart-client application and the federated partner IP/STS, the Microsoft Federation Gateway IP/STS, or the actual service itself to sign a user out of a smart-client application.

 Section 3—User Identity and Profile Management

In addition to sign-in and sign-out, several other common scenarios occur in a federated-identity relationship. Actions relating to the following scenarios can be accomplished by means of information passed to the Microsoft Federation Gateway in an authentication token:

• Identity creation
  
• User name change
  
• Profile updates
  
• Account conversion