<wsFederation>

.NET Framework (current version)
 

Provides configuration for the WSFederationAuthenticationModule (WSFAM).

<system.identityModel.services>
<federationConfiguration>
<wsFederation>

<system.identityModel.services>  
  <federationConfiguration>  
    <wsFederation authenticationType=xs:string (URI)  
        freshness=xs:decimal  
        homerealm=xs:string (URI)  
        issuer=xs:string (URI)  
        persistentCookiesOnPassiveRedirects=xs:boolean  
        passiveRedirectEnabled=xs:boolean  
        policy=xs:string (URI)  
        realm=xs:string (URI)  
        reply=xs:string (URI)  
        request=xs:string (URI)  
        requestPtr=xs:string (URI)  
        requireHttps=xs:boolean  
        resource=xs:string (URI)  
        signInQueryString=xs:string  
        signOutQueryString=xs:string  
        signOutReply=xs:string (URL)  
    </wsFederation>  
  </federationConfiguration>  
</system.identityModel.services>  

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute and description

authenticationType
    A URI that specifies the authentication type. Sets the WS-Federation sign-in request wauth parameter. Optional. The default is an empty string, which specifies that the wauth parameter is not included in the request.

freshness
    The desired maximum age of authentication requests, in minutes. Sets the WS-Federation sign-in request wfresh parameter. Optional. The default is zero. Warning: In the next release of .NET Framework 4.5, the freshness attribute will be of type xs:string and its default value will be null.

homeRealm
    The home realm of the identity provider (IP) to use for authentication. Sets the WS-Federation sign-in request whr parameter. Optional. The default is an empty string, which specifies that the whr parameter is not included in the request.

issuer
    The URI of the intended token issuer. Sets the base URL of WS-Federation sign-in requests and sign-out requests. Required.

persistentCookiesOnPassiveRedirects
    Specifies whether persistent cookies are issued on authentication. Optional. The default is “false”, which specifies that persistent cookies are not issued.

passiveRedirectEnabled
    Specifies whether the WSFAM is enabled to automatically redirect unauthorized requests to an STS. Optional. The default is “true”, which specifies that unauthorized requests are automatically redirected.

policy
    A URL that specifies the location of the relevant policy to use on sign-in requests. Sets the WS-Federation sign-in request wp parameter. Optional. The default is an empty string, which specifies that the wp parameter is not included in the request.

realm
    The URI of the requesting realm (a URI that identifies the relying party (RP) to the security token service (STS)). Sets the WS-Federation sign-in request wtrealm parameter. Required.

reply
    A URL that identifies the address at which the relying party (RP) application would like to receive replies from the security token service (STS). Sets the WS-Federation sign-in request wreply parameter. Optional. The default is an empty string, which specifies that the wreply parameter is not included in the request.

request
    The token issuance request. Sets the WS-Federation sign-in request wreq parameter. Optional. The default is an empty string, which specifies that the wreq parameter is not included in the request. Not including the wreq or the wreqptr parameter in the request implies that the STS knows what kind of token to issue.

requestPtr
    A URL that specifies the location of the token issuance request. Sets the WS-Federation sign-in request wreqptr parameter. Optional. The default is an empty string, which specifies that the wreqptr parameter is not included in the request. Not including the wreq or the wreqptr parameter in the request implies that the STS knows what kind of token to issue.

requireHttps
    Specifies whether communication with the security token service (STS) must use the HTTPS protocol. Optional. The default is “true”, which specifies that HTTPS must be used.

resource
    A URI that identifies the resource being accessed, the relying party (RP), to the security token service (STS). Sets the WS-Federation sign-in request wres parameter. Optional. The default is an empty string, which specifies that the wres parameter is not included in the request. Note: wres is a legacy parameter. Specify the realm attribute to use the wtrealm parameter instead.

signInQueryString
    Provides an extensibility point to specify application-defined query parameters in the WS-Federation sign-in request URL. Optional. The default is an empty string, which specifies that no additional parameters should be included in the request. The parameters are specified as a query string fragment of the form “param1=value1&param2=value2&param3=value3” and so on. Note: In a configuration file, the & character in the query string must be specified using its entity reference, &amp;.

signOutQueryString
    Provides an extensibility point to specify application-defined query parameters in the WS-Federation sign-out request URL. Optional. The default is an empty string, which specifies that no additional parameters should be included in the request. The parameters are specified as a query string fragment of the form “param1=value1&param2=value2&param3=value3” and so on. Note: In a configuration file, the & character in the query string must be specified using its entity reference, &amp;.

signOutReply
    Specifies the URL to which the client should be redirected by the security token service (STS) during passive sign-out through the WS-Federation protocol. Sets the wreply parameter on a WS-Federation sign-out request. Optional. The default is an empty string, which specifies that the wreply parameter is not included in the sign-out request.

Child Elements

None

Parent Elements

Element and description

<federationConfiguration>
    Contains the settings that configure the WSFederationAuthenticationModule (WSFAM) and the SessionAuthenticationModule (SAM).

You can use the <wsFederation> element to configure default WS-Federation parameter settings and default behavior for the WSFAM. WS-Federation parameter settings defined under the <wsFederation> element set equivalent properties exposed by the WSFederationAuthenticationModule class. These properties remain the same for every request issued by the WSFAM. You can change the WS-Federation parameters dynamically during request processing by adding event handlers for the events exposed by WSFAM; for example, the RedirectingToIdentityProvider event. For more information, see the documentation for the WSFederationAuthenticationModule class.

The <wsFederation> element is represented by the WSFederationElement class. The configuration object itself is represented by the System.IdentityModel.Services.Configuration.WSFederationConfiguration class. A single System.IdentityModel.Services.Configuration.WSFederationConfiguration instance is set on the FederationConfiguration object that is accessed through the FederatedAuthentication.FederationConfiguration property and provides configuration for the WSFAM.

The following XML shows a <wsFederation> element that specifies settings for the WSFAM.

Warning

In this example, the WSFAM is not required to use HTTPS, because the requireHttps attribute on the <wsFederation> element is set to false. This setting is not recommended for most production environments, as it may present a security risk.

<wsFederation passiveRedirectEnabled="true"
  issuer="http://localhost:15839/wsFederationSTS/Issue"
  realm="http://localhost:50969/"
  reply="http://localhost:50969/"
  requireHttps="false"
  signOutReply="http://localhost:50969/SignedOutPage.html"
  signOutQueryString="Param1=value2&amp;Param2=value2"
  persistentCookiesOnPassiveRedirects="true" />
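To make the attribute-to-parameter mapping above concrete, the following added Python illustration (not the .NET implementation or any code from this page) parses the example element, composes the passive sign-in redirect URL the WSFAM would issue from it, and applies the requireHttps check against the issuer. The sample element is constructed from the example above, with a signInQueryString attribute added so the &amp; escaping rule is exercised.

```python
"""Compose the WS-Federation sign-in redirect URL from a <wsFederation> element
and apply the requireHttps check. Added illustration, not the .NET code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

# Constructed sample: the page's example element, with signInQueryString added
# and its '&' written as &amp; as a configuration file requires.
SAMPLE_CONFIG = """<wsFederation passiveRedirectEnabled="true"
  issuer="http://localhost:15839/wsFederationSTS/Issue"
  realm="http://localhost:50969/"
  reply="http://localhost:50969/"
  requireHttps="false"
  signOutReply="http://localhost:50969/SignedOutPage.html"
  signInQueryString="Param1=value1&amp;Param2=value2"
  persistentCookiesOnPassiveRedirects="true" />"""

# Attribute name -> WS-Federation sign-in request parameter it sets.
PARAM_MAP = [("realm", "wtrealm"), ("reply", "wreply"), ("homeRealm", "whr"),
             ("authenticationType", "wauth"), ("freshness", "wfresh"),
             ("policy", "wp"), ("request", "wreq"), ("requestPtr", "wreqptr"),
             ("resource", "wres")]

def parse_ws_federation(xml_text):
    """Return the element's attributes; the XML parser decodes &amp; to '&'."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "wsFederation":
        raise ValueError("expected a <wsFederation> element")
    return dict(elem.attrib)

def require_https_satisfied(cfg):
    """requireHttps defaults to true; when true the issuer must be https."""
    if cfg.get("requireHttps", "true").lower() != "true":
        return True
    return urlsplit(cfg.get("issuer", "")).scheme == "https"

def build_sign_in_url(cfg, context=None):
    """Map only present, non-empty attributes (empty string = omitted)."""
    if not cfg.get("issuer") or not cfg.get("realm"):
        raise ValueError("issuer and realm are required")
    if not require_https_satisfied(cfg):
        raise ValueError("requireHttps is true but issuer is not https")
    params = [("wa", "wsignin1.0")]
    params += [(wp, cfg[a]) for a, wp in PARAM_MAP if cfg.get(a)]
    if context:
        params.append(("wctx", context))  # opaque state echoed back by the STS
    query = urlencode(params)
    if cfg.get("signInQueryString"):  # appended verbatim, as configured
        query += "&" + cfg["signInQueryString"]
    return cfg["issuer"] + ("&" if "?" in cfg["issuer"] else "?") + query
```

With the sample configuration, require_https_satisfied returns true only because requireHttps is false; setting it to true with the same http issuer makes build_sign_in_url refuse to redirect.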
  

See Also

WSFederationAuthenticationModule
FederatedAuthentication.FederationConfiguration
