Configure WS-Federation provider settings for portals

A single Active Directory Federation Services server can be added (or another WS-Federation–compliant security token service) as an identity provider. In addition, a single Azure ACS namespace can be configured as a set of individual identity providers. The settings for both AD FS and ACS are based on the properties of the WsFederationAuthenticationOptions class.

Create an AD FS relying party trust

Using the AD FS Management tool, go to Trust Relationships > Relying Party Trusts.

  1. Select Add Relying Party Trust.
  2. Welcome: Select Start.
  3. Select Data Source: Select Enter data about the relying party manually, and then select Next.
  4. Specify Display Name: Enter a name, and then select Next. Example:
  5. Choose Profile: Select AD FS 2.0 profile, and then select Next.
  6. Configure Certificate: Select Next.
  7. Configure URL: Select the Enable support for the WS-Federation Passive protocol check box.

Relying party WS-Federation Passive protocol URL: Enter

  1. Configure Identities: Specify, select Add, and then select Next. If applicable, more identities can be added for each additional relying party portal. Users will be able to authenticate across any or all of the available identities.
  2. Choose Issuance Authorization Rules: Select Permit all users to access this relying party, and then select Next.
  3. Ready to Add Trust: Select Next.
  4. Select Close.

Add the Name ID claim to the relying party trust:

Transform Windows account name to Name ID claim (Transform an Incoming Claim):

  • Incoming claim type: Windows account name
  • Outgoing claim type: Name ID
  • Outgoing name ID format: Unspecified
  • Pass through all claim values

Create AD FS site settings

Apply portal site settings referencing the above AD FS Relying Party Trust.


A standard AD FS (STS) configuration only uses the following settings (with example values):

The WS-Federation metadata can be retrieved in PowerShell by running the following script on the AD FS server:

Import-Module adfs
Get-ADFSEndpoint -AddressPath /FederationMetadata/2007-06/FederationMetadata.xml
Site Setting Name Description
Authentication/Registration/ExternalLoginEnabled Enables or disables external account sign-in and registration. Default: true
Authentication/WsFederation/ADFS/MetadataAddress Required. The WS-Federation metadata URL of the AD FS (STS) server. Commonly ending with the path:/FederationMetadata/2007-06/FederationMetadata.xml . Example: For more information: WsFederationAuthenticationOptions.MetadataAddress.
Authentication/WsFederation/ADFS/AuthenticationType Required. The OWIN authentication middleware type. Specify the value of the entityID attribute at the root of the federation metadata XML. Example: For more information: AuthenticationOptions.AuthenticationType.
Authentication/WsFederation/ADFS/Wtrealm Required. The AD FS relying party identifier. Example: For more information: WsFederationAuthenticationOptions.Wtrealm.
Authentication/WsFederation/ADFS/Wreply Required. The AD FS WS-Federation passive endpoint. Example: For more information: WsFederationAuthenticationOptions.Wreply.
Authentication/WsFederation/ADFS/Caption Recommended. The text that the user can display on a sign in user interface. Default: ADFS. For more information: WsFederationAuthenticationOptions.Caption.
Authentication/WsFederation/ADFS/CallbackPath An optional constrained path on which to process the authentication callback. For more information: WsFederationAuthenticationOptions.CallbackPath.
Authentication/WsFederation/ADFS/SignOutWreply The 'wreply' value used during sign-out. For more information: WsFederationAuthenticationOptions.SignOutWreply.
Authentication/WsFederation/ADFS/BackchannelTimeout Timeout value for back channel communications. Example: 00:05:00 (5 mins). For more information: WsFederationAuthenticationOptions.BackchannelTimeout.
Authentication/WsFederation/ADFS/RefreshOnIssuerKeyNotFound Determines if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. For more information: WsFederationAuthenticationOptions.RefreshOnIssuerKeyNotFound.
Authentication/WsFederation/ADFS/UseTokenLifetime Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token. WsFederationAuthenticationOptions.UseTokenLifetime.
Authentication/WsFederation/ADFS/AuthenticationMode The OWIN authentication middleware mode. For more information: AuthenticationOptions.AuthenticationMode.
Authentication/WsFederation/ADFS/SignInAsAuthenticationType The AuthenticationType used when creating the System.Security.Claims.ClaimsIdentity. For more information: WsFederationAuthenticationOptions.SignInAsAuthenticationType.
Authentication/WsFederation/ADFS/ValidAudiences Comma separated list of audience URLs. For more information: TokenValidationParameters.AllowedAudiences.
Authentication/WsFederation/ADFS/ValidIssuers Comma separated list of issuer URLs. For more information: TokenValidationParameters.ValidIssuers.
Authentication/WsFederation/ADFS/ClockSkew The clock skew to apply when validating times.
Authentication/WsFederation/ADFS/NameClaimType The claim type used by the ClaimsIdentity to store the name claim.
Authentication/WsFederation/ADFS/RoleClaimType The claim type used by the ClaimsIdentity to store the role claim.
Authentication/WsFederation/ADFS/RequireExpirationTime A value indicating whether tokens must have an 'expiration' value.
Authentication/WsFederation/ADFS/RequireSignedTokens A value indicating whether a System.IdentityModel.Tokens.SecurityToken xmlns= can be valid if not signed.
Authentication/WsFederation/ADFS/SaveSigninToken A Boolean to control if the original token is saved when a session is created.
Authentication/WsFederation/ADFS/ValidateActor A value indicating whether the System.IdentityModel.Tokens.JwtSecurityToken.Actor should be validated.
Authentication/WsFederation/ADFS/ValidateAudience A Boolean to control if the audience will be validated during token validation.
Authentication/WsFederation/ADFS/ValidateIssuer A Boolean to control if the issuer will be validated during token validation.
Authentication/WsFederation/ADFS/ValidateLifetime A Boolean to control if the lifetime will be validated during token validation.
Authentication/WsFederation/ADFS/ValidateIssuerSigningKey A Boolean that controls if validation of the System.IdentityModel.Tokens.SecurityKey that signed the securityToken xmlns= is called.
Authentication/WsFederation/ADFS/Whr Specifies a "whr" parameter in the identity provider redirect URL. For more information: wsFederation.

WS-Federation settings for Azure Active Directory

The previous section describing AD FS can also be applied to Azure Active Directory (Azure AD), because Azure AD behaves like a standard WS-Federation compliant security token service. To get started sign into the Azure Management Portal and create or select an existing directory. When a directory is available follow the instructions to add an application to the directory.

  1. Under the Applications menu of the directory, select Add.

  2. Choose Add an application my organization is developing.

  3. Specify a custom name for the application, and then choose the type web application and/or web API.

  4. For the Sign-On URL and the App ID URI, specify the URL of the portal for both fields

    • This corresponds to the Wtrealm site setting value.
  5. At this point, a new application is created. Go to the Configure section in the menu.

  6. In the single sign-on section, update the first Reply URL entry to include a path in the URL

    • This corresponds to the Wreply site setting value.
  7. Select Save in the footer.

  8. In the footer menu, select View Endpoints and note the Federation Metadata Document field.

    • This corresponds to the MetadataAddress site setting value.
    • Paste this URL in a browser window to view the federation metadata XML, and note the entityID attribute of the root element.
    • This corresponds to the AuthenticationType site setting value.


A standard Azure AD configuration only uses the following settings (with example values):

See also

Configure Dynamics 365 for Customer Engagement portal authentication
Set authentication identity for a portal
OAuth2 provider settings for portals
Open ID Connect provider settings for portals
SAML 2.0 provider settings for portals