Configure WS-Federation provider settings for portals

A single Active Directory Federation Services (AD FS) server, or another WS-Federation–compliant security token service, can be added as an identity provider. In addition, a single Azure ACS namespace can be configured as a set of individual identity providers. The settings for both AD FS and ACS are based on the properties of the WsFederationAuthenticationOptions class.

Create an AD FS relying party trust

Using the AD FS Management tool, select Trust Relationships > Relying Party Trusts.

  1. Click Add Relying Party Trust.
  2. Welcome: Click Start.
  3. Select Data Source: Select Enter data about the relying party manually, click Next.
  4. Specify Display Name: Enter a name, click Next. Example: https://portal.contoso.com/
  5. Choose Profile: Select AD FS 2.0 profile, click Next.
  6. Configure Certificate: Click Next.
  7. Configure URL: Check Enable support for the WS-Federation Passive protocol.
     Relying party WS-Federation Passive protocol URL: Enter https://portal.contoso.com/signin-federation
  8. Configure Identities: Specify https://portal.contoso.com/, click Add, click Next. If applicable, more identities can be added for each additional relying party portal. Users will be able to authenticate across any or all of the available identities.
  9. Choose Issuance Authorization Rules: Select Permit all users to access this relying party, click Next.
  10. Ready to Add Trust: Click Next.
  11. Click Close.

Add the Name ID claim to the relying party trust:

Transform Windows account name to Name ID claim (Transform an Incoming Claim):

Create AD FS site settings

Apply portal site settings referencing the above AD FS Relying Party Trust.

Note

A standard AD FS (STS) configuration only uses the following settings (with example values):

The WS-Federation metadata can be retrieved in PowerShell by running the following script on the AD FS server:

    Import-Module adfs
    Get-ADFSEndpoint -AddressPath /FederationMetadata/2007-06/FederationMetadata.xml

Site setting names and descriptions:

Authentication/Registration/ExternalLoginEnabled
    Enables or disables external account sign-in and registration. Default: true
Authentication/WsFederation/ADFS/MetadataAddress
    Required. The WS-Federation metadata URL of the AD FS (STS) server, commonly ending with the path /FederationMetadata/2007-06/FederationMetadata.xml. Example: https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
Authentication/WsFederation/ADFS/AuthenticationType
    Required. The OWIN authentication middleware type. Specify the value of the entityID attribute at the root of the federation metadata XML. Example: http://adfs.contoso.com/adfs/services/trust
Authentication/WsFederation/ADFS/Wtrealm
    Required. The AD FS relying party identifier. Example: https://portal.contoso.com/
Authentication/WsFederation/ADFS/Wreply
    Required. The AD FS WS-Federation passive endpoint. Example: https://portal.contoso.com/signin-federation
Authentication/WsFederation/ADFS/Caption
    Recommended. The text displayed for this provider on the sign-in user interface. Default: ADFS
Authentication/WsFederation/ADFS/CallbackPath
    An optional constrained path on which to process the authentication callback.
Authentication/WsFederation/ADFS/SignOutWreply
    The 'wreply' value used during sign-out.
Authentication/WsFederation/ADFS/BackchannelTimeout
    Timeout value for back channel communications. Example: 00:05:00 (5 mins)
Authentication/WsFederation/ADFS/RefreshOnIssuerKeyNotFound
    Determines if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException.
Authentication/WsFederation/ADFS/UseTokenLifetime
    Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token.
Authentication/WsFederation/ADFS/AuthenticationMode
    The OWIN authentication middleware mode.
Authentication/WsFederation/ADFS/SignInAsAuthenticationType
    The AuthenticationType used when creating the System.Security.Claims.ClaimsIdentity.
Authentication/WsFederation/ADFS/ValidAudiences
    Comma-separated list of audience URLs.
Authentication/WsFederation/ADFS/ValidIssuers
    Comma-separated list of issuer URLs.
Authentication/WsFederation/ADFS/ClockSkew
    The clock skew to apply when validating times.
Authentication/WsFederation/ADFS/NameClaimType
    The claim type used by the ClaimsIdentity to store the name claim.
Authentication/WsFederation/ADFS/RoleClaimType
    The claim type used by the ClaimsIdentity to store the role claim.
Authentication/WsFederation/ADFS/RequireExpirationTime
    A value indicating whether tokens must have an 'expiration' value.
Authentication/WsFederation/ADFS/RequireSignedTokens
    A value indicating whether a System.IdentityModel.Tokens.SecurityToken can be valid if not signed.
Authentication/WsFederation/ADFS/SaveSigninToken
    A Boolean to control if the original token is saved when a session is created.
Authentication/WsFederation/ADFS/ValidateActor
    A value indicating whether the System.IdentityModel.Tokens.JwtSecurityToken.Actor should be validated.
Authentication/WsFederation/ADFS/ValidateAudience
    A Boolean to control if the audience will be validated during token validation.
Authentication/WsFederation/ADFS/ValidateIssuer
    A Boolean to control if the issuer will be validated during token validation.
Authentication/WsFederation/ADFS/ValidateLifetime
    A Boolean to control if the lifetime will be validated during token validation.
Authentication/WsFederation/ADFS/ValidateIssuerSigningKey
    A Boolean that controls if validation of the System.IdentityModel.Tokens.SecurityKey that signed the security token is called.
Authentication/WsFederation/ADFS/Whr
    Specifies a "whr" parameter in the identity provider redirect URL.
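To see what the validation settings in the table above control, here is an added Python model (written for this page; it is not the portal's code nor the OWIN WS-Federation middleware's) of how ValidateIssuer/ValidIssuers, ValidateAudience/ValidAudiences, ValidateLifetime/ClockSkew, RequireExpirationTime and RequireSignedTokens combine when an incoming token is checked. The Token class, the sample setting values, the constructed tokens and the choice to treat an absent Boolean setting as true are assumptions made for the example; the middleware's own defaults are not stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Sample site settings (constructed for this example; the names are those in the table above).
ADFS_SETTINGS = {
    "Authentication/WsFederation/ADFS/ValidIssuers": "http://adfs.contoso.com/adfs/services/trust",
    "Authentication/WsFederation/ADFS/ValidAudiences": "https://portal.contoso.com/",
    "Authentication/WsFederation/ADFS/ValidateIssuer": "true",
    "Authentication/WsFederation/ADFS/ValidateAudience": "true",
    "Authentication/WsFederation/ADFS/ValidateLifetime": "true",
    "Authentication/WsFederation/ADFS/RequireExpirationTime": "true",
    "Authentication/WsFederation/ADFS/RequireSignedTokens": "true",
    "Authentication/WsFederation/ADFS/ClockSkew": "00:05:00",
}

# Weak variant: audience validation switched off, so a token the same STS issued for a
# different relying party would be accepted by this portal.
WEAK_SETTINGS = {**ADFS_SETTINGS, "Authentication/WsFederation/ADFS/ValidateAudience": "false"}


@dataclass
class Token:
    """Minimal model of the token fields the settings refer to (hypothetical, not a real token type)."""
    issuer: str
    audiences: List[str]
    not_before: Optional[datetime]
    expires: Optional[datetime]
    signed: bool = True


def parse_timespan(value: str) -> timedelta:
    """Parse the hh:mm:ss form the page uses for ClockSkew and BackchannelTimeout."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def validate_token(token: Token, settings: dict, now: datetime, provider: str = "ADFS") -> List[str]:
    """Return the list of validation failures; an empty list means the token is accepted."""
    prefix = f"Authentication/WsFederation/{provider}/"

    def flag(name: str) -> bool:
        # Assumption for this model: an absent Boolean setting counts as true (the strict direction).
        return settings.get(prefix + name, "true").strip().lower() == "true"

    def csv(name: str) -> List[str]:
        return [v.strip() for v in settings.get(prefix + name, "").split(",") if v.strip()]

    # An absent ClockSkew means no tolerance in this model.
    skew = parse_timespan(settings.get(prefix + "ClockSkew", "00:00:00"))
    failures: List[str] = []

    if flag("RequireSignedTokens") and not token.signed:
        failures.append("RequireSignedTokens: token is not signed")
    if flag("ValidateIssuer") and token.issuer not in csv("ValidIssuers"):
        failures.append(f"ValidateIssuer: issuer {token.issuer!r} is not in ValidIssuers")
    if flag("ValidateAudience") and not set(token.audiences) & set(csv("ValidAudiences")):
        failures.append(f"ValidateAudience: audiences {token.audiences!r} not in ValidAudiences")
    if flag("RequireExpirationTime") and token.expires is None:
        failures.append("RequireExpirationTime: token carries no expiration")
    if flag("ValidateLifetime"):
        # ClockSkew widens the acceptance window on both ends.
        if token.not_before is not None and now + skew < token.not_before:
            failures.append("ValidateLifetime: token is not yet valid")
        if token.expires is not None and now - skew >= token.expires:
            failures.append("ValidateLifetime: token has expired")
    return failures


# Constructed sample moment and tokens.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GOOD = Token("http://adfs.contoso.com/adfs/services/trust", ["https://portal.contoso.com/"],
             NOW - timedelta(minutes=1), NOW + timedelta(hours=1))
OTHER_AUDIENCE = Token(GOOD.issuer, ["https://other.contoso.com/"], GOOD.not_before, GOOD.expires)
STALE = Token(GOOD.issuer, GOOD.audiences, NOW - timedelta(hours=1), NOW - timedelta(minutes=2))

if __name__ == "__main__":
    for label, tok, cfg in [("good", GOOD, ADFS_SETTINGS),
                            ("other audience, strict", OTHER_AUDIENCE, ADFS_SETTINGS),
                            ("other audience, weak", OTHER_AUDIENCE, WEAK_SETTINGS),
                            ("stale by 2 min, 5 min skew", STALE, ADFS_SETTINGS)]:
        print(f"{label}: {validate_token(tok, cfg, NOW) or 'accepted'}")
```

The point the weak variant makes is that ValidAudiences is only consulted while ValidateAudience is true; keeping both ValidateAudience and ValidateIssuer on, with ValidAudiences set to the Wtrealm and ValidIssuers set to the entityID, ties accepted tokens to this portal and this STS. The stale token shows ClockSkew in action: two minutes past expiry is still inside a five-minute skew window.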

WS-Federation settings for Azure Active Directory

The previous section describing AD FS can also be applied to Azure Active Directory (Azure AD), because Azure AD behaves like a standard WS-Federation–compliant security token service. To get started, sign in to the Azure Management Portal and create a directory or select an existing one. When a directory is available, follow the instructions below to add an application to the directory.

  1. Under the Applications menu of the directory, click the Add button.
  2. Choose Add an application my organization is developing.
  3. Specify a custom name for the application and choose the type web application and/or web API.
  4. For the Sign-On URL and the App ID URI, specify the URL of the portal for both fields: https://portal.contoso.com/
    • This corresponds to the Wtrealm site setting value.
  5. At this point, a new application is created. Navigate to the Configure section in the menu. Under the single sign-on section, update the first Reply URL entry to include a path in the URL: http://portal.contoso.com/signin-azure-ad
    • This corresponds to the Wreply site setting value.
  6. Click Save in the footer.
  7. In the footer menu, click the View Endpoints button and note the Federation Metadata Document field.
    • This corresponds to the MetadataAddress site setting value.
  8. Paste this URL in a browser window to view the federation metadata XML and note the entityID attribute of the root element.
    • This corresponds to the AuthenticationType site setting value.
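Both the AD FS steps and the Azure AD steps above end with the same manual task: open the federation metadata document, read the entityID of the root element into AuthenticationType, and pair it with the MetadataAddress, Wtrealm and Wreply values. The following Python is an added example for this page (not the portal product's code nor Microsoft's) that scripts that task: it parses a federation metadata document, derives the site-setting values, and flags the mismatches a reviewer would want to catch. The sample XML is constructed here in the shape AD FS publishes (with a placeholder in place of a certificate), and the function names and the ADFS provider name used as the default setting prefix are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Namespaces used in WS-Federation metadata (SAML metadata root, WS-Fed role, WS-Addressing, XML-DSig).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample with the shape of an AD FS FederationMetadata.xml, trimmed to the parts
# used below. The certificate body is a placeholder, not a real certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.contoso.com/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://adfs.contoso.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""

ADFS_METADATA_ADDRESS = "https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"


@dataclass
class FederationMetadata:
    entity_id: str                  # becomes the AuthenticationType site setting
    passive_endpoint: Optional[str]  # where the portal redirects users to sign in
    signing_certs: List[str]         # base64 certificates the STS signs tokens with


def parse_federation_metadata(xml_text: str) -> FederationMetadata:
    """Extract the values the portal settings depend on from a metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor document")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("root element has no entityID attribute")
    address = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    certs = [c.text.strip()
             for c in root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
             if c.text]
    endpoint = address.text.strip() if address is not None and address.text else None
    return FederationMetadata(entity_id, endpoint, certs)


def derive_site_settings(xml_text: str, metadata_address: str, wtrealm: str, wreply: str,
                         provider: str = "ADFS") -> dict:
    """Build the site-setting values the page describes from the metadata plus the portal URLs."""
    md = parse_federation_metadata(xml_text)
    prefix = f"Authentication/WsFederation/{provider}/"
    return {
        prefix + "MetadataAddress": metadata_address,
        prefix + "AuthenticationType": md.entity_id,  # entityID of the metadata root
        prefix + "Wtrealm": wtrealm,
        prefix + "Wreply": wreply,
        prefix + "ValidIssuers": md.entity_id,        # accept tokens only from this STS
        prefix + "ValidAudiences": wtrealm,           # and only those issued for this portal
    }


def check_settings(settings: dict, metadata: FederationMetadata, provider: str = "ADFS") -> List[str]:
    """Return review findings for a derived settings set; an empty list means nothing to flag."""
    prefix = f"Authentication/WsFederation/{provider}/"
    findings = []
    for name in ("MetadataAddress", "Wtrealm", "Wreply"):
        if urlparse(settings[prefix + name]).scheme != "https":
            findings.append(f"{name} is not an https URL: {settings[prefix + name]}")
    if urlparse(settings[prefix + "Wreply"]).netloc != urlparse(settings[prefix + "Wtrealm"]).netloc:
        findings.append("Wreply host does not match the Wtrealm host")
    if settings[prefix + "AuthenticationType"] != metadata.entity_id:
        findings.append("AuthenticationType does not match the metadata entityID")
    if not metadata.signing_certs:
        findings.append("metadata publishes no signing certificate; signed-token validation cannot work")
    return findings


if __name__ == "__main__":
    md = parse_federation_metadata(SAMPLE_METADATA)
    settings = derive_site_settings(SAMPLE_METADATA, ADFS_METADATA_ADDRESS,
                                    "https://portal.contoso.com/", "https://portal.contoso.com/signin-federation")
    for key, value in settings.items():
        print(f"{key} = {value}")
    print("findings:", check_settings(settings, md) or "none")
```

Run against the example values on this page, the AD FS set produces no findings. Feeding it the Azure AD reply URL as written above (http://portal.contoso.com/signin-azure-ad) produces a finding on the scheme, which is the kind of detail worth confirming before the setting goes live, since the reply URL is where the signed token is posted back.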

Note

A standard Azure AD configuration only uses the following settings (with example values):

Configure Facebook app authentication

Apply the configuration described in the topic Facebook App (Page Tab) authentication for portals.

See also

Configure Dynamics 365 portal authentication
Set authentication identity for a portal
OAuth2 provider settings for portals
Open ID Connect provider settings for portals
SAML 2.0 provider settings for portals
Facebook App (Page Tab) authentication for portals