Configure Web.config to Use the Claims-Aware Agent

Applies To: Windows Server 2008

You can use the following procedure to configure the web.config file that your claims-aware application uses to work with the claims-aware agent. When you complete the procedure, the claims-aware agent will be able to:

  • Locate and collaborate with the resource federation server that is required to authenticate users to the application.

  • Identify the claim application's URL that the Federation Service uses.

  • Identify the local path to the claims application on the AD FS-enabled Web server.

  • Identify the local path to use to store log files for the application.

The changes that you make to the web.config file are also used to inform the claims-aware application where to load the Active Directory Federation Services (AD FS) assemblies that are necessary to start the AD FS Web Agent Authentication Service.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

To configure the web.config to use the claims-aware agent

  1. Locate the web.config file that is used by your claims-aware application, and then open it with Notepad. This file should be located in \inetpub\wwwroot\virtualdirectory, where your claims-aware application files are stored.

  2. If the following code does not exist in the web.config file, paste the code into the file:

    <?xml version="1.0" encoding="utf-8" ?>



    <sectionGroup name="system.web">

    <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />




    <compilation defaultLanguage="c#" debug="true">


    <add assembly="System.Web.Security.SingleSignOn, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />

    <add assembly="System.Web.Security.SingleSignOn.ClaimTransforms, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />



    <customErrors mode="Off" />

    <authentication mode="None" />


    <add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />






    <cookies writecookies="true">














    <system.diagnostics> (this section is optional and is used for debugging)


    <add name="WebSsoDebugLevel" value="15" />


    <trace autoflush="true" indentsize="3">


    <add name="ADFSLogListener" type="System.Web.Security.SingleSignOn.BoundedSizeLogFileTraceListener, System.Web.Security.SingleSignOn, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" initializeData="applogfile"/>






In the following steps of this procedure, replace the highlighted text with information that is specific to your application and your federation server.

  1. Replace myapp in <returnurl>https://myapp</returnurl> with the URL address for the claims-aware application that will be loaded. The URL value here must match the Application URL value that is specified in the properties page of the claims-aware application (which is located under Federation Service\Trust Policy\Applications in the Active Directory Federation Services snap-in) of the resource partner.

  2. Replace apppath in <path>/apppath</path> with the path of the virtual directory where you are storing the claims-aware application.

  3. Replace myresourcefederationserver in <fs>https://myresourcefederationserver/adfs/fs/federationserverservice.asmx</fs> with a valid resource federation server name.

  4. Replace applogfileininitializeData="applogfile" with the local path to the location of the application's log file.

  5. In Notepad, on the File menu, click Save.