Web Services Federation

Learn how the EAA identity provider acts as a security token service (STS) provider to give access to an application that supports the WS-Federation protocol.

Web Services (WS) Federation is an identity federation specification that defines the mechanism for allowing different security realms or domains to transfer information on identities, identity attributes and authentication tokens.

You can configure Enterprise Application Access (EAA) as an identity provider (IdP) to work with an application acting as a relying party over the WS-Federation protocol in passive requestor profile mode. In the terms of the WS-Federation specification, the EAA IdP is a Security Token Service (STS) provider. As an STS provider, the EAA IdP supports only SAML 1.1 tokens.

The WS-Federation protocol is the identity federation protocol of choice for many legacy Microsoft applications such as SharePoint.

This diagram describes the communication between the federation server in the service provider (SP) realm, the federation server in the EAA IdP realm, and the end user's machine and browser, which allows an authenticated user to access on-premises applications such as SharePoint.

WS-Federation flow
The process for successfully authenticating a user to access a custom SaaS application like SharePoint using the WS-Federation protocol is:
  1. An end user requests access to a service, such as a SharePoint server protected by the SP federation server.
  2. The SP verifies that there is no authenticated session and that the requester (browser) did not present a WS-Federation trust token from a trusted STS provider. It then redirects the requester to the trusted STS provider with an authentication request.
  3. The STS provider validates the request and establishes the user identity using the configured authentication schemes. If the user had previously logged into the IdP, the identity is established by the existing session.
  4. The IdP federation server retrieves user information, using the user's attributes in LDAP or AD, for authorization.
  5. The IdP federation server generates a SAML 1.1 assertion and returns it to the SP federation server, via the browser.
  6. The SP verifies the received SAML 1.1 token (authentication statement, attribute statement, and signature) based on pre-established trust. If the SAML 1.1 token and the user identity embedded in the token are acceptable to the SP, it will generate a new session, granting access to the requester for a duration that may depend on its local session policy.
  7. The requester is granted access to the application resources scoped by the user’s identity and other attributes such as group membership for the duration of the session.
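The relying-party checks of step 6, as an added example that is not EAA documentation or product code: it parses a constructed RequestSecurityTokenResponse carrying a SAML 1.1 token and enforces the version, signature element, issuer, validity window, audience and subject before releasing the subject and attributes to the SP's session logic. The issuer URL, realm and sample token are assumptions, and cryptographic verification of the XML signature is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust", "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed wresult as POSTed back to the SP in step 5; issuer, realm and signature value are placeholders.
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<t:RequestedSecurityToken><saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="https://idp.example.invalid/" IssueInstant="2024-01-01T00:00:00Z">
<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:10:00Z">
<saml:AudienceRestrictionCondition><saml:Audience>urn:sharepoint:example</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2024-01-01T00:00:00Z">
<saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement>
<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="group" AttributeNamespace="urn:example"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""

def parse_instant(s):
    """SAML 1.1 instants are UTC with a 'Z' suffix; fromisoformat wants '+00:00'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_saml11_token(wresult, expected_issuer, expected_audience, now):
    """Step-6 relying-party checks. Returns (ok, reason, subject, attributes). Cryptographic XML-DSig
    verification against the pinned IdP certificate is a separate step; only the element's presence is checked."""
    a = ET.fromstring(wresult).find("t:RequestedSecurityToken/saml:Assertion", NS)
    if a is None or (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        return False, "no SAML 1.1 assertion", None, {}
    if a.find("ds:Signature", NS) is None:
        return False, "unsigned assertion", None, {}
    if a.get("Issuer") != expected_issuer:
        return False, "untrusted issuer", None, {}
    cond = a.find("saml:Conditions", NS)
    try:  # a missing Conditions element or instant is treated as invalid, never as unbounded validity
        in_window = parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter"))
    except (AttributeError, ValueError):
        in_window = False
    if not in_window:
        return False, "outside validity window", None, {}
    if expected_audience not in [e.text for e in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]:
        return False, "audience mismatch", None, {}
    subj = a.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if subj is None or not subj.text:
        return False, "no authentication statement subject", None, {}
    attrs = {}  # attribute statement values (e.g. group membership) drive authorization in step 7
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(attr.get("AttributeName"), []).extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    return True, "ok", subj.text, attrs
```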