Use this guide to configure WS-Federation and WS-Trust in version 8.1.


Installation of SecureAuth IdP version 8.1

Configuring WS-Federation
  1. Click on the Post Authentication tab.
  2. In the Post Authentication section for Authenticated User Redirect, select WS-Federation Assertion.
  3. User ID Mapping Section: These settings define the profile property and format to be used for the Subject/NameIdentifier section of the SAML assertion.

    • User ID Mapping: A mapping to the profile property to be used for the Subject.
    • Name ID Format: Format of the value used for the Subject.
    • Encode to Base64: Specifies if the property value should be Base64 encoded or not. Values are: (True, False)
  4. SAML Assertion / WS-Federation. Additional settings for the WS-Federation assertion.

    • WSFed Reply To/SAML Target URL:Specify a value here if the application being integrated does not provide a wreply query string parameter.
    • WSFed/SAML Issuer: Specify a unique value for the issuer. An example value is the URL of the SecureAuth IdP appliance, e.g.
    • SAML Consumer URL: Use to specify the wctx parameter which is used in the WS-Federation POST.
    • SAML Audience: Use to specify the audience which refers to the relying parties in the WS-Federation Assertion.
  5. SAML Attributes / WS Federation. Configure up to 10 attribute values to assert. Below is an example of an ImmutableID used for integration to Office 365. 

    • Name: A friendly name for the attribute assertion. This value is not included in the actual WS-Fed SAML assertion, but rather is included in the FederationMetadata.xml metadata. 
    • Namespace:  The actual attribute namespace. This value is case sensitive and must align with what the integrating application is expecting to be asserted.

      A list of commonly used namespaces can be found here: In addition, custom namespaces can be used.

    • Format: This specifies how the attribute value should be handled and formatted for the assertion. Value:  The profile property mapping to be used for the attribute value.

BasicNo action in WS-Federation
URINo action in WS-Federation
UnspecifiedNo action in WS-Federation
Base64 EncodedWill Base64 encode the value of the mapped profile property. Typically used with integration to Office 365.
Group ListFor use with the GroupList profile property mapping. This will parse the multi-valued group membership into individual attribute value assertions. Commonly used with SharePoint integrations.

    • Value:  The profile property mapping to be used for the attribute value.
Configure WS-Trust Endpoints
  1. When the post authentication method has been set to WS-Federation Assertion, the following section will be available at the bottom of the post authentication page. Click on the link to be redirected to the WS-Trust configuration page.
  2. WS-Trust Host Name. Specify the host/base address of the publicly accessible WS-Trust service endpoint. 
  3. WS-Trust Endpoint Configuration. Enable/disable each WS-Trust endpoint as required by the integration.
  • /2005/usernamemixed : A username/password endpoint. Typically used by web clients. This refers to WS-Trust 1.2.
    If you are integrating with Office 365, use this version. 
  • /2005/windowstransport : Used by rich clients capable of Windows Integrated Authentication for a single sign on experience.
  • /13/usernamemixed: This endpoint is used to pass the user name and password in the Request Security Token (RST) with the 1.3 XML markup. If you are integrating with Microsoft Dynamics CRM, use this version.
  • /13/windowstransport: Used with clients that leverage IWA (Integrated Windows Authentication). It uses an NTLM challenge and response to authenticate the endpoint. This feature also supports Microsoft Dynamics CRM. This is typically used by Domain-joined computers that use IWA and NTLM to pick up those credentials.
  • /13/issuedtokenmixedasymmeticalbasic256 : This Microsoft Dynamics CRM requires that this endpoint exists.
Related Documentation