Configure WS-Fed Applications

You can configure a WS-Fed application (service provider) to use Auth0 as an identity provider. Some commonly used WS-Fed applications are pre-configured in Auth0 and available via Single Sign-On Integrations. If a WS-Fed application is not listed in Single Sign-On Integrations, the WS-Fed application configuration can be accessed using the following steps.

  1. Go to Dashboard > Applications > Applications.

  2. Click Create App.

  3. Enter a name, and click Save.

  4. Go to the Addons tab.

  5. Scroll to WS-Fed Web App, and enter the Application Callback URL. This is your callback URL in the WS-Fed application to which the WS-Fed response will be posted. It may also be called the ACS or Assertion Consumer Service URL in some applications.

  6. Enter the Realm. This is an identifier sent by the WS-Fed application and is used to identify the application in the response.

Configure claims included in the WS-Fed token response

Unlike the SAML Web App addon, the WS-Fed Web App addon does not include configuration settings that allow you to configure the token generated by Auth0. If you need to change the default settings, you can create a rule similar to:

function (user, context, callback) {

  // only apply changes for the WS-Fed application
  if (context.clientName !== 'Your ws-fed application name') {
    return callback(null, user, context);
  }

  // exclude the upn claim creation (defaults to true)
  context.samlConfiguration.createUpnClaim = false;

  // exclude the identities array (defaults to true)
  context.samlConfiguration.mapIdentities = false;

  // exclude claims that were not explicitly mapped (defaults to true)
  context.samlConfiguration.passthroughClaimsWithNoMapping = false;

  // this is the default mapping. Remove or change as you like.
  // Note that the key (left side) is the attribute name (namespace-qualified)
  // and the value (right side) is the property name from the user object.
  // you can also use transient values from the user object. For example, for:
  //    user.calculated_field = <some expression>;
  // then add this mapping:
  //    'some_claim': 'calculated_field',
  context.samlConfiguration.mappings = {
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': 'user_id',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'email',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': 'given_name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': 'family_name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn': 'upn',
    'http://schemas.xmlsoap.org/claims/Group': 'groups'
  };

  callback(null, user, context);
}
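To check what a rule of this shape does to the claims before deploying it, here is an added example (not from the Auth0 docs) that runs such a rule offline against a constructed user and context. The names wsfedClaimsRule, runRule and projectClaims are assumptions made for this example, and projectClaims is a simplified model of how the mappings select claims, not Auth0's token builder.

```javascript
// Added example, not part of the Auth0 docs: exercise a WS-Fed claim-mapping
// rule offline with constructed (user, context) objects (names are assumptions).
const WSFED_APP_NAME = 'Your ws-fed application name'; // assumed app name

function wsfedClaimsRule(user, context, callback) {
  // Guard: every client other than the WS-Fed app keeps Auth0's defaults.
  if (context.clientName !== WSFED_APP_NAME) {
    return callback(null, user, context);
  }
  context.samlConfiguration.createUpnClaim = false;
  context.samlConfiguration.mapIdentities = false;
  context.samlConfiguration.passthroughClaimsWithNoMapping = false;
  // Transient value computed on the user object, then exposed via a mapping.
  user.display_label = `${user.given_name || ''} ${user.family_name || ''}`.trim();
  context.samlConfiguration.mappings = {
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': 'user_id',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'email',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'display_label',
    'http://schemas.xmlsoap.org/claims/Group': 'groups'
  };
  callback(null, user, context);
}

// Run a rule synchronously with an empty samlConfiguration; return what it hands back.
function runRule(rule, user, clientName) {
  const context = { clientName, samlConfiguration: {} };
  let result;
  rule(user, context, (err, u, c) => {
    if (err) throw err;
    result = { user: u, context: c };
  });
  return result;
}

// Simplified model of claim selection (not Auth0's token builder): mapped properties
// are emitted under their claim URI; unmapped ones are kept, under their raw property
// name, only when passthroughClaimsWithNoMapping has not been set to false.
function projectClaims(user, samlConfiguration) {
  const mappings = samlConfiguration.mappings || {};
  const claims = {};
  for (const [claimUri, prop] of Object.entries(mappings)) {
    if (user[prop] !== undefined) claims[claimUri] = user[prop];
  }
  if (samlConfiguration.passthroughClaimsWithNoMapping !== false) {
    const mapped = new Set(Object.values(mappings));
    for (const [prop, value] of Object.entries(user)) {
      if (!mapped.has(prop)) claims[prop] = value;
    }
  }
  return claims;
}
```

Running the same constructed user through the rule under a different clientName leaves samlConfiguration untouched, which is the behaviour the guard at the top of the rule is there to guarantee.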

Custom domains

To use your WS-Fed apps with a custom domain and with Auth0 as the IdP, update your service provider with new identity provider metadata from Auth0. You can obtain the metadata from:

https://<YOUR CUSTOM DOMAIN>/wsfed/FederationMetadata/2007-06/FederationMetadata.xml.

Encrypted responses

If you require encrypted responses, you should use SAML to connect to ADFS. See Configure ADFS SAML Connections and Special Configuration Scenarios: Sign and Encrypt SAML Requests.

Learn more