WS-Federation is supported both for apps (e.g. any WIF-based app) and for identity providers (e.g. ADFS or ACS).
All registered apps in Auth0 get a WS-Fed endpoint of the form:
The metadata endpoint that you can use to configure the Relying Party:
All options for WS-Fed are available under the advanced settings for an App.
Claims sent in the SAML token, as well as other lower-level settings of WS-Fed and SAML-P, can also be configured with the samlConfiguration object through rules.
The following optional parameters can be used when redirecting to the WS-Fed endpoint:
wreply: Callback URL
wctx: Your application's state
whr: The name of the connection (to skip the login page)
If you are connecting a WS-Fed IdP (e.g. ADFS, Azure ACS or IdentityServer), the easiest option is to use the ADFS connection type. With it, you only enter the server address. Auth0 will probe for the Federation Metadata endpoint and import all the required parameters: certificates, URLs, etc.
If both primary and secondary certificates are present in the Federation Metadata, then both will work. Connection parameters can be updated at any time (by clicking Edit and then Save). This allows simple certificate rollover.
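The rollover behaviour described above, as an added example (not Auth0's code): a relying party collects every signing certificate published in Federation Metadata and accepts a token signer that matches either the primary or the secondary one. The metadata document, entity ID and certificate bytes are constructed placeholders, and all function names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def fake_cert(label):
    # Constructed stand-in for base64 DER bytes; not a real X.509 certificate.
    return base64.b64encode(label.encode()).decode()

PRIMARY, SECONDARY, ENCRYPTION = (fake_cert(n) for n in ("primary", "secondary", "encryption"))

def key_descriptor(use, cert):
    return (f'<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></KeyDescriptor>')

# Constructed Federation Metadata: two signing keys (rollover) and one encryption key.
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">'
    '<RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">'
    + key_descriptor("signing", PRIMARY) + key_descriptor("signing", SECONDARY)
    + key_descriptor("encryption", ENCRYPTION)
    + '</RoleDescriptor></EntityDescriptor>'
)

def thumbprint(cert_b64):
    # SHA-256 over the decoded certificate bytes; whitespace in the base64 is ignored.
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def signing_thumbprints(metadata_xml):
    """Return thumbprints of every certificate the IdP may sign tokens with."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("DTDs are not accepted in federation metadata")
    trusted = set()
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without 'use' applies to both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            trusted.add(thumbprint(cert.text))
    return trusted

def is_trusted_signer(cert_b64, trusted):
    # Identifies the signer only; the token's XML signature must still be verified.
    return thumbprint(cert_b64) in trusted
```

Re-running `signing_thumbprints` whenever the metadata is refreshed keeps the trust set current while the IdP rotates from the primary to the secondary certificate.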