WS-Federation
Status: Final
WS-Federation is a Microsoft/IBM-developed federation protocol predating SAML 2.0. It remains in production in large enterprises running ADFS (Active Directory Federation Services) and is still supported by Entra ID and SharePoint. Understanding it is essential for hybrid identity scenarios and legacy migration assessments.
What WS-Federation Is
WS-Federation is part of the WS-* web services stack. It defines how Security Tokens (primarily SAML tokens) are requested from a Security Token Service (STS) and presented to Relying Parties (RPs).
Key distinction from SAML 2.0: WS-Federation is the transport/protocol wrapper; SAML tokens are still the assertion format carried inside. You can think of WS-Federation as the envelope and SAML as the letter.
Protocol Components
| Component | WS-Federation Term | SAML 2.0 Equivalent |
|---|---|---|
| Identity Provider | Security Token Service (STS) | Identity Provider (IdP) |
| Service Provider | Relying Party (RP) | Service Provider (SP) |
| Token | Security Token (SAML assertion) | Assertion |
| Endpoint | STS Endpoint (MEX, passive endpoint) | SSO endpoint |
| Metadata | Federation Metadata XML | SAML Metadata XML |
WS-Federation Passive Requestor Profile (Browser SSO)
The Passive Requestor Profile is what you see in browser-based SSO — called "passive" because the browser (a dumb HTTP client) does the redirects, not a SOAP client.
Exchange between the Browser, the Relying Party (RP) and the STS (ADFS / Entra ID):
- Browser → RP: access resource
- RP → Browser: redirect to STS with ?wa=wsignin1.0&wtrealm=<RP>&wctx=...
- Browser → STS: sign in to STS
- STS → Browser: POST form with wresult (SAML token)
- Browser → RP: POST token to RP
- RP → Browser: access granted
Key query parameters:
| Parameter | Meaning |
|---|---|
| wa=wsignin1.0 | WS-Federation sign-in action |
| wtrealm | Identifier of the relying party (like entityID in SAML) |
| wreply | Reply URL (like ACS URL in SAML) |
| wctx | State bag (round-tripped) |
| wresult | The RSTR (RequestSecurityTokenResponse) containing the token |
ADFS and WS-Federation
ADFS (Active Directory Federation Services) is Microsoft's on-premises STS. It implements both WS-Federation and SAML 2.0 using the same underlying token issuing pipeline.
ADFS uses WS-Federation for:
- SharePoint on-premises integration
- Legacy Microsoft apps (Dynamics, older O365 configs)
- Custom applications using WIF (.NET Windows Identity Foundation)
Security relevance: ADFS servers are Tier 0 assets. Compromising the ADFS server gives access to the WS-Federation signing certificate — the same key used for Golden SAML.
WS-Federation Metadata
ADFS publishes federation metadata at:
https://<adfs_server>/FederationMetadata/2007-06/FederationMetadata.xml
This public XML document contains:
- Signing certificate (public key)
- Endpoint URLs
- Supported token types
Attacker use: publicly accessible federation metadata reveals signing certificate details and endpoints without authentication.
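A defender-side check for the metadata described above, as an added example (not from the original page): it pulls the signing-certificate thumbprints and passive sign-in endpoint out of a FederationMetadata.xml document and diffs the thumbprints against a pinned baseline, so a new or swapped signing key (the key Golden SAML depends on) surfaces as a change instead of going unnoticed. The host adfs.example.test, the placeholder certificate bytes and the baseline are constructed assumptions.

```python
"""Audit ADFS WS-Federation metadata: signing-key thumbprints and passive endpoints."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsa": "http://www.w3.org/2005/08/addressing"}

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed placeholder "certificates": the XML layout mirrors ADFS metadata, but
# these bytes are not real DER, so only the extraction and thumbprint logic is exercised.
PRIMARY_DER = b"constructed-primary-signing-cert"
SECONDARY_DER = b"constructed-secondary-signing-cert"
ENC_DER = b"constructed-encryption-cert"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xmlns:fed="{NS['fed']}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{NS['fed']}">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{_b64(PRIMARY_DER)}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{_b64(SECONDARY_DER)}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{_b64(ENC_DER)}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><EndpointReference xmlns="{NS['wsa']}">
      <Address>https://adfs.example.test/adfs/ls/</Address></EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def thumbprint(b64_cert: str) -> str:
    """SHA-1 thumbprint in upper-case hex, the form the ADFS console displays."""
    return hashlib.sha1(base64.b64decode("".join(b64_cert.split()))).hexdigest().upper()

def signing_thumbprints(metadata_xml: str) -> set[str]:
    """Thumbprints of every use="signing" certificate in any RoleDescriptor, deduplicated."""
    path = ".//md:RoleDescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate"
    return {thumbprint(c.text or "") for c in ET.fromstring(metadata_xml).findall(path, NS)}

def passive_endpoints(metadata_xml: str) -> list[str]:
    """STS URLs the RP redirects browsers to (step 2 of the flow); a change means the trust was retargeted."""
    path = ".//fed:PassiveRequestorEndpoint//wsa:Address"
    return [a.text.strip() for a in ET.fromstring(metadata_xml).findall(path, NS) if a.text]

def diff_against_baseline(metadata_xml: str, pinned: set[str]) -> tuple[set[str], set[str]]:
    """(added, removed) signing thumbprints vs. the approved baseline; anything added is unapproved."""
    current = signing_thumbprints(metadata_xml)
    return current - pinned, pinned - current
```

Run it on a scheduled fetch of the real metadata URL and alert on a non-empty `added` set; with the constructed sample and a baseline of only the primary key, the secondary key is reported as added.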
WS-Federation vs SAML 2.0 vs OIDC
| Feature | WS-Federation | SAML 2.0 | OIDC |
|---|---|---|---|
| Token format | SAML (wrapped in SOAP/HTTP) | SAML assertion | JWT |
| Transport | HTTP redirect + POST | HTTP redirect + POST | HTTP redirect + API |
| Age | ~2003 | ~2005 | ~2014 |
| Modern adoption | Legacy only | Enterprise SSO | Modern apps, APIs |
| Entra ID support | Yes (legacy) | Yes | Yes (primary) |
| Attack surface | Same as SAML | Golden SAML, assertion forgery | Token theft, device code |
Migration Context
Microsoft is deprecating WS-Federation-based authentication in Entra ID for several scenarios. Organizations migrating from WS-Federation to OIDC pass through coexistence windows in which both protocols are active simultaneously, and both must be monitored.
Cross-Links
| Topic | Link |
|---|---|
| SAML | saml |
| Entra Overview | entra-overview |
| Golden SAML | golden-saml |