
Understanding WS-Federation: A modern primer for an obsolete protocol

09 April 2024 WS-Federation

Why the hell am I writing about WS-Federation in 2024? Well, it turns out a lot of organizations, especially Microsoft shops with ADFS running on-premises, still default to WS-Federation, and I’ve had customers come to me asking how to support it, or even asking, “What is WS-Federation anyway? I can’t find anything about it on Google!”

Unfortunately, most of my favorite articles and resources about WS-Federation have long since disappeared from the internet. So, in their honor and to keep the knowledge accessible, I’ve written a modern primer on the WS-Federation protocol, focusing on the core Single Sign-On (SSO) parts that are still in use rather than on the WS-Trust features that WS-Federation builds on.

In this article, you will learn the basics of how WS-Federation works, what the various protocol messages look like, and some of its security limitations. By the end, you should be in a position to integrate your application (the Relying Party, or RP) with a WS-Federation identity provider (the Security Token Service, or STS) and debug any issues along the way.
