PingFederate supports the WS-Federation Passive Requestor Profile for SP-initiated SSO, enabling interoperability with Microsoft's Active Directory Federation Services (ADFS). The profile uses straightforward redirects and the HTTP GET and POST methods to transport security tokens (SAML assertions or JSON Web Tokens (JWTs)) for SSO, and logout request and response messages for SLO.

Note:

Unlike SAML, WS-Federation consolidates the endpoints for SLO and SSO. So when you set up a WS-Federation connection in PingFederate, both types of transactions are available to an SP web application that supports them both.

For more information about WS-Federation and the Passive Requestor Profile, see Web Services Federation Language (docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html).

Passive Requestor profile

This profile permits a user's browser (the passive requestor) to request a security token from an IdP when the user requests access to a protected web service or other resource at an SP.

WS-Federation SSO

Processing steps:

  1. A user requests access to a protected SP resource. The user is not logged on to the site. The request is redirected to the federation server to handle authentication.
  2. The SP generates a security token request and redirects the browser to the identity provider's WS-Federation implementation.
  3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP asks for credentials (for example, ID and password) and the user logs on.
  4. Additional information about the user may be retrieved from the user datastore for inclusion in the SAML response. These attributes are predetermined as part of the federation agreement between the IdP and the SP (see User attributes).
  5. The federation server creates a response containing a signed SAML assertion (or a JSON Web Token) and returns it to the SP via POST.
  6. (Not shown) If the signature and the assertion (or the JSON Web Token) are valid, the SP establishes a session for the user and redirects the browser to the target resource.
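
The SP side of steps 2, 5 and 6, as an added example (not PingFederate code): it builds the sign-in redirect and runs the checks on the returned form POST that come before token validation. The parameter names `wa`, `wtrealm`, `wreply`, `wctx` and `wresult` are from the WS-Federation 1.2 specification; the function names, the session identifier and the HMAC-bound `wctx` format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

STATE_KEY = secrets.token_bytes(32)  # SP-side secret for wctx (assumption)
MAX_AGE = 300                        # seconds a request stays valid (assumption)

def _mac(session_id, nonce, issued):
    msg = f"{session_id}|{nonce}|{issued}".encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()

def build_signin_url(idp_endpoint, realm, reply_url, session_id, now=None):
    """Step 2: build the sign-in request the browser is redirected with."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    # wctx is opaque to the IdP and echoed back; bind it to the SP session.
    wctx = f"{nonce}.{issued}.{_mac(session_id, nonce, issued)}"
    params = {"wa": "wsignin1.0", "wtrealm": realm,
              "wreply": reply_url, "wctx": wctx}
    return f"{idp_endpoint}?{urlencode(params)}"

def check_signin_response(form, session_id, now=None):
    """Steps 5-6: checks on the POSTed form before token validation.
    Returns the raw wresult; raises ValueError on any failed check."""
    if form.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa value")
    try:
        nonce, issued, mac = form.get("wctx", "").split(".")
        issued = int(issued)
    except ValueError:
        raise ValueError("malformed wctx") from None
    expected = _mac(session_id, nonce, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("wctx not bound to this session")
    now = time.time() if now is None else now
    if not 0 <= now - issued <= MAX_AGE:
        raise ValueError("sign-in request expired")
    if not form.get("wresult"):
        raise ValueError("missing wresult")
    # The token in wresult must still have its signature, issuer, audience
    # and validity period verified by a SAML/JWT library before a session
    # is established (step 6).
    return form["wresult"]
```
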

Single logout using WS-Federation is handled in much the same way as with SAML (see Single logout); however, HTTP GET/POST is always used as the transport mechanism.