Browser single sign-on (SSO) relies on a user's web browser and HTTP requests to broker identity-federation messaging in XML or JSON web tokens (JWT) between an identity provider (IdP) and a service provider (SP). In contrast, WS-Trust security token service (STS) messaging is typically application-driven across the back channel and does not require browser mediation.


Many steps involved in setting up a federation connection are protocol-independent; that is, they are required steps for all connections, regardless of the associated standards. For more information, see Federation roles. Also, for any given connection, some configuration steps are required under the applicable protocol, while others are optional. Still others are required only based on certain selections. The administrative console determines the required and optional steps based on the protocol and dynamically presents additional requirements or options based on selections.

The following sections provide sequential information about every step you might encounter while configuring browser-based SSO, regardless of the protocol you are using for a particular connection.

SAML 2.0 configuration steps

SAML 1.x configuration steps

WS-Federation configuration steps

OpenID Connect configuration steps

After configuring SSO settings, you will need to configure authentication credentials, the range of which depends on your SSO selections. For more information, see Configuring security credentials. Also, other configuration tasks might remain to be configured for new or modified connections, depending on the selected options on the Connection Options tab.