3.5 Creating a WS-Federation Connector Template

To create a connector for single sign-on with WS-Federation, you can use the WS-Fed option in the Access Connector Toolkit.

3.5.1 WS-Federation Requirements for the Application Service Provider

To create a custom WS-Federation connector for a destination application, ensure that the service provider meets the following protocol-specific requirements:

  • Supports identity federation using the WS-Federation protocol.

    For more information about WS-Federation, see the OASIS website or the MSDN Library article.

  • Supports the WS-Federation Passive Requestor Profile.

  • Provides a capability in the application’s administration console that allows the customer to enable and configure WS-Federation SSO.

  • Provides technical documents that describe the application’s WS-Federation federation requirements, metadata, and security tokens.

3.5.2 Planning for a WS-Federation Connector

Before you attempt to create a WS-Federation connector, you must collect information about the destination web service or application. For more information, see Section 3.3, Federation Requirements for the Application Service Provider.

Ask the web service or application vendors the following types of questions to gather the required information:

  • What does your WS-Federation security token look like?

  • Do you have a WS-Federation metadata document? What fields, if any, are customer-specific?

  • What are the required configuration steps in your application to set up federation?

  • What is the information that you provide to customers when they are setting up federation with their identity source?

NOTE: You can use a worksheet to organize the information. See Worksheet for SAML or WS-Federation Custom Connectors.

3.5.3 Creating a WS-Federation Connector Template for an Application

A WS-Federation connector template consists of multiple components for federation, metadata, and assertion information.

To create a custom connector:

  1. Log in as an administrator to the Access Connector Toolkit.

  2. Click New > WSFed.

    The connector Type is WS-Fed. The Type Name is Generic WS-Fed Connector.

  3. On the Template tab, complete the following information:

    • Template properties

    • Whether the service provider requires a signing certificate

    • Federation instructions for the service provider

    • New settings that need to be collected on the Configuration page of the connector

  4. Click the Metadata tab, then use one of the following methods to specify the metadata:

    • Select Request, then specify the source URL to retrieve the metadata.

    • Complete the fields to manually generate the metadata.

    • Import the values from a file or URL, and modify them for your deployment environment.

  5. Click the Assertion tab, then define the properties and attributes required for the security token.

    a. On the Properties subtab, specify the properties for the assertion.

    b. On the Attributes subtab, click Predefined, click the identity attribute, modify the definition if needed, then click Save.

      If a predefined option does not exist, use New to define it.

    c. (Conditional) If the service provider requires other identity attributes for an assertion, repeat Step 5.b to map the WS-Federation attribute to an attribute in your identity source.

  6. (Optional) Create the provisioning definitions. For more information, see Section 3.2.3, Provisioning Support.

  7. Click Save to save the new connector template.

  8. Proceed to Section 3.9, Exporting a Connector Template to finish creating the new connector.
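The planning questions in Section 3.5.2 (what the vendor's metadata document and security token contain) and the Metadata tab in Step 4 both depend on reading a WS-Federation metadata document correctly. The following is an added example, not code from the Access Connector Toolkit or from any application vendor. It parses a constructed service-provider metadata document (an `md:EntityDescriptor` carrying a `fed:ApplicationServiceType` role, the shape defined by the WS-Federation 1.2 specification) to extract the realm, the passive requestor endpoint, the requested claims, and a fingerprint of the signing certificate, and then shows the check an identity provider performs on an incoming `wsignin1.0` request: the `wreply` value must match an endpoint registered in that metadata before any token is returned to it. The sample metadata, the realm `urn:example:app`, the URLs, and the certificate bytes are all constructed for the example.

```python
"""Added example: read a WS-Federation service-provider metadata document and
validate a passive requestor (wsignin1.0) request against it."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Namespaces used by WS-Federation 1.2 metadata (the SAML metadata wrapper,
# the WS-Fed federation and authorization schemas, WS-Addressing, XML-DSig).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample metadata: not any vendor's real document. The
# X509Certificate value is the bytes "ABCDEFGH" in base64, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="urn:example:app">
  <md:RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUJDREVGR0g=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <fed:ClaimTypesRequested>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="false"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true"/>
    </fed:ClaimTypesRequested>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference><wsa:Address>https://app.example.com/wsfed/acs</wsa:Address></wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </md:RoleDescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract what a connector template needs from SP metadata.

    Metadata fetched from a vendor URL is untrusted input; the stdlib parser
    does not resolve external entities, but use defusedxml in production.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document root is not md:EntityDescriptor")
    role = next(
        (rd for rd in root.findall("md:RoleDescriptor", NS)
         if rd.get(XSI_TYPE, "").endswith("ApplicationServiceType")),
        None,
    )
    if role is None:
        raise ValueError("no fed:ApplicationServiceType role found")

    endpoints = [
        a.text.strip() for a in role.findall(
            "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    ]
    required, optional = [], []
    for claim in role.findall("fed:ClaimTypesRequested/auth:ClaimType", NS):
        # Optional defaults to true in the schema; only an explicit "false" is required.
        (required if claim.get("Optional", "true").lower() == "false" else optional).append(claim.get("Uri"))

    fingerprints = []
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            # Record a SHA-256 fingerprint so the cert pinned in the template
            # can be compared against what the vendor publishes later.
            fingerprints.append(hashlib.sha256(der).hexdigest())

    return {
        "realm": root.get("entityID"),
        "passive_endpoints": endpoints,
        "required_claims": required,
        "optional_claims": optional,
        "signing_cert_fingerprints": fingerprints,
    }


def check_signin_request(query_string, sp):
    """Validate a passive requestor sign-in request against registered SP data.

    Returns ok=False with reasons when wa, wtrealm or wreply do not match;
    a token must only be posted to a wreply registered in the metadata.
    """
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    problems = []
    if params.get("wa") != "wsignin1.0":
        problems.append("wa is not wsignin1.0")
    if params.get("wtrealm") != sp["realm"]:
        problems.append("wtrealm does not match the registered realm")
    wreply = params.get("wreply")
    if wreply is None:
        # wreply is optional; fall back to the registered endpoint.
        reply_to = sp["passive_endpoints"][0] if sp["passive_endpoints"] else None
    elif wreply in sp["passive_endpoints"]:
        reply_to = wreply
    else:
        reply_to = None
        problems.append("wreply is not a registered passive requestor endpoint")
    return {"ok": not problems and reply_to is not None, "reply_to": reply_to,
            "wctx": params.get("wctx"), "problems": problems}
```

Running `parse_sp_metadata(SAMPLE_METADATA)` gives the values you would type into the Template and Metadata tabs (realm, reply endpoint, required claims to map on the Attributes subtab); `check_signin_request` illustrates why the Passive Requestor Profile endpoint recorded in the template matters at runtime.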