Module ws_federation


WS-Federation Passive Requestor Profile

Implements the WS-Federation 1.2 passive requestor profile for browser-based SSO. WS-Federation is commonly used with Active Directory Federation Services (ADFS) and Azure AD in legacy enterprise environments.

Protocol Flow (Passive Requestor)

  1. Application redirects the user to the STS sign-in URL with wa=wsignin1.0
  2. STS authenticates the user and posts a security token (SAML assertion) back to the application’s reply URL (wtrealm)
  3. Application validates the security token and establishes a session
  4. Logout: redirect to STS with wa=wsignout1.0

Security Considerations

  • Federation metadata should be fetched over HTTPS and cached
  • Security tokens (SAML assertions) must be validated against the STS signing certificate
  • Replay protection via wctx state parameter
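The relying-party side of steps 1 to 3 above, together with the wctx check from the security considerations, as an added example. This is stand-alone illustrative code, not the module's own API: the STS address, realm and state value are constructed, the posted form body is a constructed sample with the token content elided, and `check_signin_response` stops where signature validation of the `wresult` token against the STS certificate would begin.

```rust
// Added example (not part of the ws_federation module): build the passive
// requestor sign-in redirect, then accept a posted sign-in response only if
// its wa/wresult/wctx fields are present and wctx matches the stored state.
use std::collections::HashMap;

/// Percent-encode a query-string value, keeping the RFC 3986 unreserved set.
fn percent_encode(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Step 1: redirect URL to the STS with wa=wsignin1.0, the RP realm (wtrealm)
/// and an opaque wctx state the RP has bound to the user's session.
fn build_signin_url(sts_url: &str, wtrealm: &str, wctx: &str) -> String {
    format!(
        "{}?wa=wsignin1.0&wtrealm={}&wctx={}",
        sts_url,
        percent_encode(wtrealm),
        percent_encode(wctx)
    )
}

/// Decode one application/x-www-form-urlencoded component ('+' is a space).
fn form_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'+' => { out.push(b' '); i += 1; }
            b'%' => {
                if i + 2 >= bytes.len() { return None; } // truncated escape
                let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()?;
                out.push(u8::from_str_radix(hex, 16).ok()?);
                i += 3;
            }
            b => { out.push(b); i += 1; }
        }
    }
    String::from_utf8(out).ok()
}

/// Parse the POST body the STS sends to the reply URL into key/value pairs.
fn parse_form(body: &str) -> Option<HashMap<String, String>> {
    let mut map = HashMap::new();
    for pair in body.split('&').filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
        map.insert(form_decode(k)?, form_decode(v)?);
    }
    Some(map)
}

/// Compare the posted wctx with the stored one without leaking length-independent timing.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

#[derive(Debug, PartialEq)]
enum SignInError { MalformedBody, WrongAction, MissingToken, MissingContext, ContextMismatch }

/// Steps 2-3, RP side, before signature validation: require wa=wsignin1.0,
/// a non-empty wresult, and a wctx equal to the state issued for this session.
/// On success returns the raw wresult for validation against the STS certificate.
fn check_signin_response(body: &str, expected_wctx: &str) -> Result<String, SignInError> {
    let form = parse_form(body).ok_or(SignInError::MalformedBody)?;
    if form.get("wa").map(String::as_str) != Some("wsignin1.0") {
        return Err(SignInError::WrongAction);
    }
    let wresult = form.get("wresult").filter(|s| !s.is_empty()).ok_or(SignInError::MissingToken)?;
    let wctx = form.get("wctx").ok_or(SignInError::MissingContext)?;
    if !constant_time_eq(wctx.as_bytes(), expected_wctx.as_bytes()) {
        return Err(SignInError::ContextMismatch);
    }
    Ok(wresult.clone())
}

fn main() {
    // Constructed values; a real RP generates wctx randomly per session.
    let wctx = "7f3a9c-constructed-state";
    let url = build_signin_url("https://sts.example.test/adfs/ls/", "https://rp.example.test/", wctx);
    println!("redirect to: {}", url);

    // Constructed POST body as the STS would send it back (token content elided).
    let body = "wa=wsignin1.0&wresult=%3Ct%3ARequestSecurityTokenResponse%2F%3E&wctx=7f3a9c-constructed-state";
    match check_signin_response(body, wctx) {
        Ok(token) => println!("token accepted for signature validation: {}", token),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

A response whose wctx does not match the session's stored state is rejected before the token is even parsed, which is what keeps a captured response from being replayed into a different session; the returned `wresult` still has to be validated against the STS signing certificate, as the security considerations require.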

Modules

action
WS-Federation action values.
ns
WS-Federation XML namespace URIs.

Structs

ClaimTypeOffered
Claim type advertised in federation metadata.
FederationMetadata
Federation metadata for an STS.
WsFedSecurityToken
Validated security token extracted from a WS-Federation response.
WsFedSignInResponse
Parsed WS-Federation sign-in response.
WsFederationClient
WS-Federation Relying Party client.
WsFederationConfig
WS-Federation Relying Party (RP) configuration.

Enums

WsFedTokenType
Security token type.