Detailed technical requirements for the WS-Federation interface

Basic technical requirements

This section describes the basic technical requirements of the WS-Federation interface. It is limited to the points that differ from, or are additional to, the integration of a SAML 2.0-capable application.

Required parameters of the wsignin request

Name      MUST/CAN  Context                                                     Possible values
wa        MUST      Requested action on the interface                           wsignin1.0
wtrealm   MUST      Realm identifying the calling Relying Party (application)   URI (URL or URN)
wctx      CAN       Optional context information, e.g. about the URL to which   Opaque value that only the
                    the client should be redirected after authentication.       Relying Party knows
                    The eIAM-Web PEP returns this value unchanged to the
                    Relying Party with the response. For security reasons
                    (e.g. XSS) it should not be a URL.

Session setup in eIAM with WS-Federation


Web applications that federate using the WS-Federation protocol submit a request for a security token to the eIAM-Web PEP using a wsignin request. The eIAM-Web PEP can issue security tokens in the formats SAML 1.1 and SAML 2.0 on its WS-Federation interfaces.

The authentication of an accessing user runs according to the following figure.

Figure: Session setup between eIAM and the application with federation


Request for a SAML 1.1 Security Token
The eIAM-Web PEP accepts the wsignin requests under
/auth/wsfed/ipsts11?wa=wsignin1.0 and issues SAML 1.1 assertions.

https://<FQDN of PEP>/auth/wsfed/ipsts11

Example
https://www.gate.amt.admin.ch/auth/wsfed/ipsts11

Request for a SAML 2.0 Security Token
The eIAM-Web PEP accepts the wsignin requests under
/auth/wsfed/ipsts?wa=wsignin1.0 and issues SAML 2.0 assertions.

https://<FQDN of PEP>/auth/wsfed/ipsts

Example
https://www.gate.amt.admin.ch/auth/wsfed/ipsts
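As an added example that is not part of this documentation or of eIAM's own code, the following Python assembles the wsignin request from the parameters and endpoints above (both endpoint paths and the example PEP host are taken from the page) and shows one way for a Relying Party to keep wctx opaque: the real post-login destination stays on the server and only a random, single-use key travels to the PEP and back. The realm "urn:example:app", the return paths and all function names are this example's own assumptions.

```python
# Added example (not eIAM code): build the wsignin1.0 request and use wctx as
# an opaque server-side reference instead of a URL. The two endpoint paths and
# the host www.gate.amt.admin.ch come from the documentation; the realm and the
# return paths are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint paths from the documentation; the key names are this example's own.
WSFED_ENDPOINTS = {
    "saml11": "/auth/wsfed/ipsts11",  # PEP issues SAML 1.1 assertions
    "saml20": "/auth/wsfed/ipsts",    # PEP issues SAML 2.0 assertions
}


def is_opaque_wctx(value):
    """True if the value is a bare token with no URL or path structure.

    Anything containing ':' or '/' (schemes, hosts, paths) is rejected, so a
    wctx can never be turned into a redirect target by the receiving side.
    """
    return bool(value) and all(c.isalnum() or c in "-_" for c in value)


class WctxStore:
    """Relying-Party-side map from opaque wctx keys to return paths.

    The RP keeps the real post-login destination here and sends only the
    random key to the PEP; the PEP echoes that key back unchanged.
    """

    def __init__(self):
        self._entries = {}

    def issue(self, return_path):
        ctx = secrets.token_urlsafe(32)  # 256 bits from a URL-safe alphabet
        self._entries[ctx] = return_path
        return ctx

    def redeem(self, ctx):
        """Return the stored path for a wctx echoed back by the PEP, or None.

        Entries are single-use, so a replayed response cannot be redeemed twice.
        """
        return self._entries.pop(ctx, None)


def build_wsignin_url(pep_fqdn, token_format, wtrealm, wctx=None):
    """Assemble https://<FQDN of PEP><endpoint>?wa=wsignin1.0&wtrealm=...[&wctx=...]."""
    if token_format not in WSFED_ENDPOINTS:
        raise ValueError(f"unknown token format {token_format!r}")
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if wctx is not None:
        if not is_opaque_wctx(wctx):
            raise ValueError("wctx must be an opaque value, not a URL")
        params["wctx"] = wctx
    return f"https://{pep_fqdn}{WSFED_ENDPOINTS[token_format]}?{urlencode(params)}"


def query_params(url):
    """Single-valued query parameters of a URL (helper for inspecting results)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def landing_path(store, echoed_wctx, default="/"):
    """Where to send the browser after a successful response from the PEP.

    An unknown or already-used wctx falls back to a fixed default instead of
    trusting anything carried in the response.
    """
    path = store.redeem(echoed_wctx) if echoed_wctx else None
    return path if path is not None else default


if __name__ == "__main__":
    store = WctxStore()
    ctx = store.issue("/orders/42")
    # "urn:example:app" is a constructed realm, not a real eIAM registration.
    print(build_wsignin_url("www.gate.amt.admin.ch", "saml20", "urn:example:app", ctx))
    print(landing_path(store, ctx))  # /orders/42
    print(landing_path(store, ctx))  # / (key was single-use)
```

The store is an in-memory dictionary here; in a real Relying Party it would live in the user's server-side session or a short-lived cache so that the key expires together with the login attempt.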

Session termination in eIAM with WS-Federation

The WS-Federation interface of eIAM only supports single sign-on using the WS-Federation protocol. Single sign-out using the WS-Federation protocol is not supported.

A running session in a web application integrated with eIAM is terminated by calling the application's own logout URL through the eIAM-Web PEP. This happens in the following cases:

  • The user calls the logout function in any application of the SSO federation.
  • The maximum session lifetime on the eIAM-Web PEP is reached.
  • The maximum session inactivity time on the eIAM-Web PEP is reached.