WSO2 Identity Server's passive security token service (Passive STS) is used as the WS-Federation implementation. The Passive STS is capable of issuing SAML 1.1 and 2.0 security tokens.
To request a SAML 2.0 security token, the Request Security Token (RST) should be sent to the passive STS endpoint with the TokenType 'SAMLV2.0' when sending the token request. If there is no RST specified, the WSO2 Identity Server will issue a SAML 1.1 token by default.
Configuring passive STS
- See here for details on adding a service provider.
Expand the Inbound Authentication Configuration followed by the WS-Federation (Passive) Configuration section and provide the following values. See Configuring WS-Federation (Passive) for more information.
- Passive STS Realm - This should be an unique identifier for the web app. Provide the same realm name given to the web app you are configuring WS-Federation for.
Passive STS WReply URL - Provide the URL of the web app you are configuring WS-Federation for. This endpoint URL will handle the token response.
If you want to configure an expiration time for the security token, you need to add the following configuration in the
<IS_HOME>/repository/conf/carbon.xmlfile, under the
Here, the expiration time should be specified in milliseconds.
- Expand the Claim Configuration section and map the relevant claims. See Configuring Claims for a Service Provider for more information.
- Click Update to save changes.
Currently the signing algorithm used for passive STS by default is
rsa-sha1 and the digest algorithm used is
sha1. To change the default algorithms, add the following configuration under the
<security> tag in the
carbon.xml file found in the
<IS_HOME>/repository/conf directory. The example given below sets the signing algorithm to
rsa-sha256 and the digest algorithm to
To configure this, apply the 4678 WUM update to WSO2 IS 5.6.0 using the WSO2 Update Manager (WUM). To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.