This documentation is for WSO2 Identity Server 5.7.0 . View documentation for the latest release.

All docs This doc

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Expand the WS-Federation (Passive) Configuration form.
  2. Fill in the following fields where relevant.

    FieldDescriptionSample value
    Enable Passive STSSelecting this option enables Passive STS to be used as an authenticator for users provisioned to the Identity Server.Selected
    DefaultSelecting the Default checkbox signifies that Passive STS is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
    Passive STS RealmThis is used as an identifier for the realm and can be any value.WSFederationHealthCare
    Passive STS URL

    When sending the authentication request, there is a request for a security token generated by WS-Trust.


    As long as the federated IdP is the WSO2 Identity Server, this URL must follow this format: https://(host-name):(port)/acs 

    Passive STS User ID LocationSelect whether the User ID is found in 'Name Identifier' as part of the authentication request or if it is found among the claims. This specifies how the user is identified.User ID found in 'Name Identifier'
    Additional Query ParametersThis is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here.paramName1=value1
titleConfiguring hostname verification

In previous releases, Passive STS Single-Logout (SLO) requests for service providers were initiated without hostname verification which can impose a security risk. From IS 5.2.0 release onwards, certificate validation has been enforced and hostname verification is enabled by default. If you want to disable the hostname verification, configure the following property in the <IS_HOME>/repository/conf/identity/identity.xml file under the Server\SSOService tag. 

Code Block

Note: If the certificate is self-signed, import the service provider's public key to the IS client trust store to ensure that the SSL handshake in the SLO request is successful. For more information on how to do this, see Managing Keystores with the UI in the WSO2 Product Administration Guide.

  • Identity Federation is part of the process of configuring an identity provider. For more information on how to configure an identity provider, see Configuring an Identity Provider.