IBM Tivoli Federated Identity Manager, Version 6.2.2.7

WS-Federation single sign-on profiles

The single sign-on profiles enable a client using a Web browser to achieve single sign-on access to resources within a WS-Federation 1.0 federation.

Typically the user wants to access a resource provided by a service provider, and must authenticate with an identity provider in order to be granted that access.

The profile provides a mechanism for the Web user to obtain an authentication assertion that can be used to establish a security context within the federation. Establishment of the security context enables a user to access multiple resources within the federation without having to authenticate more than once.

WS-Federation supports two profiles for use with single sign-on sessions:

Browser POST
Browser POST uses a self-posting form during the establishment and use of a trusted session between an identity provider, a service provider, and a client (browser).

WS-Federation supports browser POST by default. No configuration is required.

Single logout
This profile terminates all login sessions within the federation for a specified user. WS-Federation supports single logout by default. No configuration is required.
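The Browser POST exchange described above, sketched as an added example; it is not code from IBM Tivoli Federated Identity Manager. It assumes the standard WS-Federation passive form fields `wa`, `wresult` and `wctx`, and that the service provider stored the `wctx` value it sent with its sign-in request. The function names, URL and token string are hypothetical.

```python
import html
import hmac
from urllib.parse import parse_qs

SIGNIN_ACTION = "wsignin1.0"  # WS-Federation passive sign-in action value


def build_self_posting_form(sp_url, wresult, wctx):
    """Identity provider side: page the browser auto-submits to the service provider."""
    fields = {"wa": SIGNIN_ACTION, "wresult": wresult, "wctx": wctx}
    # Escape every value: wresult is XML and must not break out of the attribute.
    inputs = "\n".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}"/>'
        for name, value in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form method="post" action="{html.escape(sp_url, quote=True)}">\n'
        f"{inputs}\n"
        '<noscript><input type="submit" value="Continue"/></noscript>\n'
        "</form></body></html>"
    )


def accept_signin_post(body, expected_wctx):
    """Service provider side: return wresult only if the POST matches the pending request.

    The returned token is still untrusted; its signature, issuer and validity
    period must be checked before a security context is established.
    """
    params = parse_qs(body, keep_blank_values=True)
    for name in ("wa", "wresult", "wctx"):
        # A missing or repeated field is ambiguous, so reject it outright.
        if len(params.get(name, [])) != 1:
            raise ValueError(f"missing or repeated {name}")
    if params["wa"][0] != SIGNIN_ACTION:
        raise ValueError("unexpected wa value")
    # Bind the response to the request this browser session actually started.
    if not hmac.compare_digest(params["wctx"][0].encode(), expected_wctx.encode()):
        raise ValueError("wctx does not match the pending sign-in request")
    return params["wresult"][0]
```
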

