Sun OpenSSO Enterprise 8.0 Developer's Guide

Chapter 7 Implementing WS-Federation

At one time, federation was implemented using the Liberty Alliance Project Identity Federation Framework (Liberty ID-FF). Federation standards now also include SAML v1.x, SAML v2, and WS-Federation. Although these protocols are interoperable using OpenSSO Enterprise, they are not related to one another. This chapter contains the following sections on WS-Federation.

Accessing the WS-Federation Java Server Pages

The WS-Federation Service uses JavaServer Pages™ (JSP™) to complete its functionality. After a default installation, the JSPs are located in /path-to-context-root/opensso/wsfederation/jsp. They include:

The page displayed after a successful logout.

The HTML form used to send the WS-Federation single sign-on responses from the identity provider to the service provider.

The page displayed if no realm is defined.

Using the WS-Federation Packages

The following packages relate to the WS-Federation functionality in OpenSSO Enterprise. For more detailed information, see the Sun OpenSSO Enterprise 8.0 Java API Reference.

The package com.sun.identity.wsfederation.plugins defines the WS-Federation service provider interfaces (SPI). is an implementation of this SPI.

Table 7–1 com.sun.identity.wsfederation.plugins Interfaces

IDPAccountMapper
    IDPAccountMapper is used on the identity provider (SAML v2 provider) side to map the local identities to the SAML v2 protocol objects. It accomplishes the reverse for some of the protocols (for example, ManageNameIDRequest). The default implementation, com.sun.identity.wsfederation.plugins.DefaultIDPAccountMapper, is used by the SAML v2 framework to retrieve the user's account federation information to construct the SAML protocol objects (for example, an Assertion) and to find the corresponding user account for the given SAML v2 requests.

IDPAttributeMapper
    IDPAttributeMapper is used to map an authenticated user's attributes to SAML v2 attributes. The SAML v2 framework may then insert the attribute information as an AttributeStatement in a SAML v2 assertion. The default implementation, com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper, reads the configured attributes or attributes that are available through the SSOToken and returns the SAML v2 attributes.

IDPAuthenticationMethodMapper
    IDPAuthenticationMethodMapper creates an IDPAuthenticationTypeInfo element based on the RequestAuthnContext information from the AuthnRequest sent by a service provider and the AuthnContext configuration on the identity provider side. The default implementation, com.sun.identity.wsfederation.plugins.DefaultIDPAuthenticationMethodMapper, is used by the identity provider to determine the authentication mechanism and set the AuthnContext in the assertion.

PartnerAccountMapper
    com.sun.identity.saml.plugins.PartnerAccountMapper is an interface that is implemented to map a partner account to a user account in OpenSSO Enterprise. Different partners would need different implementations of the interface. The mappings between the partner source ID and the implementation class are configured in the Partner URLs field of the SAML service. com.sun.identity.wsfederation.plugins.DefaultADFSPartnerAccountMapper is the default implementation.

SPAttributeMapper
    SPAttributeMapper maps SAML v2 attributes to local user attributes. This mapper is used by the service provider to read the configured map for the corresponding SAML v2 attributes and supply them to the SAML framework. The locally mapped attributes returned by the implementation of this interface are inserted into the SSOToken by the SAML v2 framework. com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper is the default implementation.
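Because whatever an SPAttributeMapper returns is written into the user's SSOToken, a custom mapper on the service provider side is the place to decide which partner-asserted attributes are trusted at all. The following class is an added example, not code from the OpenSSO Enterprise documentation or product: it maps only an explicit allowlist of partner attribute names to local attribute names and drops everything else, so a partner cannot push arbitrary profile attributes into the local session. The method signature (getAttributes with a List of attributes, the user ID, host and remote entity IDs, and the realm, throwing WSFederationException), the use of com.sun.identity.saml.assertion.Attribute as the element type with getAttributeValue() returning DOM elements, the Map-of-Sets return shape, the WSFederationException(String) constructor, and the claim URIs and package name are all assumptions made for this example and are not confirmed by this page.

```java
// Added example, not part of the OpenSSO Enterprise documentation or product code.
// Assumed (not confirmed by the page): the SPAttributeMapper interface declares
//   Map getAttributes(List attributes, String userID, String hostEntityID,
//                     String remoteEntityID, String realm) throws WSFederationException
// and the incoming attributes are com.sun.identity.saml.assertion.Attribute objects
// whose getAttributeValue() returns a List of org.w3c.dom.Element.
package com.example.wsfed; // hypothetical package

import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.w3c.dom.Element;

import com.sun.identity.saml.assertion.Attribute;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.wsfederation.common.WSFederationException;
import com.sun.identity.wsfederation.plugins.SPAttributeMapper;

public class AllowlistSPAttributeMapper implements SPAttributeMapper {

    // Partner attribute name -> local profile attribute name.
    // Only names listed here are ever returned (and so ever reach the SSOToken);
    // any other attribute asserted by the partner is silently dropped.
    // The claim URIs below are hypothetical values chosen for this example.
    private static final Map<String, String> ALLOWED = new HashMap<String, String>();
    static {
        ALLOWED.put("http://example.org/claims/EmailAddress", "mail");
        ALLOWED.put("http://example.org/claims/CommonName", "cn");
    }

    // Upper bound on a single value, so an oversized assertion value cannot be
    // stored verbatim in the session.
    private static final int MAX_VALUE_LENGTH = 256;

    public Map getAttributes(List attributes, String userID, String hostEntityID,
                             String remoteEntityID, String realm)
            throws WSFederationException {
        Map<String, Set<String>> mapped = new HashMap<String, Set<String>>();
        if (attributes == null) {
            return mapped;
        }
        for (Object o : attributes) {
            if (!(o instanceof Attribute)) {
                continue; // unexpected element type: ignore rather than guess
            }
            Attribute attr = (Attribute) o;
            String localName = ALLOWED.get(attr.getAttributeName());
            if (localName == null) {
                continue; // not on the allowlist
            }
            List values;
            try {
                values = attr.getAttributeValue();
            } catch (SAMLException e) {
                // Assumed constructor: WSFederationException(String message).
                throw new WSFederationException("cannot read attribute value: " + e.getMessage());
            }
            if (values == null) {
                continue;
            }
            Set<String> localValues = new HashSet<String>();
            for (Object v : values) {
                if (!(v instanceof Element)) {
                    continue;
                }
                String text = ((Element) v).getTextContent();
                if (text == null) {
                    continue;
                }
                text = text.trim();
                // Reject empty and oversized values instead of storing them.
                if (text.length() == 0 || text.length() > MAX_VALUE_LENGTH) {
                    continue;
                }
                localValues.add(text);
            }
            if (!localValues.isEmpty()) {
                mapped.put(localName, localValues);
            }
        }
        return mapped;
    }
}
```

The class would be configured as the service provider's attribute mapper in place of DefaultSPAttributeMapper; how that setting is made is outside what this page covers. The design choice worth noting is that unknown attribute names and malformed values are dropped rather than passed through, so the set of attributes that can appear in the SSOToken is fixed by the allowlist in the mapper, not by the partner.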


This package contains utility methods and constants for WS-Federation implementations.

Executing the Multi-Protocol Hub Sample

OpenSSO Enterprise includes WS-Federation functionality in the multi-protocol hub sample. The sample is located in /path-to-context-root/opensso/samples/multiprotocol. Open index.html for more information.