> Describes how to configure a WS-Fed application to use Auth0 as an identity provider.

# Configure WS-Fed Applications

You can configure a <Tooltip tip="Web Service Federation (WS-Fed): Protocol for managing user identities across domains." cta="View Glossary" href="/docs/glossary?term=WS-Fed">WS-Fed</Tooltip> application (service provider) to use Auth0 as an <Tooltip tip="Web Service Federation (WS-Fed): Protocol for managing user identities across domains." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip>. Some commonly used WS-Fed applications are pre-configured in Auth0 and available via [Single Sign-On Integrations](/docs/customize/integrations/sso-integrations). If a WS-Fed application is not listed in <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=Single+Sign-On">Single Sign-On</Tooltip> Integrations, the WS-Fed application configuration can be accessed using the following steps.

1. Go to **Dashboard > Applications > Applications**.
2. Click **Create App**.
3. Enter a name, and click **Save**.
4. Go to the **Addons** tab.

   <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
     Enabling both SAML and WS-Fed addons for a single client is not supported and may lead to inconsistent behavior. Use a separate client for each addon.
   </Callout>
5. Scroll to **WS-Fed Web App**, and enter the **Application Callback URL**. This is your callback URL in the WS-Fed application to which the WS-Fed response will be posted. It may also be called the **ACS** or **Assertion Consumer Service URL** in some applications.
6. Enter the **Realm**. This is an identifier sent by the WS-Fed application and is used to identify the application in the response.

## Configure claims included in the WS-Fed token response

Unlike the <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> Web App addon, the WS-Fed Web App addon does not include configuration settings that allow you to configure the token generated by Auth0. If you need to change the default settings, you can create a rule similar to:

```javascript lines expandable
function (user, context, callback) {

  // only apply changes for the WS-Fed application
  if (context.clientName !== 'Your ws-fed application name') {
    return callback(null, user, context);
  }

  // exclude the upn claim creation (defaults to true)
  context.samlConfiguration.createUpnClaim = false;

  // exclude the identities array (defaults to true)
  context.samlConfiguration.mapIdentities = false;

  // exclude claims that were not explicitly mapped (defaults to true)
  context.samlConfiguration.passthroughClaimsWithNoMapping = false;

  // this is the default mapping. Remove or change as you like.
  // Note that the key (left side) is the attribute name (namespace-qualified)
  // and the value (right side) is the property name from the user object.
  // you can also use transient values from the user object. For example, for:
  //    user.calculated_field = <some expression>;
  // then add this mapping:
  //    'some_claim': 'calculated_field', 
  context.samlConfiguration.mappings = {
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': 'user_id',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'email',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': 'given_name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': 'family_name',
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn': 'upn',
    'http://schemas.xmlsoap.org/claims/Group': 'groups'
  };

  callback(null, user, context);
}
```
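
A variation on the rule above that releases only the claims one application needs, with a small harness to check it locally before saving it in the Dashboard. This is an added example, not Auth0's code: `WSFED_CLIENT_ID`, `ALLOWED_GROUPS`, `wsfed_groups`, `runRule` and the sample user are hypothetical, and `context.clientID` is used in place of `clientName` because the ID stays the same when the application is renamed. The harness checks only what the rule writes to `user` and `context`, not the token Auth0 issues.

```javascript
// Added example: names marked "hypothetical" are assumptions, not values from Auth0 or this page.
const WSFED_CLIENT_ID = 'YOUR_WSFED_CLIENT_ID';      // placeholder client ID
const ALLOWED_GROUPS = new Set(['finance', 'hr']);   // hypothetical allowlist
const CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';

function wsFedMinimalClaims(user, context, callback) {
  // Match on the client ID so a renamed application still hits this branch.
  if (context.clientID !== WSFED_CLIENT_ID) {
    return callback(null, user, context);
  }

  // Transient value: only the groups this application needs to see.
  user.wsfed_groups = (user.groups || []).filter((g) => ALLOWED_GROUPS.has(g));

  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.createUpnClaim = false;
  context.samlConfiguration.mapIdentities = false;
  // Nothing outside the mapping below is passed through.
  context.samlConfiguration.passthroughClaimsWithNoMapping = false;
  context.samlConfiguration.mappings = {
    [CLAIMS + 'nameidentifier']: 'user_id',
    [CLAIMS + 'emailaddress']: 'email',
    'http://schemas.xmlsoap.org/claims/Group': 'wsfed_groups'
  };

  callback(null, user, context);
}

// Local harness: runs a rule on constructed input and returns what it left behind.
function runRule(rule, user, context) {
  let result;
  rule(user, context, (err, u, c) => { result = { err, user: u, context: c }; });
  return result;
}

// Constructed sample user (not real data).
function sampleUser() {
  return { user_id: 'auth0|000', email: 'a@example.com', groups: ['finance', 'admins'] };
}

function demo() {
  return {
    target: runRule(wsFedMinimalClaims, sampleUser(), { clientID: WSFED_CLIENT_ID, samlConfiguration: {} }),
    other: runRule(wsFedMinimalClaims, sampleUser(), { clientID: 'some-other-client', samlConfiguration: {} })
  };
}

console.log(JSON.stringify(demo().target.context.samlConfiguration, null, 2));
```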

## Custom domains

To use your WS-Fed apps with a <Tooltip tip="Custom Domain: Third-party domain with a specialized, or vanity, name." cta="View Glossary" href="/docs/glossary?term=custom+domain">custom domain</Tooltip> and with Auth0 as the IdP, update your service provider with new identity provider metadata from Auth0. You can obtain the metadata from:

`https://<YOUR CUSTOM DOMAIN>/wsfed/FederationMetadata/2007-06/FederationMetadata.xml`.

## Encrypted responses

If you require encrypted responses, you should use SAML to connect to ADFS. To learn more, read [Configure ADFS as SAML Identity Provider](/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-service-provider/configure-adfs-saml-connections) and [Sign and Encrypt SAML Requests](/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests).

## Learn more

* [Custom Domains](/docs/customize/custom-domains)
* [Auth0 Integrations](/docs/customize/integrations)
