> Describes how to configure a WS-Fed application to use Auth0 as an identity provider.

# Configure WS-Fed Applications

You can configure a <Tooltip tip="Web Service Federation (WS-Fed): Protocol for managing user identities across domains." cta="View Glossary" href="/docs/glossary?term=WS-Fed">WS-Fed</Tooltip> application (service provider) to use Auth0 as an <Tooltip tip="Web Service Federation (WS-Fed): Protocol for managing user identities across domains." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip>. Some commonly used WS-Fed applications are pre-configured in Auth0 and available via [Single Sign-On Integrations](/docs/customize/integrations/sso-integrations). If a WS-Fed application is not listed in <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=Single+Sign-On">Single Sign-On</Tooltip> Integrations, you can access the WS-Fed application configuration using the following steps.

1. Go to **Dashboard > Applications > Applications**.
2. Click **Create App**.
3. Enter a name, and click **Save**.
4. Go to the **Addons** tab.

   <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
     Enabling both SAML and WS-Fed addons for a single client is not supported and may lead to inconsistent behavior. Use a separate client for each addon.
   </Callout>
5. Scroll to **WS-Fed Web App**, and enter the **Application Callback URL**. This is your callback URL in the WS-Fed application to which the WS-Fed response will be posted. It may also be called the **ACS** or **Assertion Consumer Service URL** in some applications.
6. Enter the **Realm**. This is an identifier sent by the WS-Fed application and is used to identify the application in the response.

## Configure claims included in the WS-Fed token response

Unlike the <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> Web App addon, the WS-Fed Web App addon does not include configuration settings that allow you to configure the token generated by Auth0. If you need to change the default settings, you can create a post-login Action similar to:

```javascript lines expandable theme={null}
exports.onExecutePostLogin = async (event, api) => {

  // only apply changes for the WS-Fed application
  if (event.client.name !== 'Your ws-fed application name') {
    return;
  }

  // exclude the upn claim creation (defaults to true)
  api.samlResponse.setCreateUpnClaim(false);

  // exclude the identities array (defaults to true)
  api.samlResponse.setMapIdentities(false);

  // exclude claims that were not explicitly mapped (defaults to true)
  api.samlResponse.setPassthroughClaimsWithNoMapping(false);

  // this is the default mapping. Remove or change as you like.
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier', event.user.user_id);
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', event.user.email || null);
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', event.user.name || null);
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname', event.user.given_name || null);
  api.samlResponse.setAttribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname', event.user.family_name || null);
};
```

## Custom domains

To use your WS-Fed apps with a <Tooltip tip="Custom Domain: Third-party domain with a specialized, or vanity, name." cta="View Glossary" href="/docs/glossary?term=custom+domain">custom domain</Tooltip> and with Auth0 as the IdP, update your service provider with new identity provider metadata from Auth0. You can obtain the metadata from:

`https://<YOUR CUSTOM DOMAIN>/wsfed/FederationMetadata/2007-06/FederationMetadata.xml`.
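One way to confirm that the metadata your service provider imported points at the custom domain and not a previous hostname, as an added example (not Auth0's code). The sample XML is constructed and assumes the standard WS-Federation 1.2 metadata layout; `login.example.com` and the function names are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed sample shaped like WS-Federation metadata (not real Auth0 output).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="urn:example-tenant">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.example.com/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def passive_endpoints(metadata_xml):
    """Return every PassiveRequestorEndpoint address found in the metadata."""
    # Only parse metadata fetched over HTTPS from your own tenant; the
    # standard-library parser is not hardened against hostile XML.
    root = ET.fromstring(metadata_xml)
    path = ".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address"
    return [(el.text or "").strip() for el in root.findall(path, NS)]


def check_custom_domain(metadata_xml, custom_domain):
    """Return a list of problems; an empty list means the metadata matches."""
    problems = []
    endpoints = passive_endpoints(metadata_xml)
    if not endpoints:
        problems.append("no PassiveRequestorEndpoint found")
    for address in endpoints:
        parts = urlsplit(address)
        if parts.scheme != "https":
            problems.append(f"endpoint is not https: {address}")
        if (parts.hostname or "").lower() != custom_domain.lower():
            problems.append(f"endpoint host is not {custom_domain}: {address}")
    return problems
```

Run `check_custom_domain` against the metadata file your service provider currently holds; any reported problem means it still needs the metadata from the custom-domain URL above.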

## Encrypted responses

If you require encrypted responses, you should use SAML to connect to ADFS. To learn more, read [Configure ADFS as SAML Identity Provider](/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-service-provider/configure-adfs-saml-connections) and [Sign and Encrypt SAML Requests](/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests).

## Learn more

* [Custom Domains](/docs/customize/custom-domains)
* [Auth0 Integrations](/docs/customize/integrations)
