WS-Fed app integrations
Web Services Federation (WS-Fed) is an XML-based protocol used for Single Sign-On (SSO). Typically, WS-Fed is used to sign on to legacy Windows-based web apps and Microsoft Office 365, where Okta acts as an authorization server or identity provider (IdP).
When an admin adds a WS-Fed app integration to an org and assigns it to an end user, the integration appears as a new tile on that user's End-User Dashboard.
Okta as the identity provider
Okta supports integrating with WS-Fed apps as an IdP that provides SSO to external apps.
When users request access to an external app registered with Okta, they're redirected to Okta. As the IdP, Okta then delivers an assertion to the browser. The browser uses that assertion to authenticate the user to the app.
- Using WS-Fed, the user attempts to access client apps that are protected by Okta.
- Client apps act as WS-Fed service providers (SPs) and delegate user authentication to Okta. The client apps send an assertion to Okta to establish the user session.
- Okta acts as the WS-Fed IdP and uses SSO and Multifactor Authentication (MFA) to authenticate the user.
- Okta returns an assertion to the client apps through the end user's browser.
- The client apps validate the returned assertion and allow the user access to the client app.
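The exchange in the steps above, as an added example that is not Okta's code or documentation: the SP side builds the wsignin1.0 redirect, the IdP side reads it back, and the SP side decides whether to accept a posted wresult (a WS-Trust RequestSecurityTokenResponse wrapping a SAML 1.1 assertion, constructed here as sample data). Hostnames, the realm `urn:sp:example` and the token contents are assumptions; a real SP must also verify the assertion's XML signature, which this example leaves out.

```python
from urllib.parse import urlencode, urlparse, parse_qs
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespaces that appear in a WS-Fed response carrying a SAML 1.1 token.
NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

def build_signin_request(idp_url, realm, reply_url, ctx):
    """Steps 1-2 (SP side): redirect the browser to the IdP with a wsignin1.0 request."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply_url, "wctx": ctx}
    return f"{idp_url}?{urlencode(params)}"

def parse_signin_request(url):
    """Step 3 (IdP side): read the WS-Fed parameters back out of the request URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def _iso(ts):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def sp_accepts(wresult, expected_audience, now_iso):
    """Step 5 (SP side): accept the posted wresult only if the assertion names this SP
    as its audience and the check happens inside its validity window. A signature
    check (omitted here) must also pass before any claim in the token is trusted."""
    root = ET.fromstring(wresult)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return False
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False   # an unconditioned token would never expire: reject it
    audience = cond.findtext("saml:AudienceRestrictionCondition/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        return False   # token minted for a different app, or replayed across apps
    now = _iso(now_iso)
    return _iso(cond.get("NotBefore")) <= now < _iso(cond.get("NotOnOrAfter"))

# Constructed sample wresult (not a real Okta response): a five-minute SAML 1.1 token.
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="_example-assertion-id" Issuer="http://www.okta.com/example-issuer">
      <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
        <saml:AudienceRestrictionCondition><saml:Audience>urn:sp:example</saml:Audience></saml:AudienceRestrictionCondition>
      </saml:Conditions>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
```

Calling `sp_accepts(SAMPLE_WRESULT, "urn:sp:example", "2024-01-01T00:01:00Z")` returns True, while the same token checked at its NotOnOrAfter instant or against another audience returns False.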
Users, client apps, and external IdPs can all be on your intranet and behind a firewall, as long as the end user can reach Okta through the internet.