In general I think the API design of the WS-Federation support in WIF / .NET 4.5 is a bit unfortunate.
It was a strange decision to combine the HTTP module (aka the FAM) and the more generic protocol helpers into a single class. And the fact the system.identityModel configuration sections are not declared by default, makes the FAM hard to use as a “standalone” library (for the search engines: “ID7027: Could not load the identity configuration because no <system.identityModel> configuration section was found.”). Microsoft?! Please fix this.
That all in combination makes it non-obvious how to “manually” process WS-Federation messages and since the question came up recently – here’s how to do it with ASP.NET Web API:
To create the WS-Federation request you can use this code:
public HttpResponseMessage Get()
var signInRequest = new SignInRequestMessage(
new Uri(“https://idsrv.local/issue/wsfed “),
var response = Request.CreateResponse(
The interesting bit is processing the response. As long as you can turn the post data into a NameValueCollection, it’s quite easy:
public HttpResponseMessage Post(HttpRequestMessage request)
var form = request.Content.ReadAsFormDataAsync().Result;
var signInResponse = WSFederationMessage.CreateFromNameValueCollection(
form) as SignInResponseMessage;
var fam = new WSFederationAuthenticationModule();
// set all the necessary configuration
// don't forget to declare the system.identityModel config sections
fam.FederationConfiguration = new FederationConfiguration();
var token = fam.GetSecurityToken(signInResponse);
// validate token etc.