The Telerik Platform product is retired.Learn more

Integrating Passive Federation

Integrating Passive Federation

Passive federation relies on the device's web browser to do most of the communication between the device and AD FS. That said, you still need to know what URL to request and how to acquire the SAML token from the Security Token Service's (STS) reply. The security benefit of passive federation is that the user never provides their AD credentials to your app.

The detailed passive federation workflow is presented in Introduction to Active Directory Federation Services Integration.


You need to make certain settings before you can successfully log in your app users through AD FS.

Getting AD FS Metadata

You can use the getAdfsMetadata() method to read the app's AD FS metadata from the server. The AdfsMetadata class contains MetadataUrl and Realm members that correspond to the settings that you configured for your app on the backend.

public RequestResult<AdfsMetadata> getAdfsMetadata()
    return this.everliveApp.workWith().authentication().getAdfsMetadata().executeSync();

Preparing the Request URL

After you have obtained the AD FS metadata, you are ready to open the device's web browser and point it to the appropriate URL.

The URL must be in the following format:

https:// + AD FS FQDN + /adfs/ls/ + ?wa=wsignin1.0&wreply= + MetadataUrl + /adfs/token + &wtrealm + Realm


  • AD FS FQDN is the fully qualified domain name of your AD FS.
  • MetadataUrl and Realm are contained in the AdfsMetadata class returned by getAdfsMetadata.

For example:

Extracting the SAML Access Token

After the browser contacts the AD FS STS and performs authentication, the STS redirects the browser to the Reply URL and posts the SAML token to it. The server logic behind the Reply URL encodes the SAML response in base64 format and redirects the user device browser to localhost appended with the access_token HTML parameter containing the SAML token. You need to parse the resulting URL to extract the SAML token from it.

The URL has the following format:


Where saml-access-token is the base64-encoded SAML access token.

Registering or Authenticating the User

After you obtain an SAML token from the AD FS STS, you can use the LoginWithAdfs() method overload that accepts a Base64-encoded token.

On first invocation, LoginWithAdfs registers the user. Consequent invocations for the same user authenticate the user.

On success, the method returns an object containing a Telerik Platform access token (not to be mistaken with the AD FS SAML security token) that can be used with further Backend Services JavaScript SDK operations. In that, the loginWithAdfs() method behaves similarly to the login() method.

public void loginUser(EverliveApp app, String token) {

See Also

External resources:

Contact us: +1-888-365-2779
Copyright © 2016-2018, Progress Software Corporation and/or its subsidiaries or affiliates. All rights reserved.