Understanding the Differences Between WS-FED and SAML for Okta
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article explains the differences between the two authentication protocols, WS-Fed and SAML, that are commonly used for Single Sign-On (SSO) in Okta. It gives an overview of how SSO works with each protocol and compares the authentication steps in SAML and WS-Fed.

Applies To
  • Web Services Federation (WS-Fed)
  • Security Assertion Markup Language (SAML)
  • Single Sign-On (SSO)
Solution

SSO with SAML or WS-Fed works in a similar way, with the details of what is sent and received varying between the two protocols.

Here is a brief comparison of the two:


SAML (Security Assertion Markup Language)

  • The web application sends a SAML request to the Identity Provider (IdP).

  • After verifying the user's identity, the IdP returns a SAML response. Inside that SAML response is a SAML assertion.

  • It is possible to specify signing the SAML assertion, the SAML response, or both.


WS-Fed (Web Services Federation)

  • The web application sends query parameters in a Request Security Token (RST) as the request to the Identity Provider (IdP).

  • After verifying the user's identity, the identity provider returns a Request Security Token Response (RSTR). Inside that RSTR is a SAML assertion.

  • RSTRs are always signed.
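As an added example (not from this article or from Okta), the check below parses a constructed SAML 2.0 Response and a constructed WS-Fed RSTR (the WS-Trust 2005/02 namespace is assumed for the RSTR), locates the SAML assertion embedded in each, and reports whether the assertion, the outer envelope, or both carry an XML Signature, which is the difference the two lists above describe.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
TRUST = "{http://schemas.xmlsoap.org/ws/2005/02/trust}"  # assumption: WS-Trust 2005/02 RSTR
ASSERTION_TAGS = {"{urn:oasis:names:tc:SAML:2.0:assertion}Assertion",
                  "{urn:oasis:names:tc:SAML:1.0:assertion}Assertion"}
SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def has_signature(elem):
    # An enveloped XML Signature is a direct ds:Signature child of the element it covers.
    return any(child.tag == SIGNATURE for child in elem)

def inspect_sso_message(xml_text):
    # Classify the envelope (SAML Response vs WS-Fed RSTR) and report where signatures sit.
    # Assumption: in production, parse untrusted XML with defusedxml rather than ElementTree.
    root = ET.fromstring(xml_text)
    if root.tag == SAMLP + "Response":
        protocol = "SAML"
    elif root.tag == TRUST + "RequestSecurityTokenResponse":
        protocol = "WS-Fed"
    else:
        raise ValueError("not a SAML Response or WS-Trust RSTR: " + root.tag)
    assertions = [e for e in root.iter() if e.tag in ASSERTION_TAGS]
    return {
        "protocol": protocol,
        "assertions": len(assertions),
        "envelope_signed": has_signature(root),
        "assertion_signed": bool(assertions) and all(has_signature(a) for a in assertions),
    }

# Constructed sample: SAML 2.0 Response whose Assertion (but not the Response) is signed.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: WS-Fed RSTR carrying a signed SAML 1.1 assertion.
WSFED_RSTR = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <t:RequestedSecurityToken>
    <saml:Assertion AssertionID="_a2" MajorVersion="1" MinorVersion="1">
      <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
```

The function only locates signatures; actual signature validation against the IdP certificate must still be done by the SP's SAML or WS-Fed library.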


Authentication Steps in SAML vs WS-Fed

SAML authentication steps:

  1. A user visits the login page of a web application.

  2. The web application generates a SAML request and redirects the user to the SSO URL.

  3. The Identity Provider (IdP) parses the SAML request and verifies the user's identity against Active Directory or another user store.

  4. The IdP generates a SAML assertion in a SAML response and sends it all back to the web application.

  5. The web application receives the SAML response and logs the user in to the application.


WS-Fed authentication steps:

  1. A user visits the login page of a web application.

  2. The web application generates a Request Security Token (RST) and redirects the user to the SSO URL.

  3. The identity provider parses the RST request and verifies the user's identity against Active Directory or another user store.

  4. The identity provider generates a SAML assertion inside a Request Security Token Response (RSTR) and sends it all back to the web application.

  5. The web application receives the RSTR response and logs the user in to the application.
