ms3ti/OS11_WsFederation

WS-Federation Connector for OutSystems 11

OutSystems Extension Component — Seamless WS-Federation SSO integration for OutSystems 11 applications.


Overview

The WS-Federation Connector is an OutSystems Extension Component that provides a straightforward way to integrate authentication using the WS-Federation protocol into OutSystems 11 applications.

It simplifies the integration of identity providers (IdPs) that use WS-Federation — handling federation metadata parsing, SSO redirect URL generation, SAML 1.1 token validation, and claims extraction — so developers can implement standards-based Single Sign-On without writing custom protocol-level code.


Features

  • Automatic IdP Configuration — Reads a Federation Metadata URL and automatically extracts the Issuer, SSO endpoint, and IdP certificate.
  • SSO Redirect URL Generation — Builds a complete WS-Federation sign-in URL to redirect users to the identity provider.
  • SAML 1.1 Token Validation — Validates the token returned by the IdP, verifying the issuer, audience, and certificate signature.
  • Claims Extraction — Deserializes identity claims from the SAML assertion into structured OutSystems records.
  • HTTP POST Body Reading — Reads the raw WS-Federation response posted back to the application callback.
  • URL Decode Utility — Decodes URL-encoded WS-Federation responses.

Architecture

This extension is built in C# and integrates with the OutSystems Extension API. It exposes the following server actions:

| Action | Description |
| --- | --- |
| GetIdpConfigurationFromMetadata | Fetches and parses IdP metadata XML to extract Issuer, SSO URL, and certificate. |
| GetFederationSignInUrl | Builds the full WS-Federation sign-in redirect URL for the given IdP, realm, and reply URL. |
| ValidateAndExtractClaims | Validates the SAML 1.1 token from the IdP response and returns claims as JSON. |
| DeserializeClaimsToKeyValueList | Converts the claims JSON into an OutSystems-friendly key-value list structure. |
| GetHttpPostBody | Reads the raw HTTP POST body from the incoming WS-Federation callback request. |
| UrlDecode | URL-decodes the raw WS-Federation response string. |
| Ping | Health check action. Returns "Pong". |

Prerequisites

  • OutSystems 11 (O11) environment
  • Access to an identity provider that supports WS-Federation (e.g., Active Directory Federation Services — ADFS, Azure AD with WS-Fed endpoints)
  • OutSystems Integration Studio (for extension development or customization)

Installation

Download the component from the OutSystems Forge and publish it to your OutSystems 11 environment:

Download from OutSystems Forge →

  1. Download the .oap file from the Forge link above.
  2. Open Service Center in your OutSystems environment.
  3. Go to Factory → Solutions and upload the .oap file.
  4. Publish the solution.
  5. Reference the extension in your OutSystems application module.

Usage

1. Load IdP Configuration from Metadata

Use GetIdpConfigurationFromMetadata to automatically configure your integration by pointing it to your IdP's Federation Metadata URL:

MetadataUrl → https://your-idp.example.com/FederationMetadata/2007-06/FederationMetadata.xml

Output:
  Issuer           → https://your-idp.example.com/adfs/services/trust
  SingleSignOnUrl  → https://your-idp.example.com/adfs/ls/
  CertificateBase64 → MIICxDCCAaygAwIBAgI...
  IsSuccess        → True

2. Generate the Sign-In Redirect URL

Use GetFederationSignInUrl to build the redirect URL and send the user to the IdP:

IdpUrl   → https://your-idp.example.com/adfs/ls/
Realm    → https://your-outsystems-app.example.com/
ReplyUrl → https://your-outsystems-app.example.com/WsFedCallback

Output:
  SignInUrl → https://your-idp.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=...

Redirect the user's browser to this URL.

3. Handle the Callback and Validate the Token

On your callback endpoint, use GetHttpPostBody to read the raw POST, then pass it to ValidateAndExtractClaims:

WsFederationResponse → (raw POST body from IdP)
Issuer               → https://your-idp.example.com/adfs/services/trust
Audience             → https://your-outsystems-app.example.com/
IdpCertificate       → MIICxDCCAaygAwIBAgI...

Output:
  IsAuthenticated → True
  ClaimsJson      → {"email": ["[email protected]"], "name": ["John Doe"], ...}

4. Parse Claims into OutSystems Records

Use DeserializeClaimsToKeyValueList to convert the JSON claims into a typed OutSystems record list for easy consumption in your application logic.
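
The checks that the callback step relies on (issuer, audience, and certificate signature) are shown below as an added C# example; it is not the connector's own source. It assumes the NuGet packages Microsoft.IdentityModel.Protocols.WsFederation and Microsoft.IdentityModel.Tokens.Saml, and the class name, method name, and two-minute clock skew are illustrative choices.

```csharp
// Added illustration, not code from this repository.
// Assumed packages: Microsoft.IdentityModel.Protocols.WsFederation,
//                   Microsoft.IdentityModel.Tokens.Saml
using System;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Protocols.WsFederation;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml;

public static class WsFedCallbackExample   // hypothetical helper name
{
    // rawPostBody:   form-encoded callback body (wa=wsignin1.0&wresult=...).
    // issuer, audience, idpCertBase64: values pinned from the IdP metadata,
    // never values taken from the incoming response itself.
    public static ClaimsPrincipal Validate(string rawPostBody, string issuer,
                                           string audience, string idpCertBase64)
    {
        WsFederationMessage message = WsFederationMessage.FromQueryString(rawPostBody);
        if (!message.IsSignInMessage)
            throw new SecurityTokenException("Not a WS-Federation sign-in response.");

        // The SAML assertion is carried inside the wresult parameter.
        string tokenXml = message.GetToken();
        if (string.IsNullOrEmpty(tokenXml))
            throw new SecurityTokenException("wresult carries no security token.");

        var signingCert = new X509Certificate2(Convert.FromBase64String(idpCertBase64));
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudience = audience,
            IssuerSigningKey = new X509SecurityKey(signingCert),
            RequireSignedTokens = true,          // reject unsigned assertions
            ValidateLifetime = true,             // enforce NotBefore / NotOnOrAfter
            ClockSkew = TimeSpan.FromMinutes(2)  // assumed tolerance
        };

        // Throws a SecurityTokenException subclass if any check fails;
        // treat every exception as a failed sign-in.
        return new SamlSecurityTokenHandler()
            .ValidateToken(tokenXml, parameters, out SecurityToken _);
    }
}
```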


Project Structure

OS11_WsFederation/
├── WsFederationConnector.cs       # Core extension logic (all server actions)
├── Interface.cs                   # OutSystems-generated extension interface
├── Entities.cs                    # Entity definitions
├── Structures.cs                  # Structure definitions
├── Records.cs                     # Record type definitions
├── RecordLists.cs                 # Record list definitions
├── AssemblyInfo.cs                # Assembly metadata
├── WsFederationConnector.csproj   # C# project file
└── WsFederationConnector.sln      # Visual Studio solution file

Dependencies

  • Microsoft.IdentityModel.Tokens.Saml11 — SAML 1.1 token handling
  • Newtonsoft.Json — JSON serialization for claims
  • System.IdentityModel.Services — WS-Federation message building
  • OutSystems.HubEdition.RuntimePlatform — OutSystems runtime integration

Contributing

Contributions are welcome! If you'd like to improve this component:

  1. Fork the repository.
  2. Create a feature branch (git checkout -b feature/my-improvement).
  3. Commit your changes (git commit -m 'Add my improvement').
  4. Push to your branch (git push origin feature/my-improvement).
  5. Open a Pull Request.

For significant changes, please open an Issue first to discuss what you'd like to change.


License

This project is licensed under the BSD 3-Clause License. See LICENSE for details.


Author

Developed and maintained by Edson Marques.

Also available on the OutSystems Forge.
