add ws-federation docs

Author: shashimalcse

en/asgardeo/docs/assets/img/guides/applications/create-new-ws-federation-app.png

@@ -0,0 +1,137 @@
+# Sample WS-Federation web app
+
+By following this guide, you will be able to deploy a WS-Federation-based web application and enable login for it using the Passive Security Token Service (Passive STS) of {{product_name}}.
+
+!!! info
+    {{product_name}} uses its passive security token service (Passive STS) as its WS-Federation implementation.
+    Passive STS is capable of issuing SAML 1.1 and 2.0 security tokens. To request a SAML 2.0 security token, the Request Security Token (RST) should be sent to the passive STS endpoint with the token type, `SAMLV2.0`. If no RST is specified, {{product_name}} issued a SAML 1.1 token by default.
+---
+
+### Prerequisites
+
+- Download [Apache Tomcat 8.x](https://tomcat.apache.org/download-80.cgi){:target="_blank"} and install it. Tomcat server installation location will later be referred to as `<TOMCAT_HOME>` in this guide.
+
+- It is recommended that you use a hostname that is not `localhost` to avoid browser errors. Modify your machine's `/etc/hosts` entry to reflect this.
+
+- Download the [Passive STS Sample application](https://github.com/wso2/samples-is/releases/download/v4.6.2/PassiveSTSSampleApp.war){:target="_blank"} from the latest release assets.
+
+### Deploy the sample app
+
+To deploy the sample web app on a web container:
+
+1. Copy the application's downloaded `.war` file into the `webapps` directory of the Tomcat folder.
+
+2. Start the Tomcat server.
+
+### Configure sample properties
+
+To configure additional properties for the sample application:
+
+1. Add the following configurations to the `web.xml` file in `<TOMCAT_HOME>/apache-tomcat-<version>/webapps/PassiveSTSSampleApp/WEB-INF`.
+    - Specify `idpUrl` as the Identity Server's Passive STS URL.
+        ``` xml
+        <init-param>
+                <param-name>idpUrl</param-name>
+                <param-value>https://api.asgardeo.io/t/<organization_name>/passivests</param-value>
+        </init-param> 
+        ```
+
+    - Specify the `replyURL` as the URL of the web app.
+        ``` xml
+        <init-param>
+                <param-name>replyUrl</param-name>
+                <param-value>http://localhost:8080/PassiveSTSSampleApp/index.jsp</param-value>
+        </init-param>
+        ```
+
+    - Specify the ` realm ` as a unique identifier for the web app.
+        ``` xml
+        <init-param>
+                <param-name>realm</param-name>
+                <param-value>PassiveSTSSampleApp</param-value>
+        </init-param> 
+        ```
+
+2. Restart the tomcat server.
+
+## Configure the service provider
+
+1. On the WSO2 Identity Server Console, go to **Applications**.
+
+2. Click **New Application** and select **Standard-Based Application**.
+
+3. Enter the following details:
+
+    ![Create a new Passice STS app]({{base_path}}/assets/img/guides/applications/create-new-ws-federation-app.png){: width="700" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
+
+    <table>
+        <tr>
+            <td>Name</td>
+            <td>
+                Give a unique name to identify your application.
+                <p>e.g.:<code>PassiveSTSSampleApp</code></p>
+            </td>
+        </tr>
+        <tr>
+            <td>Protocol</td>
+            <td>Select <b>WS-Federation</b>.</td>
+        </tr>
+        <tr>
+            <td>Realm</td>
+            <td>
+                This should be a unique identifier for the web app. Provide the same realm name given to the web app you are configuring WS-Federation for.
+                <p>e.g.:<code>PassiveSTSSampleApp</code></p>
+            </td>
+        </tr>
+        <tr>
+            <td>Reply URL</td>
+            <td>
+                Provide the URL of the web app you are configuring WS-Federation for. This endpoint URL will handle the token response.
+                <p><code>http://localhost:8080/PassiveSTSSampleApp/index.jsp</code></p>
+            </td>
+        </tr>
+    </table>
+
+4. Click **Register** to complete the registration.
+
+5. Go to the **Protocol** section of the application, configure the following and click **Update** to save the changes.
+
+    <table>
+        <tr>
+            <td>Reply Logout URL</td>
+            <td>
+                This endpoint in your application handles the logout response from {{product_name}}.
+                <p><code>http://localhost:8080/PassiveSTSSampleApp/index.jsp</code></p>
+            </td>
+        </tr>
+    </table>
+
+6. Go to the **User Attributes** tab and click **Add User Attribute**, and add the following attributes:
+
+    - `http://wso2.org/claims/username`
+    - `http://wso2.org/claims/emailaddress`
+
+7. Select `http://wso2.org/claims/emailaddress` as the **Subject attribute**.
+
+8. Click **Update** to save your configurations.
+
+## Try it out
+
+!!! info
+    When redirecting your users to {{product_name}} Passive STS endpoint, the following (optional) parameters are sent in the request from the sample application.
+
+	- **wa=wsignin1.0**: specifies whether {{product_name}} should issue a token for the relying party (this is the default action).
+    - **wa=wsignout1.0**: specifies whether {{product_name}} should log the user out.
+    - **wreply={replyUrl}**: specifies where the response should be sent.
+
+	Using a Network tracer such as a SAML tracer is recommended to analyze the HTTP request and responses in this scenario. With a tracer, you will be able to view the parameters mentioned above and also see the SAML token that is issued from {{product_name}}.
+
+1. Access one of the following links on your browser and click **Login**.
+    - To get a SAML 1.1 token: <http://localhost:8080/PassiveSTSSampleApp/index.jsp>
+    - To get a SAML 2.0 token: <http://localhost:8080/PassiveSTSSampleApp?samlv=2-0>
+
+2. Login using your credentials.
+
+3. Provide the required consent. You will be redirected to the {{product_name}} WS-Federation Service and then redirected back to the configured `replyUrl`.
+
+You will see the WS-Federation response with the requested claims on the screen.

en/asgardeo/docs/assets/img/guides/applications/ws-federation/upload-certificate-of-app.png

@@ -0,0 +1,5 @@
+{% set product_name = "Asgardeo" %}
+{% set product_url_format = "https://api.asgardeo.io/t/{organization_name}" %}
+{% set product_url_sample = "https://api.asgardeo.io/t/bifrost" %}
+{% set entityID = "accounts.asgardeo.io/t/{organization_name}" %}
+{% include "../../../../includes/references/app-settings/ws-federation-settings-for-app.md" %}

en/asgardeo/docs/assets/img/guides/applications/ws-federation/ws-federation-settings.png

@@ -0,0 +1,61 @@
+# WS-Federation settings for apps
+
+You can find the WS-Federation protocol related settings under **Protocol** section of the selected WS-Federation application.
+  
+![WS-Federation settings]({{base_path}}/assets/img/guides/applications/ws-federation/ws-federation-settings.png){: width="600" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
+
+## Basic settings
+
+To enable WS-Federation-based single sign-on (SSO), you need to configure the following key identifiers and endpoints.
+
+### Realm
+
+The Realm is a unique identifier for your application. It tells {{product_name}} which application is requesting authentication. This must match the `wtrealm` parameter in the WS-Federation request.
+
+### Reply URL
+
+The Reply URL is the endpoint in your application where {{product_name}} sends the authentication response after a successful login. This should match the `wreply` parameter in the WS-Federation request and must be configured to handle the security token.
+
+### Reply Logout URL
+
+The Reply Logout URL is the endpoint in your application that receives the logout response from {{product_name}}.
+
+## Advanced settings
+
+Use the following advanced settings to enhance the security and behavior of your WS-Federation integration.
+
+### Certificate
+
+If your application signs authentication or logout requests, {{product_name}} uses this certificate to verify their authenticity.
+
+You can either upload a certificate or use a JWKS endpoint to add a certificate.
+
+To upload a certificate:
+
+1. Select <b>Provide Certificate</b> and click <b>New Certificate</b>.
+
+    ![Upload app certificate]({{base_path}}/assets/img/guides/applications/ws-federation/upload-certificate-of-app.png){: width="400" style="display: block; margin: 0; border: 0.3px solid lightgrey;"}
+
+    ??? note "Convert `.crt`, `.cer` or `.der` certificates to `.pen` using [OpenSSL](https://www.openssl.org/){:target="_blank"}"
+
+        {{product_name}} only accepts certificates in the `.pem` format. To convert other certificates to `pem`, use one of the following commands.
+
+        - Convert CRT to PEM
+        
+            ```
+            openssl x509 -in cert.crt -out cert.pem
+            ```
+        
+        - Convert CER to PEM:
+        
+            ```
+            openssl x509 -in cert.cer -out cert.pem
+            ```
+        
+        - Convert DER to PEM:
+        
+            ```
+            openssl x509 -in cert.der -out cert.pem
+            ```
+
+2. Upload the certificate file or copy the certificate contents.