diff --git a/examples/AWSDriverExample/build.gradle.kts b/examples/AWSDriverExample/build.gradle.kts
index d39df2ff8..efe5d86f9 100644
--- a/examples/AWSDriverExample/build.gradle.kts
+++ b/examples/AWSDriverExample/build.gradle.kts
@@ -20,6 +20,7 @@ dependencies {
     implementation("mysql:mysql-connector-java:8.0.33")
     implementation("software.amazon.awssdk:rds:2.21.11")
     implementation("software.amazon.awssdk:secretsmanager:2.21.21")
+    implementation("software.amazon.awssdk:sts:2.21.21")
     implementation("com.fasterxml.jackson.core:jackson-databind:2.16.0")
     implementation(project(":aws-advanced-jdbc-wrapper"))
     implementation("io.opentelemetry:opentelemetry-api:1.32.0")
diff --git a/examples/AWSDriverExample/src/main/java/software/amazon/FederatedAuthPluginExample.java b/examples/AWSDriverExample/src/main/java/software/amazon/FederatedAuthPluginExample.java
new file mode 100644
index 000000000..d00e08638
--- /dev/null
+++ b/examples/AWSDriverExample/src/main/java/software/amazon/FederatedAuthPluginExample.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon;
+
+import software.amazon.jdbc.PropertyDefinition;
+import software.amazon.jdbc.plugin.federatedauth.FederatedAuthPlugin;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.Properties;
+
+public class FederatedAuthPluginExample {
+
+  private static final String CONNECTION_STRING = "jdbc:aws-wrapper:postgresql://db-identifier.XYZ.us-east-2.rds.amazonaws.com:5432/employees";
+
+  public static void main(String[] args) throws SQLException {
+    // Set the AWS Federated Authentication Connection Plugin parameters and the JDBC Wrapper parameters.
+    final Properties properties = new Properties();
+
+    // Enable the AWS Federated Authentication Connection Plugin.
+    properties.setProperty(PropertyDefinition.PLUGINS.name, "federatedAuth");
+    properties.setProperty(FederatedAuthPlugin.IDP_NAME.name, "adfs");
+    properties.setProperty(FederatedAuthPlugin.IDP_ENDPOINT.name, "ec2amaz-ab3cdef.example.com");
+    properties.setProperty(FederatedAuthPlugin.IAM_ROLE_ARN.name, "arn:aws:iam::123456789012:role/adfs_example_iam_role");
+    properties.setProperty(FederatedAuthPlugin.IAM_IDP_ARN.name, "arn:aws:iam::123456789012:saml-provider/adfs_example");
+    properties.setProperty(FederatedAuthPlugin.IAM_REGION.name, "us-east-2");
+    properties.setProperty(FederatedAuthPlugin.IDP_USERNAME.name, "someFederatedUsername@teamatlas.example.com");
+    properties.setProperty(FederatedAuthPlugin.IDP_PASSWORD.name, "somePassword");
+    properties.setProperty(PropertyDefinition.USER.name, "someIamUser");
+
+    // Try and make a connection:
+    try (final Connection conn = DriverManager.getConnection(CONNECTION_STRING, properties);
+         final Statement statement = conn.createStatement();
+         final ResultSet rs = statement.executeQuery("SELECT 1")) {
+      System.out.println(Util.getResult(rs));
+    }
+  }
+}
diff --git a/wrapper/build.gradle.kts b/wrapper/build.gradle.kts
index 4690be11f..c64f2c3a2 100644
--- a/wrapper/build.gradle.kts
+++ b/wrapper/build.gradle.kts
@@ -28,7 +28,10 @@ plugins {
 
 dependencies {
     implementation("org.checkerframework:checker-qual:3.40.0")
+    compileOnly("org.apache.httpcomponents:httpclient:4.5.14")
     compileOnly("software.amazon.awssdk:rds:2.21.11")
+    compileOnly("software.amazon.awssdk:sts:2.21.11")
+    compileOnly("software.amazon.awssdk:iam:2.21.11")
     compileOnly("com.zaxxer:HikariCP:4.0.3") // Version 4.+ is compatible with Java 8
     compileOnly("software.amazon.awssdk:secretsmanager:2.21.21")
     compileOnly("com.fasterxml.jackson.core:jackson-databind:2.16.0")
@@ -58,9 +61,10 @@ dependencies {
     testImplementation("com.zaxxer:HikariCP:4.0.3") // Version 4.+ is compatible with Java 8
     testImplementation("org.springframework.boot:spring-boot-starter-jdbc:2.7.13") // 2.7.13 is the last version compatible with Java 8
     testImplementation("org.mockito:mockito-inline:4.11.0") // 4.11.0 is the last version compatible with Java 8
-    testImplementation("software.amazon.awssdk:rds:2.21.11")
     testImplementation("software.amazon.awssdk:ec2:2.21.12")
+    testImplementation("software.amazon.awssdk:rds:2.21.11")
     testImplementation("software.amazon.awssdk:secretsmanager:2.21.21")
+    testImplementation("software.amazon.awssdk:sts:2.21.11")
     testImplementation("org.testcontainers:testcontainers:1.19.1")
     testImplementation("org.testcontainers:mysql:1.19.1")
     testImplementation("org.testcontainers:postgresql:1.19.2")
diff --git a/wrapper/src/main/java/software/amazon/jdbc/ConnectionPluginChainBuilder.java b/wrapper/src/main/java/software/amazon/jdbc/ConnectionPluginChainBuilder.java
index 6424b654d..b9de6e45a 100644
--- a/wrapper/src/main/java/software/amazon/jdbc/ConnectionPluginChainBuilder.java
+++ b/wrapper/src/main/java/software/amazon/jdbc/ConnectionPluginChainBuilder.java
@@ -39,10 +39,10 @@
 import software.amazon.jdbc.plugin.dev.DeveloperConnectionPluginFactory;
 import software.amazon.jdbc.plugin.efm.HostMonitoringConnectionPluginFactory;
 import software.amazon.jdbc.plugin.failover.FailoverConnectionPluginFactory;
+import software.amazon.jdbc.plugin.federatedauth.FederatedAuthPluginFactory;
 import software.amazon.jdbc.plugin.readwritesplitting.ReadWriteSplittingPluginFactory;
 import software.amazon.jdbc.plugin.staledns.AuroraStaleDnsPluginFactory;
 import software.amazon.jdbc.profile.ConfigurationProfile;
-import software.amazon.jdbc.profile.DriverConfigurationProfiles;
 import software.amazon.jdbc.util.Messages;
 import software.amazon.jdbc.util.SqlState;
 import software.amazon.jdbc.util.StringUtils;
@@ -65,6 +65,7 @@ public class ConnectionPluginChainBuilder {
           put("failover", FailoverConnectionPluginFactory.class);
           put("iam", IamAuthConnectionPluginFactory.class);
           put("awsSecretsManager", AwsSecretsManagerConnectionPluginFactory.class);
+          put("federatedAuth", FederatedAuthPluginFactory.class);
           put("auroraStaleDns", AuroraStaleDnsPluginFactory.class);
           put("readWriteSplitting", ReadWriteSplittingPluginFactory.class);
           put("auroraConnectionTracker", AuroraConnectionTrackerPluginFactory.class);
@@ -92,7 +93,8 @@ public class ConnectionPluginChainBuilder {
           put(HostMonitoringConnectionPluginFactory.class, 800);
           put(IamAuthConnectionPluginFactory.class, 900);
           put(AwsSecretsManagerConnectionPluginFactory.class, 1000);
-          put(LogQueryConnectionPluginFactory.class, 1100);
+          put(FederatedAuthPluginFactory.class, 1100);
+          put(LogQueryConnectionPluginFactory.class, 1200);
           put(ConnectTimeConnectionPluginFactory.class, WEIGHT_RELATIVE_TO_PRIOR_PLUGIN);
           put(ExecutionTimeConnectionPluginFactory.class, WEIGHT_RELATIVE_TO_PRIOR_PLUGIN);
           put(DeveloperConnectionPluginFactory.class, WEIGHT_RELATIVE_TO_PRIOR_PLUGIN);
diff --git a/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
new file mode 100644
index 000000000..9a72e96db
--- /dev/null
+++ b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactory.java
@@ -0,0 +1,239 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Properties;
+import java.util.Set;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.apache.http.NameValuePair;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.util.EntityUtils;
+import org.checkerframework.checker.nullness.qual.NonNull;
+import software.amazon.jdbc.PluginService;
+import software.amazon.jdbc.util.Messages;
+import software.amazon.jdbc.util.StringUtils;
+import software.amazon.jdbc.util.telemetry.TelemetryContext;
+import software.amazon.jdbc.util.telemetry.TelemetryFactory;
+import software.amazon.jdbc.util.telemetry.TelemetryTraceLevel;
+
+public class AdfsCredentialsProviderFactory extends SamlCredentialsProviderFactory {
+
+  public static final String IDP_NAME = "adfs";
+  private static final String TELEMETRY_FETCH_SAML = "Fetch ADFS SAML Assertion";
+  private static final Logger LOGGER = Logger.getLogger(AdfsCredentialsProviderFactory.class.getName());
+  private final PluginService pluginService;
+  private final TelemetryFactory telemetryFactory;
+  private final CloseableHttpClient httpClient;
+  private TelemetryContext telemetryContext;
+
+  public AdfsCredentialsProviderFactory(PluginService pluginService, CloseableHttpClient httpClient) {
+    this.pluginService = pluginService;
+    this.telemetryFactory = this.pluginService.getTelemetryFactory();
+    this.httpClient = httpClient;
+  }
+
+  @Override
+  String getSamlAssertion(final @NonNull Properties props) {
+    this.telemetryContext = telemetryFactory.openTelemetryContext(TELEMETRY_FETCH_SAML, TelemetryTraceLevel.NESTED);
+
+    String uri = "https://" + FederatedAuthPlugin.IDP_ENDPOINT.getString(props) + ':'
+        + FederatedAuthPlugin.IDP_PORT.getString(props) + "/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp="
+        + FederatedAuthPlugin.RELAYING_PARTY_ID.getString(props);
+
+    try {
+      LOGGER.finest(Messages.get("AdfsCredentialsProviderFactory.signOnPageUrl", new Object[] {uri}));
+      validateURL(uri);
+      HttpGet get = new HttpGet(uri);
+      CloseableHttpResponse resp = httpClient.execute(get);
+
+      if (resp.getStatusLine().getStatusCode() != 200) {
+        throw new IOException(Messages.get("AdfsCredentialsProviderFactory.signOnPageRequestFailed",
+            new Object[] {
+                resp.getStatusLine().getStatusCode(),
+                resp.getStatusLine().getReasonPhrase(),
+                EntityUtils.toString(resp.getEntity())}));
+      }
+
+      String body = EntityUtils.toString(resp.getEntity());
+
+      String action = getFormAction(body);
+      if (!StringUtils.isNullOrEmpty(action) && action.startsWith("/")) {
+        uri = "https://" + FederatedAuthPlugin.IDP_ENDPOINT.getString(props) + ':' + FederatedAuthPlugin.IDP_PORT.getString(props) + action;
+      }
+
+      LOGGER.finest(Messages.get("AdfsCredentialsProviderFactory.signOnPagePostActionUrl", new Object[] {uri}));
+
+      validateURL(uri);
+      HttpPost post = new HttpPost(uri);
+      post.setEntity(new UrlEncodedFormEntity(getParameters(body, props)));
+      resp = httpClient.execute(post);
+      if (resp.getStatusLine().getStatusCode() != 200) {
+        throw new IOException(Messages.get("AdfsCredentialsProviderFactory.signOnPagePostActionRequestFailed",
+            new Object[] {
+                resp.getStatusLine().getStatusCode(),
+                resp.getStatusLine().getReasonPhrase(),
+                EntityUtils.toString(resp.getEntity())}));
+      }
+
+      String content = EntityUtils.toString(resp.getEntity());
+      Matcher matcher = FederatedAuthPlugin.SAML_RESPONSE_PATTERN.matcher(content);
+      if (!matcher.find()) {
+        throw new IOException(Messages.get("AdfsCredentialsProviderFactory.failedLogin", new Object[] {content}));
+      }
+
+      return matcher.group(1);
+    } catch (IOException e) {
+      LOGGER.severe(Messages.get("AdfsCredentialsProviderFactory.getSamlAssertionFailed", new Object[] {e}));
+      this.telemetryContext.setSuccess(false);
+      this.telemetryContext.setException(e);
+      throw new RuntimeException(e);
+    } finally {
+      this.telemetryContext.closeContext();
+    }
+  }
+
+  private List<String> getInputTagsFromHTML(String body) {
+    Set<String> distinctInputTags = new HashSet<>();
+    List<String> inputTags = new ArrayList<String>();
+    Pattern inputTagPattern = Pattern.compile("<input(.+?)/>", Pattern.DOTALL);
+    Matcher inputTagMatcher = inputTagPattern.matcher(body);
+    while (inputTagMatcher.find()) {
+      String tag = inputTagMatcher.group(0);
+      String tagNameLower = getValueByKey(tag, "name").toLowerCase();
+      if (!tagNameLower.isEmpty() && distinctInputTags.add(tagNameLower)) {
+        inputTags.add(tag);
+      }
+    }
+    return inputTags;
+  }
+
+  private String getValueByKey(String input, String key) {
+    Pattern keyValuePattern = Pattern.compile("(" + Pattern.quote(key) + ")\\s*=\\s*\"(.*?)\"");
+    Matcher keyValueMatcher = keyValuePattern.matcher(input);
+    if (keyValueMatcher.find()) {
+      return escapeHtmlEntity(keyValueMatcher.group(2));
+    }
+    return "";
+  }
+
+  private String escapeHtmlEntity(String html) {
+    StringBuilder sb = new StringBuilder(html.length());
+    int i = 0;
+    int length = html.length();
+    while (i < length) {
+      char c = html.charAt(i);
+      if (c != '&') {
+        sb.append(c);
+        i++;
+        continue;
+      }
+
+      if (html.startsWith("&amp;", i)) {
+        sb.append('&');
+        i += 5;
+      } else if (html.startsWith("&apos;", i)) {
+        sb.append('\'');
+        i += 6;
+      } else if (html.startsWith("&quot;", i)) {
+        sb.append('"');
+        i += 6;
+      } else if (html.startsWith("&lt;", i)) {
+        sb.append('<');
+        i += 4;
+      } else if (html.startsWith("&gt;", i)) {
+        sb.append('>');
+        i += 4;
+      } else {
+        sb.append(c);
+        ++i;
+      }
+    }
+    return sb.toString();
+  }
+
+  private List<NameValuePair> getParameters(String body, final @NonNull Properties props) {
+    List<NameValuePair> parameters = new ArrayList<NameValuePair>();
+    for (String inputTag : getInputTagsFromHTML(body)) {
+      String name = getValueByKey(inputTag, "name");
+      String value = getValueByKey(inputTag, "value");
+      String nameLower = name.toLowerCase();
+
+      if (nameLower.contains("username")) {
+        parameters.add(new BasicNameValuePair(name, FederatedAuthPlugin.IDP_USERNAME.getString(props)));
+      } else if (nameLower.contains("authmethod")) {
+        if (!value.isEmpty()) {
+          parameters.add(new BasicNameValuePair(name, value));
+        }
+      } else if (nameLower.contains("password")) {
+        parameters
+            .add(new BasicNameValuePair(name, FederatedAuthPlugin.IDP_PASSWORD.getString(props)));
+      } else if (!name.isEmpty()) {
+        parameters.add(new BasicNameValuePair(name, value));
+      }
+    }
+    return parameters;
+  }
+
+  private String getFormAction(String body) {
+    Pattern pattern = Pattern.compile("<form.*?action=\"([^\"]+)\"");
+    Matcher m = pattern.matcher(body);
+    if (m.find()) {
+      return escapeHtmlEntity(m.group(1));
+    }
+    return null;
+  }
+
+  private void validateURL(String paramString) throws IOException {
+
+    URI authorizeRequestUrl = URI.create(paramString);
+    String errorMessage = Messages.get("AdfsCredentialsProviderFactory.invalidHttpsUrl", new Object[] {paramString});
+
+    try {
+      if (!authorizeRequestUrl.toURL().getProtocol().equalsIgnoreCase("https")) {
+        throw new IOException(errorMessage);
+      }
+
+      Matcher matcher = FederatedAuthPlugin.HTTPS_URL_PATTERN.matcher(paramString);
+      if (!matcher.find()) {
+        throw new IOException(errorMessage);
+      }
+    } catch (MalformedURLException e) {
+      throw new IOException(errorMessage, e);
+    }
+  }
+
+  public void close() {
+    try {
+      this.httpClient.close();
+    } catch (IOException e) {
+      // Ignore
+    }
+  }
+}
diff --git a/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/CredentialsProviderFactory.java b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/CredentialsProviderFactory.java
new file mode 100644
index 000000000..7e9785d2d
--- /dev/null
+++ b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/CredentialsProviderFactory.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import java.io.Closeable;
+import java.util.Properties;
+import org.checkerframework.checker.nullness.qual.NonNull;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+
+public interface CredentialsProviderFactory extends Closeable {
+  AwsCredentialsProvider getAwsCredentialsProvider(String host, Region region, final @NonNull Properties props);
+}
diff --git a/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPlugin.java b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPlugin.java
new file mode 100644
index 000000000..fcc21c8c6
--- /dev/null
+++ b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPlugin.java
@@ -0,0 +1,347 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import java.io.IOException;
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.logging.Logger;
+import java.util.regex.Pattern;
+import org.checkerframework.checker.nullness.qual.NonNull;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.rds.RdsUtilities;
+import software.amazon.jdbc.AwsWrapperProperty;
+import software.amazon.jdbc.HostSpec;
+import software.amazon.jdbc.JdbcCallable;
+import software.amazon.jdbc.PluginService;
+import software.amazon.jdbc.PropertyDefinition;
+import software.amazon.jdbc.plugin.AbstractConnectionPlugin;
+import software.amazon.jdbc.util.Messages;
+import software.amazon.jdbc.util.RdsUtils;
+import software.amazon.jdbc.util.StringUtils;
+import software.amazon.jdbc.util.telemetry.TelemetryContext;
+import software.amazon.jdbc.util.telemetry.TelemetryCounter;
+import software.amazon.jdbc.util.telemetry.TelemetryFactory;
+import software.amazon.jdbc.util.telemetry.TelemetryGauge;
+import software.amazon.jdbc.util.telemetry.TelemetryTraceLevel;
+
+public class FederatedAuthPlugin extends AbstractConnectionPlugin {
+
+  static final ConcurrentHashMap<String, TokenInfo> tokenCache = new ConcurrentHashMap<>();
+  private final CredentialsProviderFactory credentialsProviderFactory;
+  private static final int DEFAULT_TOKEN_EXPIRATION_SEC = 15 * 60 - 30;
+  private static final int DEFAULT_HTTP_TIMEOUT = 60000;
+  public static final AwsWrapperProperty IDP_ENDPOINT = new AwsWrapperProperty("idpEndpoint", null,
+      "The hosting URL of the Identity Provider");
+  public static final AwsWrapperProperty IDP_PORT =
+      new AwsWrapperProperty("idpPort", "443", "The hosting port of Identity Provider");
+  public static final AwsWrapperProperty RELAYING_PARTY_ID =
+      new AwsWrapperProperty("rpIdentifier", "urn:amazon:webservices", "The relaying party identifier");
+  public static final AwsWrapperProperty IAM_ROLE_ARN =
+      new AwsWrapperProperty("iamRoleArn", null, "The ARN of the IAM Role that is to be assumed.");
+  public static final AwsWrapperProperty IAM_IDP_ARN =
+      new AwsWrapperProperty("iamIdpArn", null, "The ARN of the Identity Provider");
+  public static final AwsWrapperProperty IAM_REGION = new AwsWrapperProperty("iamRegion", null,
+      "Overrides AWS region that is used to generate the IAM token");
+  public static final AwsWrapperProperty IAM_TOKEN_EXPIRATION = new AwsWrapperProperty("iamTokenExpiration",
+      String.valueOf(DEFAULT_TOKEN_EXPIRATION_SEC), "IAM token cache expiration in seconds");
+  public static final AwsWrapperProperty IDP_USERNAME =
+      new AwsWrapperProperty("idpUsername", null, "The federated user name");
+  public static final AwsWrapperProperty IDP_PASSWORD = new AwsWrapperProperty("idpPassword", null,
+      "The federated user password");
+  public static final AwsWrapperProperty IAM_HOST = new AwsWrapperProperty(
+      "iamHost", null,
+      "Overrides the host that is used to generate the IAM token");
+  public static final AwsWrapperProperty IAM_DEFAULT_PORT = new AwsWrapperProperty("iamDefaultPort", null,
+      "Overrides default port that is used to generate the IAM token");
+  public static final AwsWrapperProperty HTTP_CLIENT_SOCKET_TIMEOUT = new AwsWrapperProperty(
+      "httpClientSocketTimeout", String.valueOf(DEFAULT_HTTP_TIMEOUT),
+      "The socket timeout value for the HttpClient used by the FederatedAuthPlugin");
+  public static final AwsWrapperProperty HTTP_CLIENT_CONNECT_TIMEOUT = new AwsWrapperProperty(
+      "httpClientConnectTimeout", String.valueOf(DEFAULT_HTTP_TIMEOUT),
+      "The connect timeout value for the HttpClient used by the FederatedAuthPlugin");
+  public static final AwsWrapperProperty SSL_INSECURE = new AwsWrapperProperty("sslInsecure", "true",
+      "Whether or not a SSL ");
+
+  public static AwsWrapperProperty
+      IDP_NAME = new AwsWrapperProperty("idpName", null, "The name of the Identity Provider implementation used ");
+  protected static final Pattern SAML_RESPONSE_PATTERN = Pattern.compile("SAMLResponse\\W+value=\"([^\"]+)\"");
+  protected static final Pattern HTTPS_URL_PATTERN =
+      Pattern.compile("^(https)://[-a-zA-Z0-9+&@#/%?=~_!:,.']*[-a-zA-Z0-9+&@#/%=~_']");
+
+  private static final String TELEMETRY_FETCH_TOKEN = "fetch IAM token";
+  private static final Logger LOGGER = Logger.getLogger(FederatedAuthPlugin.class.getName());
+
+  protected final PluginService pluginService;
+
+  protected final RdsUtils rdsUtils = new RdsUtils();
+
+  private static final Set<String> subscribedMethods =
+      Collections.unmodifiableSet(new HashSet<String>() {
+        {
+          add("connect");
+          add("forceConnect");
+        }
+      });
+
+  static {
+    PropertyDefinition.registerPluginProperties(FederatedAuthPlugin.class);
+  }
+
+  private final TelemetryFactory telemetryFactory;
+  private final TelemetryGauge cacheSizeGauge;
+  private final TelemetryCounter fetchTokenCounter;
+
+  @Override
+  public Set<String> getSubscribedMethods() {
+    return subscribedMethods;
+  }
+
+  public FederatedAuthPlugin(final PluginService pluginService,
+                             final CredentialsProviderFactory credentialsProviderFactory) {
+    try {
+      Class.forName("software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlRequest");
+    } catch (final ClassNotFoundException e) {
+      throw new RuntimeException(Messages.get("FederatedAuthPlugin.javaStsSdkNotInClasspath"));
+    }
+    this.pluginService = pluginService;
+    this.credentialsProviderFactory = credentialsProviderFactory;
+    this.telemetryFactory = pluginService.getTelemetryFactory();
+    this.cacheSizeGauge = telemetryFactory.createGauge("federatedAuth.tokenCache.size", () -> (long) tokenCache.size());
+    this.fetchTokenCounter = telemetryFactory.createCounter("federatedAuth.fetchToken.count");
+  }
+
+
+  @Override
+  public Connection connect(
+      final String driverProtocol,
+      final HostSpec hostSpec,
+      final Properties props,
+      final boolean isInitialConnection,
+      final JdbcCallable<Connection, SQLException> connectFunc)
+      throws SQLException {
+    return connectInternal(hostSpec, props, connectFunc);
+  }
+
+  @Override
+  public Connection forceConnect(
+      final @NonNull String driverProtocol,
+      final @NonNull HostSpec hostSpec,
+      final @NonNull Properties props,
+      final boolean isInitialConnection,
+      final @NonNull JdbcCallable<Connection, SQLException> forceConnectFunc)
+      throws SQLException {
+    return connectInternal(hostSpec, props, forceConnectFunc);
+  }
+
+  private Connection connectInternal(HostSpec hostSpec, Properties props,
+      JdbcCallable<Connection, SQLException> connectFunc) throws SQLException {
+
+    String host = getHost(hostSpec, props);
+
+    int port = getPort(hostSpec, props);
+
+    final Region region = getRegion(host, props);
+
+    final String cacheKey = getCacheKey(
+        PropertyDefinition.USER.getString(props),
+        host,
+        port,
+        region);
+
+    final TokenInfo tokenInfo = tokenCache.get(cacheKey);
+
+    final boolean isCachedToken = tokenInfo != null && !tokenInfo.isExpired();
+
+    if (isCachedToken) {
+      LOGGER.finest(
+          () -> Messages.get(
+              "FederatedAuthPlugin.useCachedIamToken",
+              new Object[] {tokenInfo.getToken()}));
+      PropertyDefinition.PASSWORD.set(props, tokenInfo.getToken());
+    } else {
+      updateAuthenticationToken(hostSpec, props, region, cacheKey);
+    }
+
+    try {
+      return connectFunc.call();
+    } catch (final SQLException exception) {
+      updateAuthenticationToken(hostSpec, props, region, cacheKey);
+      return connectFunc.call();
+    } catch (final Exception exception) {
+      LOGGER.warning(
+          () -> Messages.get(
+              "FederatedAuthPlugin.unhandledException",
+              new Object[] {exception}));
+      throw new SQLException(exception);
+    }
+  }
+
+  private void updateAuthenticationToken(HostSpec hostSpec, Properties props, Region region, String cacheKey)
+      throws SQLException {
+    final int tokenExpirationSec = IAM_TOKEN_EXPIRATION.getInteger(props);
+    final Instant tokenExpiry = Instant.now().plus(tokenExpirationSec, ChronoUnit.SECONDS);
+    AwsCredentialsProvider credentialsProvider =
+        this.credentialsProviderFactory.getAwsCredentialsProvider(hostSpec.getHost(), region, props);
+    String token = generateAuthenticationToken(
+        props,
+        hostSpec.getHost(),
+        getPort(hostSpec, props),
+        region,
+        credentialsProvider);
+    LOGGER.finest(
+        () -> Messages.get(
+            "FederatedAuthPlugin.generatedNewIamToken",
+            new Object[] {token}));
+    PropertyDefinition.PASSWORD.set(props, token);
+    tokenCache.put(
+        cacheKey,
+        new TokenInfo(token, tokenExpiry));
+    try {
+      credentialsProviderFactory.close();
+    } catch (IOException e) {
+      // Ignore
+    }
+  }
+
+  private Region getRegion(final String hostname, final Properties props) throws SQLException {
+    final String iamRegion = IAM_REGION.getString(props);
+    if (!StringUtils.isNullOrEmpty(iamRegion)) {
+      return Region.of(iamRegion);
+    }
+
+    // Fallback to using host
+    // Get Region
+    final String rdsRegion = rdsUtils.getRdsRegion(hostname);
+
+    if (StringUtils.isNullOrEmpty(rdsRegion)) {
+      // Does not match Amazon's Hostname, throw exception
+      final String exceptionMessage = Messages.get(
+          "FederatedAuthPlugin.unsupportedHostname",
+          new Object[] {hostname});
+
+      LOGGER.fine(exceptionMessage);
+      throw new SQLException(exceptionMessage);
+    }
+
+    // Check Region
+    final Optional<Region> regionOptional = Region.regions().stream()
+        .filter(r -> r.id().equalsIgnoreCase(rdsRegion))
+        .findFirst();
+
+    if (!regionOptional.isPresent()) {
+      final String exceptionMessage = Messages.get(
+          "AwsSdk.unsupportedRegion",
+          new Object[] {rdsRegion});
+
+      LOGGER.fine(exceptionMessage);
+      throw new SQLException(exceptionMessage);
+    }
+
+    return regionOptional.get();
+  }
+
+  String generateAuthenticationToken(final Properties props, final String hostname,
+      final int port, final Region region, final AwsCredentialsProvider awsCredentialsProvider) {
+    TelemetryFactory telemetryFactory = this.pluginService.getTelemetryFactory();
+    TelemetryContext telemetryContext = telemetryFactory.openTelemetryContext(
+        TELEMETRY_FETCH_TOKEN, TelemetryTraceLevel.NESTED);
+    this.fetchTokenCounter.inc();
+    try {
+      final String user = PropertyDefinition.USER.getString(props);
+      final RdsUtilities utilities =
+          RdsUtilities.builder().credentialsProvider(awsCredentialsProvider).region(region).build();
+      return utilities.generateAuthenticationToken((builder) -> builder.hostname(hostname).port(port).username(user));
+    } catch (Exception e) {
+      telemetryContext.setSuccess(false);
+      telemetryContext.setException(e);
+      throw e;
+    } finally {
+      telemetryContext.closeContext();
+    }
+  }
+
+  private String getCacheKey(
+      final String user,
+      final String hostname,
+      final int port,
+      final Region region) {
+
+    return String.format("%s:%s:%d:%s", region, hostname, port, user);
+  }
+
+  public static void clearCache() {
+    tokenCache.clear();
+  }
+
+  private String getHost(HostSpec hostSpec, Properties props) {
+    String host = hostSpec.getHost();
+    if (!StringUtils.isNullOrEmpty(IAM_HOST.getString(props))) {
+      host = IAM_HOST.getString(props);
+    }
+    return host;
+  }
+
+  private int getPort(HostSpec hostSpec, Properties props) {
+    if (!StringUtils.isNullOrEmpty(IAM_DEFAULT_PORT.getString(props))) {
+      int defaultPort = IAM_DEFAULT_PORT.getInteger(props);
+      if (defaultPort > 0) {
+        return defaultPort;
+      } else {
+        LOGGER.finest(Messages.get("FederatedAuthPlugin.invalidPort", new Object[] {defaultPort}));
+      }
+    }
+
+    if (hostSpec.isPortSpecified()) {
+      return hostSpec.getPort();
+    } else {
+      return this.pluginService.getDialect().getDefaultPort();
+    }
+  }
+
+  static class TokenInfo {
+
+    private final String token;
+    private final Instant expiration;
+
+    public TokenInfo(final String token, final Instant expiration) {
+      this.token = token;
+      this.expiration = expiration;
+    }
+
+    public String getToken() {
+      return this.token;
+    }
+
+    public Instant getExpiration() {
+      return this.expiration;
+    }
+
+    public boolean isExpired() {
+      return Instant.now().isAfter(this.expiration);
+    }
+  }
+}
diff --git a/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPluginFactory.java b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPluginFactory.java
new file mode 100644
index 000000000..99e0b21fe
--- /dev/null
+++ b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPluginFactory.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import java.security.GeneralSecurityException;
+import java.util.Properties;
+import software.amazon.jdbc.ConnectionPlugin;
+import software.amazon.jdbc.ConnectionPluginFactory;
+import software.amazon.jdbc.PluginService;
+import software.amazon.jdbc.util.Messages;
+
+public class FederatedAuthPluginFactory implements ConnectionPluginFactory {
+
+  @Override
+  public ConnectionPlugin getInstance(final PluginService pluginService, final Properties props) {
+    return new FederatedAuthPlugin(pluginService, getCredentialsProviderFactory(pluginService, props));
+  }
+
+  private CredentialsProviderFactory getCredentialsProviderFactory(final PluginService pluginService,
+      final Properties props) {
+    final String idpName = FederatedAuthPlugin.IDP_NAME.getString(props);
+    if (AdfsCredentialsProviderFactory.IDP_NAME.equalsIgnoreCase(idpName)) {
+      try {
+        return new AdfsCredentialsProviderFactory(
+            pluginService,
+            new HttpClientFactory().getCloseableHttpClient(
+                FederatedAuthPlugin.HTTP_CLIENT_SOCKET_TIMEOUT.getInteger(props),
+                FederatedAuthPlugin.HTTP_CLIENT_CONNECT_TIMEOUT.getInteger(props),
+                FederatedAuthPlugin.SSL_INSECURE.getBoolean(props)));
+      } catch (GeneralSecurityException e) {
+        throw new RuntimeException(
+            Messages.get("FederatedAuthPluginFactory.failedToInitializeHttpClient"), e);
+      }
+    }
+    throw new IllegalArgumentException(Messages.get("FederatedAuthPluginFactory.unsupportedIdp",
+        new Object[] {idpName}));
+  }
+}
diff --git a/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/HttpClientFactory.java b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/HttpClientFactory.java
new file mode 100644
index 000000000..e7597bbbb
--- /dev/null
+++ b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/HttpClientFactory.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import java.security.GeneralSecurityException;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import org.apache.http.client.config.CookieSpecs;
+import org.apache.http.client.config.RequestConfig;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.impl.client.LaxRedirectStrategy;
+
+/**
+ * Provides a HttpClient so that requests to HTTP API can be made. This is used by the
+ * {@link software.amazon.jdbc.plugin.federatedauth.AdfsCredentialsProviderFactory} to make HTTP calls to ADFS HTTP
+ * endpoints that are not available via SDK.
+ */
+public class HttpClientFactory {
+  private static int MAX_REQUEST_RETRIES = 3;
+
+  public CloseableHttpClient getCloseableHttpClient(int socketTimeoutMs, int connectionTimeoutMs,
+      boolean keySslInsecure) throws GeneralSecurityException {
+    RequestConfig rc = RequestConfig.custom()
+        .setSocketTimeout(socketTimeoutMs)
+        .setConnectTimeout(connectionTimeoutMs)
+        .setExpectContinueEnabled(false)
+        .setCookieSpec(CookieSpecs.STANDARD)
+        .build();
+
+    HttpClientBuilder builder = HttpClients.custom()
+        .setDefaultRequestConfig(rc)
+        .setRedirectStrategy(new LaxRedirectStrategy())
+        .setRetryHandler(new DefaultHttpRequestRetryHandler(MAX_REQUEST_RETRIES, true))
+        .useSystemProperties(); // this is needed for proxy setting using system properties.
+
+    if (keySslInsecure) {
+      SSLContext ctx = SSLContext.getInstance("TLSv1.2");
+      TrustManager[] tma = new TrustManager[] {new NonValidatingSSLSocketFactory.NonValidatingTrustManager()};
+      ctx.init(null, tma, null);
+      SSLSocketFactory factory = ctx.getSocketFactory();
+
+      SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
+          factory,
+          new NoopHostnameVerifier());
+
+      builder.setSSLSocketFactory(sf);
+    }
+
+    return builder.build();
+  }
+}
diff --git a/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/NonValidatingSSLSocketFactory.java b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/NonValidatingSSLSocketFactory.java
new file mode 100644
index 000000000..113235ac0
--- /dev/null
+++ b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/NonValidatingSSLSocketFactory.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+/**
+ * Provide a SSLSocketFactory that allows SSL connections to be made without validating the server's
+ * certificate. This is more convenient for some applications, but is less secure as it allows "man
+ * in the middle" attacks.
+ */
+public class NonValidatingSSLSocketFactory extends SSLSocketFactory {
+
+  /**
+   * We provide a constructor that takes an unused argument solely because the ssl calling code will
+   * look for this constructor first and then fall back to the no argument constructor, so we avoid
+   * an exception and additional reflection lookups.
+   *
+   * @param arg input argument
+   * @throws GeneralSecurityException if something goes wrong
+   */
+  public NonValidatingSSLSocketFactory(String arg) throws GeneralSecurityException {
+    SSLContext ctx = SSLContext.getInstance("TLS"); // or "SSL" ?
+
+    ctx.init(null, new TrustManager[]{new NonValidatingTrustManager()}, null);
+
+    factory = ctx.getSocketFactory();
+  }
+
+  protected SSLSocketFactory factory;
+
+  public Socket createSocket(InetAddress host, int port) throws IOException {
+    return factory.createSocket(host, port);
+  }
+
+  public Socket createSocket(String host, int port) throws IOException {
+    return factory.createSocket(host, port);
+  }
+
+  public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
+      throws IOException {
+    return factory.createSocket(host, port, localHost, localPort);
+  }
+
+  public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
+      throws IOException {
+    return factory.createSocket(address, port, localAddress, localPort);
+  }
+
+  public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
+      throws IOException {
+    return factory.createSocket(socket, host, port, autoClose);
+  }
+
+  public String[] getDefaultCipherSuites() {
+    return factory.getDefaultCipherSuites();
+  }
+
+  public String[] getSupportedCipherSuites() {
+    return factory.getSupportedCipherSuites();
+  }
+
+  public static class NonValidatingTrustManager implements X509TrustManager {
+
+    public X509Certificate[] getAcceptedIssuers() {
+      return new X509Certificate[0];
+    }
+
+    public void checkClientTrusted(X509Certificate[] certs, String authType) {
+    }
+
+    public void checkServerTrusted(X509Certificate[] certs, String authType) {
+    }
+  }
+}
diff --git a/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/SamlCredentialsProviderFactory.java b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/SamlCredentialsProviderFactory.java
new file mode 100644
index 000000000..93adea8df
--- /dev/null
+++ b/wrapper/src/main/java/software/amazon/jdbc/plugin/federatedauth/SamlCredentialsProviderFactory.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import static software.amazon.jdbc.plugin.federatedauth.FederatedAuthPlugin.IAM_IDP_ARN;
+import static software.amazon.jdbc.plugin.federatedauth.FederatedAuthPlugin.IAM_ROLE_ARN;
+
+import java.util.Properties;
+import java.util.function.Supplier;
+import org.checkerframework.checker.nullness.qual.NonNull;
+import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.sts.StsClient;
+import software.amazon.awssdk.services.sts.auth.StsAssumeRoleWithSamlCredentialsProvider;
+import software.amazon.awssdk.services.sts.model.AssumeRoleWithSamlRequest;
+
+public abstract class SamlCredentialsProviderFactory implements CredentialsProviderFactory {
+
+  @Override
+  public AwsCredentialsProvider getAwsCredentialsProvider(String host, Region region, final @NonNull Properties props) {
+
+    Supplier<AssumeRoleWithSamlRequest> assumeRoleWithSamlRequestSupplier = () -> {
+      String samlAssertion = getSamlAssertion(props);
+
+      return AssumeRoleWithSamlRequest.builder()
+          .samlAssertion(samlAssertion)
+          .roleArn(IAM_ROLE_ARN.getString(props))
+          .principalArn(IAM_IDP_ARN.getString(props))
+          .build();
+    };
+
+    StsClient stsClient = StsClient.builder()
+        .credentialsProvider(AnonymousCredentialsProvider.create())
+        .region(region)
+        .build();
+
+    return StsAssumeRoleWithSamlCredentialsProvider.builder()
+        .refreshRequest(assumeRoleWithSamlRequestSupplier)
+        .asyncCredentialUpdateEnabled(true)
+        .stsClient(stsClient)
+        .build();
+  }
+
+  abstract String getSamlAssertion(final @NonNull Properties props);
+}
diff --git a/wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties b/wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties
index 18d97ef5a..51e457ff5 100644
--- a/wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties
+++ b/wrapper/src/main/resources/aws_advanced_jdbc_wrapper_messages.properties
@@ -14,6 +14,16 @@
 # limitations under the License.
 #
 
+# ADFS Credentials Provider Getter
+AdfsCredentialsProviderFactory.failedLogin=Failed login. Could not obtain SAML Assertion from ADFS SignOn Page POST response: \n``{0}``
+AdfsCredentialsProviderFactory.getSamlAssertionFailed=Failed to get Saml Assertion due to exception:  ``{0}``
+AdfsCredentialsProviderFactory.invalidHttpsUrl=Invalid HTTPS URL: ``{0}``
+AdfsCredentialsProviderFactory.signOnPageBody=ADFS SignOn Body: ``{0}``
+AdfsCredentialsProviderFactory.signOnPagePostActionUrl=ADFS SignOn Action URL: ``{0}``
+AdfsCredentialsProviderFactory.signOnPagePostActionRequestFailed=ADFS SignOn Page POST action failed with HTTP status ``{0}``, reason phrase ``{1}``, and response ``{2}``
+AdfsCredentialsProviderFactory.signOnPageRequestFailed=ADFS SignOn Page Request Failed with HTTP status ``{0}``, reason phrase ``{1}``, and response ``{2}``
+AdfsCredentialsProviderFactory.signOnPageUrl=ADFS SignOn URL: ``{0}``
+
 # Aurora Host List Connection Plugin
 AuroraHostListConnectionPlugin.providerAlreadySet=Another dynamic host list provider has already been set: {0}.
 
@@ -147,6 +157,17 @@ Failover.failedToUpdateCurrentHostspecAvailability=Failed to update current host
 Failover.noOperationsAfterConnectionClosed=No operations allowed after connection closed.
 Failover.invalidHostListProvider=Incorrect type of host list provider found, please ensure the correct host list provider is specified. The host list provider in use is: ''{0}'', the plugin is expected a cluster-aware host list provider such as the AuroraHostListProvider.
 
+# Federated Authentication Connection Plugin
+FederatedAuthPlugin.generatedNewIamToken=Generated new IAM token = ''{0}''
+FederatedAuthPlugin.invalidPort=Port number: {0} is not valid. Port number should be greater than zero. Falling back to default port.
+FederatedAuthPlugin.javaStsSdkNotInClasspath=Required dependency 'AWS Java SDK for AWS Secret Token Service' is not on the classpath.
+FederatedAuthPlugin.unhandledException=Unhandled exception: ''{0}''
+FederatedAuthPlugin.unsupportedHostname=Unsupported AWS hostname {0}. Amazon domain name in format *.AWS-Region.rds.amazonaws.com or *.rds.AWS-Region.amazonaws.com.cn is expected.
+FederatedAuthPlugin.useCachedIamToken=Use cached IAM token = ''{0}''
+
+# Federated Authentication Connection Plugin Factory
+FederatedAuthPluginFactory.failedToInitializeHttpClient=Failed to initialize HttpClient.
+FederatedAuthPluginFactory.unsupportedIdp=Unsupported Identity Provider {0}. For a list of Identity Providers supported by the FederatedAuthenticationConnectionPlugin, please refer to the documentation.
 
 # HikariPooledConnectionProvider
 HikariPooledConnectionProvider.errorConnectingWithDataSource=Unable to connect to ''{0}'' using the Hikari data source.
diff --git a/wrapper/src/test/build.gradle.kts b/wrapper/src/test/build.gradle.kts
index b52eecc92..e0c1da927 100644
--- a/wrapper/src/test/build.gradle.kts
+++ b/wrapper/src/test/build.gradle.kts
@@ -41,8 +41,9 @@ dependencies {
     testImplementation("com.zaxxer:HikariCP:4.+") // version 4.+ is compatible with Java 8
     testImplementation("org.springframework.boot:spring-boot-starter-jdbc:2.7.13") // 2.7.13 is the last version compatible with Java 8
     testImplementation("org.mockito:mockito-inline:4.11.0") // 4.11.0 is the last version compatible with Java 8
-    testImplementation("software.amazon.awssdk:rds:2.20.49")
     testImplementation("software.amazon.awssdk:ec2:2.20.49")
+    testImplementation("software.amazon.awssdk:rds:2.20.49")
+    testImplementation("software.amazon.awssdk:sts:2.20.49")
     testImplementation("org.testcontainers:testcontainers:1.17.+")
     testImplementation("org.testcontainers:mysql:1.17.+")
     testImplementation("org.testcontainers:postgresql:1.17.+")
diff --git a/wrapper/src/test/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactoryTest.java b/wrapper/src/test/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactoryTest.java
new file mode 100644
index 000000000..cb7a9835d
--- /dev/null
+++ b/wrapper/src/test/java/software/amazon/jdbc/plugin/federatedauth/AdfsCredentialsProviderFactoryTest.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+import org.apache.http.HttpEntity;
+import org.apache.http.StatusLine;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.util.EntityUtils;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+import org.testcontainers.shaded.org.apache.commons.io.IOUtils;
+import software.amazon.jdbc.PluginService;
+import software.amazon.jdbc.util.telemetry.TelemetryContext;
+import software.amazon.jdbc.util.telemetry.TelemetryFactory;
+
+class AdfsCredentialsProviderFactoryTest {
+
+  private static final String USERNAME = "someFederatedUsername@teamatlas.example.com";
+  private static final String PASSWORD = "somePassword";
+  @Mock private PluginService mockPluginService;
+  @Mock private TelemetryFactory mockTelemetryFactory;
+  @Mock private TelemetryContext mockTelemetryContext;
+  @Mock private CloseableHttpClient mockHttpClient;
+  @Mock private CloseableHttpResponse mockHttpGetSignInPageResponse;
+  @Mock private CloseableHttpResponse mockHttpPostSignInResponse;
+  @Mock private StatusLine mockStatusLine;
+  @Mock private HttpEntity mockSignInPageHttpEntity;
+  @Mock private HttpEntity mockSamlHttpEntity;
+  private AdfsCredentialsProviderFactory adfsCredentialsProviderFactory;
+  private Properties props;
+
+  @BeforeEach
+  public void init() throws IOException {
+    MockitoAnnotations.openMocks(this);
+
+    this.props = new Properties();
+    this.props.setProperty(FederatedAuthPlugin.IDP_ENDPOINT.name, "ec2amaz-ab3cdef.example.com");
+    this.props.setProperty(FederatedAuthPlugin.IDP_USERNAME.name, USERNAME);
+    this.props.setProperty(FederatedAuthPlugin.IDP_PASSWORD.name, PASSWORD);
+
+    when(mockPluginService.getTelemetryFactory()).thenReturn(mockTelemetryFactory);
+    when(mockTelemetryFactory.openTelemetryContext(any(), any())).thenReturn(mockTelemetryContext);
+    when(mockHttpClient.execute(any(HttpGet.class))).thenReturn(mockHttpGetSignInPageResponse);
+    when(mockHttpGetSignInPageResponse.getStatusLine()).thenReturn(mockStatusLine);
+    when(mockStatusLine.getStatusCode()).thenReturn(200);
+    when(mockHttpGetSignInPageResponse.getEntity()).thenReturn(mockSignInPageHttpEntity);
+
+    String signinPageHtml = IOUtils.toString(
+        this.getClass().getClassLoader().getResourceAsStream("federated_auth/adfs-sign-in-page.html"), "UTF-8");
+    InputStream signInPageHtmlInputStream = new ByteArrayInputStream(signinPageHtml.getBytes());
+    when(mockSignInPageHttpEntity.getContent()).thenReturn(signInPageHtmlInputStream);
+
+    when(mockHttpClient.execute(any(HttpPost.class))).thenReturn(mockHttpPostSignInResponse);
+    when(mockHttpPostSignInResponse.getStatusLine()).thenReturn(mockStatusLine);
+    when(mockHttpPostSignInResponse.getEntity()).thenReturn(mockSamlHttpEntity);
+
+    String adfsSamlHtml = IOUtils.toString(
+        this.getClass().getClassLoader().getResourceAsStream("federated_auth/adfs-saml.html"), "UTF-8");
+    InputStream samlHtmlInputStream = new ByteArrayInputStream(adfsSamlHtml.getBytes());
+    when(mockSamlHttpEntity.getContent()).thenReturn(samlHtmlInputStream);
+
+    this.adfsCredentialsProviderFactory = new AdfsCredentialsProviderFactory(mockPluginService, mockHttpClient);
+  }
+
+  @Test
+  void test() throws IOException {
+    this.adfsCredentialsProviderFactory.getSamlAssertion(props);
+
+    ArgumentCaptor<HttpPost> httpPostArgumentCaptor = ArgumentCaptor.forClass(HttpPost.class);
+    verify(mockHttpClient, times(2)).execute(httpPostArgumentCaptor.capture());
+    HttpPost actualHttpPost = httpPostArgumentCaptor.getValue();
+    String content = EntityUtils.toString(actualHttpPost.getEntity());
+    String[] params = content.split("&");
+    assertEquals("UserName=" + USERNAME.replace("@", "%40"), params[0]);
+    assertEquals("Password=" + PASSWORD, params[1]);
+    assertEquals("Kmsi=true", params[2]);
+    assertEquals("AuthMethod=FormsAuthentication", params[3]);
+  }
+}
diff --git a/wrapper/src/test/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPluginTest.java b/wrapper/src/test/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPluginTest.java
new file mode 100644
index 000000000..aeba89aeb
--- /dev/null
+++ b/wrapper/src/test/java/software/amazon/jdbc/plugin/federatedauth/FederatedAuthPluginTest.java
@@ -0,0 +1,167 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package software.amazon.jdbc.plugin.federatedauth;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.time.Instant;
+import java.util.Properties;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.MockitoAnnotations;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.jdbc.HostSpec;
+import software.amazon.jdbc.HostSpecBuilder;
+import software.amazon.jdbc.JdbcCallable;
+import software.amazon.jdbc.PluginService;
+import software.amazon.jdbc.PropertyDefinition;
+import software.amazon.jdbc.dialect.Dialect;
+import software.amazon.jdbc.hostavailability.SimpleHostAvailabilityStrategy;
+import software.amazon.jdbc.util.telemetry.TelemetryContext;
+import software.amazon.jdbc.util.telemetry.TelemetryCounter;
+import software.amazon.jdbc.util.telemetry.TelemetryFactory;
+
+class FederatedAuthPluginTest {
+
+  private static final int DEFAULT_PORT = 1234;
+  private static final String DRIVER_PROTOCOL = "jdbc:postgresql:";
+
+  private static final HostSpec HOST_SPEC = new HostSpecBuilder(new SimpleHostAvailabilityStrategy())
+      .host("pg.testdb.us-east-2.rds.amazonaws.com").build();
+  private static final String TEST_TOKEN = "someTestToken";
+  @Mock private PluginService mockPluginService;
+  @Mock private Dialect mockDialect;
+  @Mock JdbcCallable<Connection, SQLException> mockLambda;
+  @Mock private TelemetryFactory mockTelemetryFactory;
+  @Mock private TelemetryContext mockTelemetryContext;
+  @Mock private TelemetryCounter mockTelemetryCounter;
+  @Mock private CredentialsProviderFactory mockCredentialsProviderFactory;
+  @Mock private AwsCredentialsProvider mockAwsCredentialsProvider;
+  @Mock private CompletableFuture completableFuture;
+  @Mock private AwsCredentialsIdentity mockAwsCredentialsIdentity;
+  private Properties props;
+
+  @BeforeEach
+  public void init() throws ExecutionException, InterruptedException, SQLException {
+    MockitoAnnotations.openMocks(this);
+    props = new Properties();
+    props.setProperty(PropertyDefinition.PLUGINS.name, "federatedAuth");
+    props.setProperty(PropertyDefinition.USER.name, "iamUser");
+    FederatedAuthPlugin.clearCache();
+
+    when(mockPluginService.getDialect()).thenReturn(mockDialect);
+    when(mockDialect.getDefaultPort()).thenReturn(DEFAULT_PORT);
+    when(mockPluginService.getTelemetryFactory()).thenReturn(mockTelemetryFactory);
+    when(mockTelemetryFactory.createCounter(any())).thenReturn(mockTelemetryCounter);
+    when(mockTelemetryFactory.openTelemetryContext(any(), any())).thenReturn(mockTelemetryContext);
+    when(mockCredentialsProviderFactory.getAwsCredentialsProvider(any(), any(), any()))
+        .thenReturn(mockAwsCredentialsProvider);
+    when(mockAwsCredentialsProvider.resolveIdentity()).thenReturn(completableFuture);
+    when(completableFuture.get()).thenReturn(mockAwsCredentialsIdentity);
+  }
+
+  @Test
+  void testCachedToken() throws SQLException {
+    FederatedAuthPlugin plugin =
+        new FederatedAuthPlugin(mockPluginService, mockCredentialsProviderFactory);
+
+    String key = "us-east-2:pg.testdb.us-east-2.rds.amazonaws.com:" + DEFAULT_PORT + ":iamUser";
+    FederatedAuthPlugin.TokenInfo tokenInfo = new FederatedAuthPlugin.TokenInfo(
+        TEST_TOKEN, Instant.now().plusMillis(300000));
+    FederatedAuthPlugin.tokenCache.put(key, tokenInfo);
+
+    plugin.connect(DRIVER_PROTOCOL, HOST_SPEC, props, true, mockLambda);
+
+    assertEquals(TEST_TOKEN, PropertyDefinition.PASSWORD.getString(props));
+  }
+
+  @Test
+  void testExpiredCachedToken() throws SQLException {
+    FederatedAuthPlugin plugin =
+        new FederatedAuthPlugin(mockPluginService, mockCredentialsProviderFactory);
+    FederatedAuthPlugin spyPlugin = Mockito.spy(plugin);
+
+    String key = "us-east-2:pg.testdb.us-east-2.rds.amazonaws.com:" + DEFAULT_PORT + ":iamUser";
+    String someExpiredToken = "someExpiredToken";
+    FederatedAuthPlugin.TokenInfo expiredTokenInfo = new FederatedAuthPlugin.TokenInfo(
+        someExpiredToken, Instant.now().minusMillis(300000));
+    FederatedAuthPlugin.tokenCache.put(key, expiredTokenInfo);
+
+    when(
+        spyPlugin.generateAuthenticationToken(
+            props,
+            HOST_SPEC.getHost(),
+            DEFAULT_PORT,
+            Region.US_EAST_2, mockAwsCredentialsProvider))
+        .thenReturn(TEST_TOKEN);
+
+    spyPlugin.connect(DRIVER_PROTOCOL, HOST_SPEC, props, true, mockLambda);
+    assertEquals(TEST_TOKEN, PropertyDefinition.PASSWORD.getString(props));
+  }
+
+  @Test
+  void testNoCachedToken() throws SQLException {
+    FederatedAuthPlugin plugin =
+        new FederatedAuthPlugin(mockPluginService, mockCredentialsProviderFactory);
+    FederatedAuthPlugin spyPlugin = Mockito.spy(plugin);
+
+    when(
+        spyPlugin.generateAuthenticationToken(
+            props,
+            HOST_SPEC.getHost(),
+            DEFAULT_PORT,
+            Region.US_EAST_2, mockAwsCredentialsProvider))
+        .thenReturn(TEST_TOKEN);
+
+    spyPlugin.connect(DRIVER_PROTOCOL, HOST_SPEC, props, true, mockLambda);
+    assertEquals(TEST_TOKEN, PropertyDefinition.PASSWORD.getString(props));
+  }
+
+  @Test
+  void testSpecifiedIamHostPortRegion() throws SQLException {
+    final String expectedHost = "pg.testdb.us-west-2.rds.amazonaws.com";
+    final int expectedPort = 9876;
+    final Region expectedRegion = Region.US_WEST_2;
+
+    props.setProperty(FederatedAuthPlugin.IAM_HOST.name, expectedHost);
+    props.setProperty(FederatedAuthPlugin.IAM_DEFAULT_PORT.name, String.valueOf(expectedPort));
+    props.setProperty(FederatedAuthPlugin.IAM_REGION.name, expectedRegion.toString());
+
+    final String key = "us-west-2:pg.testdb.us-west-2.rds.amazonaws.com:" + String.valueOf(expectedPort) + ":iamUser";
+    FederatedAuthPlugin.TokenInfo tokenInfo = new FederatedAuthPlugin.TokenInfo(
+        TEST_TOKEN, Instant.now().plusMillis(300000));
+    FederatedAuthPlugin.tokenCache.put(key, tokenInfo);
+
+    FederatedAuthPlugin plugin =
+        new FederatedAuthPlugin(mockPluginService, mockCredentialsProviderFactory);
+
+    plugin.connect(DRIVER_PROTOCOL, HOST_SPEC, props, true, mockLambda);
+
+    assertEquals(TEST_TOKEN, PropertyDefinition.PASSWORD.getString(props));
+  }
+  // test throw if AWS Java SDK for AWS STS not available
+}
diff --git a/wrapper/src/test/resources/federated_auth/adfs-saml.html b/wrapper/src/test/resources/federated_auth/adfs-saml.html
new file mode 100644
index 000000000..6686e3db8
--- /dev/null
+++ b/wrapper/src/test/resources/federated_auth/adfs-saml.html
@@ -0,0 +1 @@
+<html><head><title>Working...</title></head><body><form method="POST" name="hiddenform" action="https://signin.aws.amazon.com:443/saml"><input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlIElEPSJfZTA0NDU0MWYtZGQ5Ni00Mjk3LThlZGYtZjk2MjYxYWI5OTFkIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAyMy0xMS0xNVQwODoxNzozOS4wNTBaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zaWduaW4uYXdzLmFtYXpvbi5jb20vc2FtbCIgQ29uc2VudD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNvbnNlbnQ6dW5zcGVjaWZpZWQiIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxJc3N1ZXIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly9FQzJBTUFaLUVJNlBTT0oudGVhbWF0bGFzLmV4YW1wbGUuY29tL2FkZnMvc2VydmljZXMvdHJ1c3Q8L0lzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiIC8+PC9zYW1scDpTdGF0dXM+PEFzc2VydGlvbiBJRD0iXzE4NjFkMGIwLTM1YzctNGM3OS1iOWM3LWM4NmM3NWIyZmE4MCIgSXNzdWVJbnN0YW50PSIyMDIzLTExLTE1VDA4OjE3OjM5LjA1MFoiIFZlcnNpb249IjIuMCIgeG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxJc3N1ZXI+aHR0cDovL0VDMkFNQVotRUk2UFNPSi50ZWFtYXRsYXMuZXhhbXBsZS5jb20vYWRmcy9zZXJ2aWNlcy90cnVzdDwvSXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2IiAvPjxkczpSZWZlcmVuY2UgVVJJPSIjXzE4NjFkMGIwLTM1YzctNGM3OS1iOWM3LWM4NmM3NWIyZmE4MCI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIiAvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiIC8+PC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiIC8+PGRzOkRpZ2VzdFZhbHVlPmZUUjNJRFd5WVlpemFMalBzdlFWYWJGTXAwS2lzN0VZZkZtRXBIUUk2azg9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8+PGRzOlNpZ25hdHVyZVZhbHVlPlp3VHB3emsxcDdQakxzbE5aT09HNHNZOUpCbDRJM2xGWjB6cWVmakQ4c0x1clQvbWd4cnZqeC9Tdis2N2xVUERNNHNNOGprZXZwNGZtMzhrd0wzN2RmUW5DenlQOHpURU45QTdVb1lhTUY0djVOV096MjNBRlE2VE03Mk9yM1M5alZwbjgzclhicDhRN1YxUDN4Yk9WUGZpSTFCM1pGbjNTRkNLTDJhZFpQZG9TV29RN29KTlJkeEl0YW5rek1sYTV3NUxodHBsMnhwS3Z0QTRnTzVYU2hXZEY5bHA0WlZaQWxSRlo5WXROTld6VnBKSVZpZm1sUkEyWS9lbnJNWVRHdjhMSzFOb3diMlpOWCttZUFEUms0NitqS1RIbElQSDJXWkc1NDd0SVJtNzFLSm5NL2wzM2x1L21NVmk4U2RXVSsrQk5FbHBudERsc0kxOUJMYy9qUT09PC9kczpTaWduYXR1cmVWYWx1ZT48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU+TUlJRFFEQ0NBaWlnQXdJQkFnSVFFaU5KbWNDckdLQk5Qc2RyMWhjL3p6QU5CZ2txaGtpRzl3MEJBUXNGQURBd01TNHdMQVlEVlFRREV5VkZRekpCVFVGYUxVVkpObEJUVDBvdWRHVmhiV0YwYkdGekxtVjRZVzF3YkdVdVkyOXRNQjRYRFRJek1UQXlOVEl6TlRBeU9Gb1hEVEkwTVRBeU5UQXdNREF3TUZvd01ERXVNQ3dHQTFVRUF4TWxSVU15UVUxQldpMUZTVFpRVTA5S0xuUmxZVzFoZEd4aGN5NWxlR0Z0Y0d4bExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNYzlwaVd0R2ViWW4rUTZRNEo1ZzdwQ2tjQVpiN1RNclRDTU1iNTgrVkxWTzlrZWR3ZXhYZHh6UENkRS9JaFdFQkJQY2dXTFFZWVJudGM3M1FwbEozR09YQVRXUWI2MWNEMDQzY0NLVHNqdVNEVG1Pb2VQU3Y0OG9hVzRvZ3ZCVE53dFdLMC81cVVnWmFFamVhMUl2QjZXak9FVXkzR2NZRDkxYjZoNEtkbGxxRlU4OUhLVlFNZ0RNbjlnZ2hUeVh0aE5aeFRJSWFlZEZQaFdvamkxSFJPMGZ2Tms4Z3JKUkg2c0VBZCtMbzYvdzFJRWtCckh3aXlESkppY3h4L2JXUXJERTM5d0NrekFkUEtvY1JGQk5STjAweUcyWFRLd2tNcnRlWGgrRDBLU3pURWh6RnRmaFRaYURiRzZMc3k1b2s1QmJXaG1VaWVvb1ZTVXcrbmpIY0VDQXdFQUFhTldNRlF3Q3dZRFZSMFBCQVFEQWdRd01CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUJNREFHQTFVZEVRUXBNQ2VDSlVWRE1rRk5RVm90UlVrMlVGTlBTaTUwWldGdFlYUnNZWE11WlhoaGJYQnNaUzVqYjIwd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFKZlVYbXhBUzNsd3Fwb1QwTmk5T2JWTlRGTXEwSXBGd2hjeXZDOVZPQXcrbTZDalc4SS9OT0gzbjhRZkJ5T2g3eGpyRjdYZjRNWFkycU1td1lRYVBDSjlnNjIyeHYxeGZvUlZPVWNMZlJ5UDFydjl1L3Nqc25mMCtOUW1VcERNVUZWMkJyNjZ1SGJuand1SnhUdTllaHRrTjdpQ0ZndGdCOWhNcVdDTDY1TFA4VnVZZ3JLQTB2Q2RmWlJEMmwyWHB4UjNuSzF4RThGa3hvd1ZQRElERkFNSks3ZzFaSW5rMmNWZGN2TWxqUzAwOHRXT3VEU1JwdTI3WVpEaVVSaDB1Wk9CTFA3cEd2d2xxTHRjaTh5bXpCRkNncU9iNit0TkhkcVlwR3lUdlJRMDgyb0c0M01hdjdrRE5UREdUUS9CaHprZ3R5VzRSZmp4MWRCUGpod1hOS0k9PC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L0tleUluZm8+PC9kczpTaWduYXR1cmU+PFN1YmplY3Q+PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OnBlcnNpc3RlbnQiPnRlYW1hdGxhc1xhZG1pbjwvTmFtZUlEPjxTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PFN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAyMy0xMS0xNVQwODoyMjozOS4wNTBaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc2lnbmluLmF3cy5hbWF6b24uY29tL3NhbWwiIC8+PC9TdWJqZWN0Q29uZmlybWF0aW9uPjwvU3ViamVjdD48Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMjMtMTEtMTVUMDg6MTc6MzkuMDQzWiIgTm90T25PckFmdGVyPSIyMDIzLTExLTE1VDA5OjE3OjM5LjA0M1oiPjxBdWRpZW5jZVJlc3RyaWN0aW9uPjxBdWRpZW5jZT51cm46YW1hem9uOndlYnNlcnZpY2VzPC9BdWRpZW5jZT48L0F1ZGllbmNlUmVzdHJpY3Rpb24+PC9Db25kaXRpb25zPjxBdHRyaWJ1dGVTdGF0ZW1lbnQ+PEF0dHJpYnV0ZSBOYW1lPSJodHRwczovL2F3cy5hbWF6b24uY29tL1NBTUwvQXR0cmlidXRlcy9Sb2xlIj48QXR0cmlidXRlVmFsdWU+YXJuOmF3czppYW06OjM0NjU1ODE4NDg4MjpzYW1sLXByb3ZpZGVyL2FkZnNfdGVhbWF0bGFzX2V4YW1wbGUsYXJuOmF3czppYW06OjM0NjU1ODE4NDg4Mjpyb2xlL2FkZnNfdGVhbWF0bGFzX2V4YW1wbGVfaWFtX3JvbGU8L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjxBdHRyaWJ1dGUgTmFtZT0iaHR0cHM6Ly9hd3MuYW1hem9uLmNvbS9TQU1ML0F0dHJpYnV0ZXMvUm9sZVNlc3Npb25OYW1lIj48QXR0cmlidXRlVmFsdWU+QWRtaW48L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjwvQXR0cmlidXRlU3RhdGVtZW50PjxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjMtMTEtMTVUMDg6MTQ6MjMuMTM5WiIgU2Vzc2lvbkluZGV4PSJfMTg2MWQwYjAtMzVjNy00Yzc5LWI5YzctYzg2Yzc1YjJmYTgwIj48QXV0aG5Db250ZXh0PjxBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3NlczpQYXNzd29yZFByb3RlY3RlZFRyYW5zcG9ydDwvQXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9BdXRobkNvbnRleHQ+PC9BdXRoblN0YXRlbWVudD48L0Fzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==" /><noscript><p>Script is disabled. Click Submit to continue.</p><input type="submit" value="Submit" /></noscript></form><script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script></body></html>
diff --git a/wrapper/src/test/resources/federated_auth/adfs-sign-in-page.html b/wrapper/src/test/resources/federated_auth/adfs-sign-in-page.html
new file mode 100644
index 000000000..0b06f6dda
--- /dev/null
+++ b/wrapper/src/test/resources/federated_auth/adfs-sign-in-page.html
@@ -0,0 +1,613 @@
+<!DOCTYPE html>
+<html lang="en-US">
+<head>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=1"/>
+    <meta http-equiv="content-type" content="text/html;charset=UTF-8" />
+    <meta http-equiv="cache-control" content="no-cache,no-store"/>
+    <meta http-equiv="pragma" content="no-cache"/>
+    <meta http-equiv="expires" content="-1"/>
+    <meta name='mswebdialog-title' content='Connecting to EC2AMAZ-AB3CDEF.example.com'/>
+
+    <title>Sign In</title>
+    <script type='text/javascript'>
+//<![CDATA[
+function LoginErrors(){this.userNameFormatError = 'Enter your user ID in the format \u0026quot;domain\\user\u0026quot; or \u0026quot;user@domain\u0026quot;.'; this.passwordEmpty = 'Enter your password.'; this.passwordTooLong = 'Password is too long (\u0026gt; 128 characters).';}; var maxPasswordLength = 128;
+//]]>
+</script>
+
+    <script type='text/javascript'>
+//<![CDATA[
+// Copyright (c) Microsoft Corporation.  All rights reserved.
+function InputUtil(errTextElementID, errDisplayElementID) {
+
+    if (!errTextElementID)  errTextElementID = 'errorText';
+    if (!errDisplayElementID)  errDisplayElementID = 'error';
+
+    this.hasFocus = false;
+    this.errLabel = document.getElementById(errTextElementID);
+    this.errDisplay = document.getElementById(errDisplayElementID);
+};
+InputUtil.prototype.canDisplayError = function () {
+    return this.errLabel && this.errDisplay;
+}
+InputUtil.prototype.checkError = function () {
+    if (!this.canDisplayError){
+        throw new Error ('Error element not present');
+    }
+    if (this.errLabel && this.errLabel.innerHTML) {
+        this.errDisplay.style.display = '';
+        var cause = this.errLabel.getAttribute('for');
+        if (cause) {
+            var causeNode = document.getElementById(cause);
+            if (causeNode && causeNode.value) {
+                causeNode.focus();
+                this.hasFocus = true;
+            }
+        }
+    }
+    else {
+        this.errDisplay.style.display = 'none';
+    }
+};
+InputUtil.prototype.setInitialFocus = function (input) {
+    if (this.hasFocus) return;
+    var node = document.getElementById(input);
+    if (node) {
+        if ((/^\s*$/).test(node.value)) {
+            node.focus();
+            this.hasFocus = true;
+        }
+    }
+};
+InputUtil.prototype.setError = function (input, errorMsg) {
+    if (!this.canDisplayError) {
+        throw new Error('Error element not present');
+    }
+    input.focus();
+
+    if (errorMsg) {
+        this.errLabel.innerHTML = errorMsg;
+    }
+    this.errLabel.setAttribute('for', input.id);
+    this.errDisplay.style.display = '';
+};
+InputUtil.makePlaceholder = function (input) {
+    var ua = navigator.userAgent;
+
+    if (ua != null &&
+        (ua.match(/MSIE 9.0/) != null ||
+         ua.match(/MSIE 8.0/) != null ||
+         ua.match(/MSIE 7.0/) != null)) {
+        var node = document.getElementById(input);
+        if (node) {
+            var placeholder = node.getAttribute("placeholder");
+            if (placeholder != null && placeholder != '') {
+                var label = document.createElement('input');
+                label.type = "text";
+                label.value = placeholder;
+                label.readOnly = true;
+                label.style.position = 'absolute';
+                label.style.borderColor = 'transparent';
+                label.className = node.className + ' hint';
+                label.tabIndex = -1;
+                label.onfocus = function () { this.nextSibling.focus(); };
+
+                node.style.position = 'relative';
+                node.parentNode.style.position = 'relative';
+                node.parentNode.insertBefore(label, node);
+                node.onkeyup = function () { InputUtil.showHint(this); };
+                node.onblur = function () { InputUtil.showHint(this); };
+                node.style.background = 'transparent';
+
+                node.setAttribute("placeholder", "");
+                InputUtil.showHint(node);
+            }
+        }
+    }
+};
+InputUtil.focus = function (inputField) {
+    var node = document.getElementById(inputField);
+    if (node) node.focus();
+};
+InputUtil.hasClass = function(node, clsName) {
+    return node.className.match(new RegExp('(\\s|^)' + clsName + '(\\s|$)'));
+};
+InputUtil.addClass = function(node, clsName) {
+    if (!this.hasClass(node, clsName)) node.className += " " + clsName;
+};
+InputUtil.removeClass = function(node, clsName) {
+    if (this.hasClass(node, clsName)) {
+        var reg = new RegExp('(\\s|^)' + clsName + '(\\s|$)');
+        node.className = node.className.replace(reg, ' ');
+    }
+};
+InputUtil.showHint = function (node, gotFocus) {
+    if (node.value && node.value != '') {
+        node.previousSibling.style.display = 'none';
+    }
+    else {
+        node.previousSibling.style.display = '';
+    }
+};
+InputUtil.updatePlaceholder = function (input, placeholderText) {
+    var node = document.getElementById(input);
+    if (node) {
+        var ua = navigator.userAgent;
+        if (ua != null &&
+            (ua.match(/MSIE 9.0/) != null ||
+            ua.match(/MSIE 8.0/) != null ||
+            ua.match(/MSIE 7.0/) != null)) {
+            var label = node.previousSibling;
+            if (label != null) {
+                label.value = placeholderText;
+            }
+        }
+        else {
+            node.placeholder = placeholderText;
+        }
+    }
+};
+
+//]]>
+</script>
+
+
+
+    <link rel="stylesheet" type="text/css" href="/adfs/portal/css/style.css?id=3B1A0C704CDAE8ECD48AA8F0D50409D981CEF21D7AE6DC85B0797D270101B151" /><style>.illustrationClass {background-image:url(/adfs/portal/illustration/illustration.png?id=183128A3C941EDE3D9199FA37D6AA90E0A7DFE101B37D10B4FEDA0CF35E11AFD);}</style>
+
+</head>
+<body dir="ltr" class="body">
+<div id="noScript" style="position:static; width:100%; height:100%; z-index:100">
+    <h1>JavaScript required</h1>
+    <p>JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.</p>
+    <p>To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.</p>
+</div>
+<script type="text/javascript" language="JavaScript">
+         document.getElementById("noScript").style.display = "none";
+    </script>
+<div id="fullPage">
+    <div id="brandingWrapper" class="float">
+        <div id="branding"></div>
+    </div>
+    <div id="contentWrapper" class="float">
+        <div id="content">
+            <div id="header">
+                <h4>EC2AMAZ-AB3CDEF.example.com</h4>
+            </div>
+            <main>
+                <div id="workArea">
+
+                    <div id="authArea" class="groupMargin">
+
+
+
+                        <div id="loginArea">
+                            <div id="loginMessage" class="groupMargin">Sign in</div>
+
+                            <form method="post" id="loginForm" autocomplete="off" novalidate="novalidate" onKeyPress="if (event && event.keyCode == 13) Login.submitLoginRequest();" action="/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices&client-request-id=bdfdf240-41c5-4684-ac03-0080010000e8" >
+                                <div id="error" class="fieldMargin error smallText">
+                                    <span id="errorText" for="" aria-live="assertive" role="alert"></span>
+                                </div>
+
+                                <div id="formsAuthenticationArea">
+                                    <div id="userNameArea">
+                                        <label id="userNameInputLabel" for="userNameInput" class="hidden">User Account</label>
+                                        <input id="userNameInput" name="UserName" type="email" value="" tabindex="1" class="text fullWidth"
+                                               spellcheck="false" placeholder="someone@example.com" autocomplete="off"/>
+                                    </div>
+
+                                    <div id="passwordArea">
+                                        <label id="passwordInputLabel" for="passwordInput" class="hidden">Password</label>
+                                        <input id="passwordInput" name="Password" type="password" tabindex="2" class="text fullWidth"
+                                               placeholder="Password" autocomplete="off"/>
+                                    </div>
+                                    <div id="kmsiArea" style="display:none">
+                                        <input type="checkbox" name="Kmsi" id="kmsiInput" value="true" tabindex="3" />
+                                        <label for="kmsiInput">Keep me signed in</label>
+                                    </div>
+                                    <div id="submissionArea" class="submitMargin">
+                    <span id="submitButton" class="submit" tabindex="4" role="button"
+                          onKeyPress="if (event && event.keyCode == 32) Login.submitLoginRequest();"
+                          onclick="return Login.submitLoginRequest();">Sign in</span>
+                                    </div>
+                                </div>
+                                <input id="optionForms" type="hidden" name="AuthMethod" value="FormsAuthentication"/>
+                            </form>
+
+                            <div id="authOptions">
+                                <form id="options" method="post" action="https://ec2amaz-ab3cdef.example.com:443/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices&client-request-id=bdfdf240-41c5-4684-ac03-0080010000e8">
+                                    <script type="text/javascript">
+                function SelectOption(option) {
+                    var w = document.getElementById('waitingWheelDiv');
+                    if(w) w.style.display = 'inline';
+                    var i = document.getElementById('optionSelection');
+                    i.value = option;
+                    document.forms['options'].submit();
+                    return false;
+                }
+             </script>
+                                    <input id="optionSelection" type="hidden" name="AuthMethod" />
+                                    <input id="userNameInputOptionsHolder" name="UserName" value="" type="hidden"/>
+                                    <div id='authOptionLinks' class='groupMargin'><div id="waitingWheelDiv" style="display: none;"><div id="WaitingWheel">
+                                        <!-- NOTE: This style portion is identical to cookie pull page, they are not in shared css file because of legacy dependancies for custom themes-->
+                                        <!-- CSS for small "waiting" wheel -->
+                                        <style>
+        #floatingCirclesG {
+            position: relative;
+            width: 125px;
+            height: 125px;
+            margin: auto;
+            transform: scale(0.4);
+            -o-transform: scale(0.4);
+            -ms-transform: scale(0.4);
+            -webkit-transform: scale(0.4);
+            -moz-transform: scale(0.4);
+        }
+
+        .f_circleG {
+            position: absolute;
+            height: 22px;
+            width: 22px;
+            border-radius: 12px;
+            -o-border-radius: 12px;
+            -ms-border-radius: 12px;
+            -webkit-border-radius: 12px;
+            -moz-border-radius: 12px;
+            animation-name: f_fadeG;
+            -o-animation-name: f_fadeG;
+            -ms-animation-name: f_fadeG;
+            -webkit-animation-name: f_fadeG;
+            -moz-animation-name: f_fadeG;
+            animation-duration: 1.2s;
+            -o-animation-duration: 1.2s;
+            -ms-animation-duration: 1.2s;
+            -webkit-animation-duration: 1.2s;
+            -moz-animation-duration: 1.2s;
+            animation-iteration-count: infinite;
+            -o-animation-iteration-count: infinite;
+            -ms-animation-iteration-count: infinite;
+            -webkit-animation-iteration-count: infinite;
+            -moz-animation-iteration-count: infinite;
+            animation-direction: normal;
+            -o-animation-direction: normal;
+            -ms-animation-direction: normal;
+            -webkit-animation-direction: normal;
+            -moz-animation-direction: normal;
+        }
+
+        #frotateG_01 {
+            left: 0;
+            top: 51px;
+            animation-delay: 0.45s;
+            -o-animation-delay: 0.45s;
+            -ms-animation-delay: 0.45s;
+            -webkit-animation-delay: 0.45s;
+            -moz-animation-delay: 0.45s;
+        }
+
+        #frotateG_02 {
+            left: 15px;
+            top: 15px;
+            animation-delay: 0.6s;
+            -o-animation-delay: 0.6s;
+            -ms-animation-delay: 0.6s;
+            -webkit-animation-delay: 0.6s;
+            -moz-animation-delay: 0.6s;
+        }
+
+        #frotateG_03 {
+            left: 51px;
+            top: 0;
+            animation-delay: 0.75s;
+            -o-animation-delay: 0.75s;
+            -ms-animation-delay: 0.75s;
+            -webkit-animation-delay: 0.75s;
+            -moz-animation-delay: 0.75s;
+        }
+
+        #frotateG_04 {
+            right: 15px;
+            top: 15px;
+            animation-delay: 0.9s;
+            -o-animation-delay: 0.9s;
+            -ms-animation-delay: 0.9s;
+            -webkit-animation-delay: 0.9s;
+            -moz-animation-delay: 0.9s;
+        }
+
+        #frotateG_05 {
+            right: 0;
+            top: 51px;
+            animation-delay: 1.05s;
+            -o-animation-delay: 1.05s;
+            -ms-animation-delay: 1.05s;
+            -webkit-animation-delay: 1.05s;
+            -moz-animation-delay: 1.05s;
+        }
+
+        #frotateG_06 {
+            right: 15px;
+            bottom: 15px;
+            animation-delay: 1.2s;
+            -o-animation-delay: 1.2s;
+            -ms-animation-delay: 1.2s;
+            -webkit-animation-delay: 1.2s;
+            -moz-animation-delay: 1.2s;
+        }
+
+        #frotateG_07 {
+            left: 51px;
+            bottom: 0;
+            animation-delay: 1.35s;
+            -o-animation-delay: 1.35s;
+            -ms-animation-delay: 1.35s;
+            -webkit-animation-delay: 1.35s;
+            -moz-animation-delay: 1.35s;
+        }
+
+        #frotateG_08 {
+            left: 15px;
+            bottom: 15px;
+            animation-delay: 1.5s;
+            -o-animation-delay: 1.5s;
+            -ms-animation-delay: 1.5s;
+            -webkit-animation-delay: 1.5s;
+            -moz-animation-delay: 1.5s;
+        }
+
+        @keyframes f_fadeG {
+            0% {
+                background-color: rgb(47, 146, 212);
+            }
+
+            100% {
+                background-color: rgb(255, 255, 255);
+            }
+        }
+
+        @-o-keyframes f_fadeG {
+            0% {
+                background-color: rgb(47, 146, 212);
+            }
+
+            100% {
+                background-color: rgb(255, 255, 255);
+            }
+        }
+
+        @-ms-keyframes f_fadeG {
+            0% {
+                background-color: rgb(47, 146, 212);
+            }
+
+            100% {
+                background-color: rgb(255, 255, 255);
+            }
+        }
+
+        @-webkit-keyframes f_fadeG {
+            0% {
+                background-color: rgb(47, 146, 212);
+            }
+
+            100% {
+                background-color: rgb(255, 255, 255);
+            }
+        }
+
+        @-moz-keyframes f_fadeG {
+            0% {
+                background-color: rgb(47, 146, 212);
+            }
+
+            100% {
+                background-color: rgb(255, 255, 255);
+            }
+        }
+    </style>
+
+                                        <!-- Div containing small "waiting" wheel -->
+                                        <div id="floatingCirclesG">
+                                            <div class="f_circleG" id="frotateG_01"></div>
+                                            <div class="f_circleG" id="frotateG_02"></div>
+                                            <div class="f_circleG" id="frotateG_03"></div>
+                                            <div class="f_circleG" id="frotateG_04"></div>
+                                            <div class="f_circleG" id="frotateG_05"></div>
+                                            <div class="f_circleG" id="frotateG_06"></div>
+                                            <div class="f_circleG" id="frotateG_07"></div>
+                                            <div class="f_circleG" id="frotateG_08"></div>
+                                        </div>
+                                    </div></div></div>
+                                </form>
+                            </div>
+
+                            <div id="introduction" class="groupMargin">
+
+                            </div>
+
+                            <script type="text/javascript">
+        //<![CDATA[
+
+            function Login() {
+            }
+
+            Login.userNameInput = 'userNameInput';
+            Login.passwordInput = 'passwordInput';
+
+            Login.initialize = function () {
+
+                var u = new InputUtil();
+
+                u.checkError();
+                u.setInitialFocus(Login.userNameInput);
+                u.setInitialFocus(Login.passwordInput);
+            }();
+
+            Login.submitLoginRequest = function () {
+                var u = new InputUtil();
+                var e = new LoginErrors();
+
+                var userName = document.getElementById(Login.userNameInput);
+                var password = document.getElementById(Login.passwordInput);
+
+                if (!userName.value || !userName.value.match('[@\\\\]')) {
+                    u.setError(userName, e.userNameFormatError);
+                    return false;
+                }
+
+                if (!password.value) {
+                    u.setError(password, e.passwordEmpty);
+                    return false;
+                }
+
+                if (password.value.length > maxPasswordLength) {
+                    u.setError(password, e.passwordTooLong);
+                    return false;
+                }
+
+                document.forms['loginForm'].submit();
+                return false;
+            };
+
+            InputUtil.makePlaceholder(Login.userNameInput);
+            InputUtil.makePlaceholder(Login.passwordInput);
+        //]]>
+        </script>
+                        </div>
+
+                    </div>
+
+                </div>
+            </main>
+            <div id="footerPlaceholder"></div>
+        </div>
+        <footer id="footer">
+            <div id="footerLinks" class="floatReverse">
+                <div><span id="copyright">&#169; 2018 Microsoft</span></div>
+            </div>
+        </footer>
+    </div>
+</div>
+<script type='text/javascript'>
+//<![CDATA[
+// Copyright (c) Microsoft Corporation.  All rights reserved.
+
+// This file contains several workarounds on inconsistent browser behaviors that administrators may customize.
+"use strict";
+
+// iPhone email friendly keyboard does not include "\" key, use regular keyboard instead.
+// Note change input type does not work on all versions of all browsers.
+if (navigator.userAgent.match(/iPhone/i) != null) {
+    var emails = document.querySelectorAll("input[type='email']");
+    if (emails) {
+        for (var i = 0; i < emails.length; i++) {
+            emails[i].type = 'text';
+        }
+    }
+}
+
+// In the CSS file we set the ms-viewport to be consistent with the device dimensions,
+// which is necessary for correct functionality of immersive IE.
+// However, for Windows 8 phone we need to reset the ms-viewport's dimension to its original
+// values (auto), otherwise the viewport dimensions will be wrong for Windows 8 phone.
+// Windows 8 phone has agent string 'IEMobile 10.0'
+if (navigator.userAgent.match(/IEMobile\/10\.0/)) {
+    var msViewportStyle = document.createElement("style");
+    msViewportStyle.appendChild(
+        document.createTextNode(
+            "@-ms-viewport{width:auto!important}"
+        )
+    );
+    msViewportStyle.appendChild(
+        document.createTextNode(
+            "@-ms-viewport{height:auto!important}"
+        )
+    );
+    document.getElementsByTagName("head")[0].appendChild(msViewportStyle);
+}
+
+// If the innerWidth is defined, use it as the viewport width.
+if (window.innerWidth && window.outerWidth && window.innerWidth !== window.outerWidth) {
+    var viewport = document.querySelector("meta[name=viewport]");
+    viewport.setAttribute('content', 'width=' + window.innerWidth + ', initial-scale=1.0, user-scalable=1');
+}
+
+// Gets the current style of a specific property for a specific element.
+function getStyle(element, styleProp) {
+    var propStyle = null;
+
+    if (element && element.currentStyle) {
+        propStyle = element.currentStyle[styleProp];
+    }
+    else if (element && window.getComputedStyle) {
+        propStyle = document.defaultView.getComputedStyle(element, null).getPropertyValue(styleProp);
+    }
+
+    return propStyle;
+}
+
+// The script below is used for downloading the illustration image
+// only when the branding is displaying. This script work together
+// with the code in PageBase.cs that sets the html inline style
+// containing the class 'illustrationClass' with the background image.
+var computeLoadIllustration = function () {
+    var branding = document.getElementById("branding");
+    var brandingDisplay = getStyle(branding, "display");
+    var brandingWrapperDisplay = getStyle(document.getElementById("brandingWrapper"), "display");
+
+    if (brandingDisplay && brandingDisplay !== "none" &&
+        brandingWrapperDisplay && brandingWrapperDisplay !== "none") {
+        var newClass = "illustrationClass";
+
+        if (branding.classList && branding.classList.add) {
+            branding.classList.add(newClass);
+        } else if (branding.className !== undefined) {
+            branding.className += " " + newClass;
+        }
+        if (window.removeEventListener) {
+            window.removeEventListener('load', computeLoadIllustration, false);
+            window.removeEventListener('resize', computeLoadIllustration, false);
+        }
+        else if (window.detachEvent) {
+            window.detachEvent('onload', computeLoadIllustration);
+            window.detachEvent('onresize', computeLoadIllustration);
+        }
+    }
+};
+
+if (window.addEventListener) {
+    window.addEventListener('resize', computeLoadIllustration, false);
+    window.addEventListener('load', computeLoadIllustration, false);
+}
+else if (window.attachEvent) {
+    window.attachEvent('onresize', computeLoadIllustration);
+    window.attachEvent('onload', computeLoadIllustration);
+}
+
+// Function to change illustration image. Usage example below.
+function SetIllustrationImage(imageUri) {
+    var illustrationImageClass = '.illustrationClass {background-image:url(' + imageUri + ');}';
+
+    var css = document.createElement('style');
+    css.type = 'text/css';
+
+    if (css.styleSheet) css.styleSheet.cssText = illustrationImageClass;
+    else css.appendChild(document.createTextNode(illustrationImageClass));
+
+    document.getElementsByTagName("head")[0].appendChild(css);
+}
+
+// Example to change illustration image on HRD page after adding the image to active theme:
+// PSH> Set-AdfsWebTheme -TargetName <activeTheme> -AdditionalFileResource @{uri='/adfs/portal/images/hrd.jpg';path='.\hrd.jpg'}
+//
+//if (typeof HRD != 'undefined') {
+//    SetIllustrationImage('/adfs/portal/images/hrd.jpg');
+//}
+//]]>
+</script>
+
+
+</body>
+</html>
+