Running CA Access Gateway (SPS), and after configuring WS-Federation, the endpoints
https://<access_gateway>/<partnership_name>/?WSDL
https://<access_gateway>/<partnership_name>/app
aren't working.
How to configure STS in the server.conf, without using ProxyUI?
The settings that the ProxyUI's "STS IWA Configuration" page writes are stored in login.conf:
/{home_sps}/proxy-engine/conf/sts-config/globalconfig/login.conf:
/****
Login.conf
keytab: Path to the Keytab file. Keytab is the file containing pairs of Kerberos principals
and encrypted keys (these are derived from the Kerberos password).
This file is used to log into KDC without being prompted for a password.
principal: The SPN value. A service principal name (SPN) is the name by
which a client uniquely identifies an instance of a service.
An example of an SPN is HTTP/host.abc.com, where HTTP is the name of the service
and host.abc.com is the name of the host on which the service resides.
****/
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule
    required useTicketCache=true;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false
    /****
    keyTab is <Path to the service keytab e.g. "C:\\kerbuser.keytab">.
    It must point at the keytab file exported for the SPN below, not at
    krb5.conf (the Kerberos client configuration). The path below is a placeholder.
    ****/
    keyTab="/etc/sps-sts.keytab"
    /****
    principal is <principal name e.g. "HTTP/kerbserver.EXAMPLE.COM">
    ****/
    principal="HTTP/sts.example.com"
    useKeyTab=true
    debug=false;
};
and the STS service is defined here:
server.conf
[...omitted for brevity...]
    <Context name="sts-sps" type="STS">
        docBase="sts-sps"
        path="/<app_path>"
        enable="yes"
    </Context>
</Contexts>
After the changes, restart the CA Access Gateway (SPS).
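Both fragments are easy to get subtly wrong by hand, and a broken login.conf or a disabled STS context is exactly what produces dead ?WSDL and /app endpoints. The script below is an added example, not code from CA/Broadcom or from this article: it parses the JAAS login.conf entry the STS authenticates with (com.sun.security.jgss.accept) and the <Context type="STS"> block of server.conf, then reports the usual misconfigurations (keyTab pointing at krb5.conf instead of a keytab, a principal that is not an HTTP/<host> SPN, an acceptor entry left as an initiator, a context that is not enabled). The file contents are constructed samples embedded inline; the sample keyTab deliberately names krb5.conf so the check has something to flag. The set of "existing files" is passed in rather than read from disk, and the assumption that the context path must equal the URL path the endpoints are requested under is a parameter (expected_path), so the script runs offline.

```python
"""Offline sanity checks for the SPS STS Kerberos setup (added example, not CA code)."""
import os
import re
from typing import Dict, Iterable, List

# Constructed sample: the two JAAS entries from login.conf, including the
# /**** ... ****/ comment blocks the file uses. keyTab is deliberately wrong.
SAMPLE_LOGIN_CONF = r"""
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule
  required useTicketCache=true;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  isInitiator=false
  /****
  keyTab is <Path to user keytab e.g. "C:\\kerbuser.keytab">
  ***/
  keyTab="/etc/krb5.conf"
  /****
  principal is < principal name e.g. "HTTP/kerbserver.EXAMPLE.COM">
  ****/
  principal="HTTP/sts.example.com"
  useKeyTab=true
  debug=false;
};
"""

# Constructed sample: the STS context from server.conf. SPS writes the
# attributes as key="value" lines inside the element rather than in the tag.
SAMPLE_SERVER_CONF = """
<Contexts>
    <Context name="sts-sps" type="STS">
        docBase="sts-sps"
        path="/sts"
        enable="yes"
    </Context>
</Contexts>
"""

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)           # /* ... */ and /**** ... ****/
ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.DOTALL)  # name { ... };
OPTION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;]+))')     # key="quoted" or key=bare
SPN_RE = re.compile(r"^HTTP/[A-Za-z0-9.-]+(@[A-Za-z0-9.-]+)?$")
CONTEXT_RE = re.compile(r"<Context\s+([^>]*)>(.*?)</Context>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_login_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry name: {option: value}}; the login module class and its
    control flag are stored under the keys 'module' and 'flag'."""
    entries: Dict[str, Dict[str, str]] = {}
    for name, body in ENTRY_RE.findall(COMMENT_RE.sub("", text)):
        tokens = body.split()
        opts = {"module": tokens[0], "flag": tokens[1]}
        for key, quoted, bare in OPTION_RE.findall(body):
            opts[key] = quoted if quoted else bare
        entries[name] = opts
    return entries


def check_accept_entry(entries: Dict[str, Dict[str, str]],
                       existing_files: Iterable[str]) -> List[str]:
    """Problems with the acceptor entry. existing_files stands in for
    os.path.isfile so the check can run against constructed samples."""
    acc = entries.get("com.sun.security.jgss.accept")
    if acc is None:
        return ["login.conf has no com.sun.security.jgss.accept entry"]
    files = set(existing_files)
    problems: List[str] = []
    if acc["module"] != KRB5_MODULE or acc["flag"] != "required":
        problems.append("accept entry must use Krb5LoginModule with flag 'required'")
    if acc.get("useKeyTab") != "true" or acc.get("storeKey") != "true":
        problems.append("accept entry needs useKeyTab=true and storeKey=true")
    if acc.get("isInitiator", "true") != "false":   # Krb5LoginModule defaults to initiator
        problems.append("accept entry needs isInitiator=false (it validates tickets, it does not request them)")
    keytab = acc.get("keyTab", "")
    if not keytab:
        problems.append("keyTab is not set")
    elif os.path.basename(keytab) == "krb5.conf":
        problems.append(f"keyTab={keytab!r} is the Kerberos client config, not a keytab file")
    elif keytab not in files:
        problems.append(f"keyTab file {keytab!r} does not exist")
    if not SPN_RE.match(acc.get("principal", "")):
        problems.append("principal must be the HTTP/<host> SPN the keytab was exported for")
    return problems


def parse_contexts(text: str) -> List[Dict[str, str]]:
    """One attribute dict per <Context> block: tag attributes merged with the
    key="value" lines inside the element."""
    contexts = []
    for head, body in CONTEXT_RE.findall(text):
        attrs = dict(ATTR_RE.findall(head))
        attrs.update(ATTR_RE.findall(body))
        contexts.append(attrs)
    return contexts


def check_sts_context(contexts: List[Dict[str, str]], expected_path: str) -> List[str]:
    """Problems with the STS context. expected_path is the URL path the STS
    endpoints are requested under (an assumption of this example)."""
    sts = [c for c in contexts if c.get("type") == "STS"]
    if not sts:
        return ['server.conf has no <Context type="STS"> block']
    problems: List[str] = []
    for ctx in sts:
        if ctx.get("enable") != "yes":
            problems.append(f"STS context {ctx.get('name')!r} is not enabled")
        if ctx.get("path") != expected_path:
            problems.append(f"STS context path {ctx.get('path')!r} does not match {expected_path!r}")
    return problems


if __name__ == "__main__":
    for p in check_accept_entry(parse_login_conf(SAMPLE_LOGIN_CONF), ["/etc/krb5.conf"]):
        print("login.conf:", p)
    for p in check_sts_context(parse_contexts(SAMPLE_SERVER_CONF), "/sts"):
        print("server.conf:", p)
```

Run against the real files by reading them instead of the samples and passing a real file-existence check (for example `[p for p in (acc_keytab,) if os.path.isfile(p)]`, or simply replacing the membership test with os.path.isfile). The parser is deliberately narrow: it understands the comment style and the `name { module flag options; };` shape this file uses, not the full JAAS grammar.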