The Security Token Service (STS) is deployed by default in the Data Services Server. You can see this by selecting Services > List and viewing the Deployed Services page. A security token service implements the protocol defined in the WS-Trust specification, which defines message formats and message exchange patterns for issuing, renewing, cancelling and validating security tokens. A given security token service provides one or more of these capabilities, and the client interacts with the STS to have any of them performed.
A security token is an XML payload in the form requested by the relying party service. If it is a SAML token, it represents a collection of claims in the form of assertions. A claim is a statement made about a client, service or another resource (for example a name, identity, key, group, privilege or capability). A client that needs to access a service which requires a security token issued by a specific token issuer (the STS) must present a security token issued by that issuer. Any service can state in its service policy what claims it requires before it grants access, and the client needs those claims fulfilled in its security token. For example, the service can state, in plain language: "To access me, your request must carry your first name, last name and age in the security token; otherwise access will be denied."
In summary, a security token is issued by the STS with the claims required by the service.
...
Interaction between the client and the STS
...
The interaction between a client who wants to access a service and the STS is given in the example below.
- The client wants to access service A.
- Service A requires a security token containing the client's name and age before it grants access.
- The client requests a security token from the STS.
- The STS requires the client to prove his/her identity via a UsernameToken.
- The client provides his/her username and password.
- The STS authenticates the client and issues a token.
- The client presents the security token to service A and gains access to it.
...
A security token service issues tokens only to clients it trusts. A trust relationship between the client and the STS can be established via username/password, certificates or any other means defined by the STS. The STS communicates the required form of trust relationship in its security policy, as per WS-SecurityPolicy.
For example, an STS can require all its clients either to sign the Request for Security Token (RST) or to prove their identity via a UsernameToken (username/password). First, the client prepares the RST (the request, in the terminology of the WS-Trust specification) and sends a Web service request secured in compliance with the security policy of the STS. The RST carries the claims the client wants in the response, that is, in the security token. It also includes:
- The endpoint reference (EPR) of the service at which the client will use this token.
- The desired validity period of the expected security token.
- The token type of the expected security token (SAML 1.1 or SAML 2.0), among other details.
Once the client sends the RST to the STS, the STS first checks the authenticity of the requester by validating the request against its own security policy. It then prepares the security token and returns it in a Request Security Token Response (RSTR). The STS includes all the requested claims and signs the token with its private key. It then looks up the public certificate of the service to which the client will present this token and encrypts the token with that certificate. The encrypted security token is therefore opaque to the client: only the target service can decrypt it, and the client cannot alter the claims inside without breaking the STS signature.
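The exchange described above, with the RST fields just listed and the checks an STS makes before issuing, as an added example that is not part of the original page or of the Data Services Server code. It uses only the Python standard library. The namespace URIs are the real WS-Trust 1.3, WS-Addressing, WS-Policy, WS-Security Utility and SAML 2.0 ones; the user, password, claims, service address and key are constructed for the demo. Two simplifications are assumptions, not how a real STS works: the XML-Signature made with the STS private key is stood in for by an HMAC over the assertion bytes, and the encryption of the token to the service's certificate is left out.

```python
# Added example (not from the page or WSO2): the WS-Trust exchange above with both sides'
# messages, Python stdlib only. Namespace URIs are the real ones; users, claims, endpoint and
# key are constructed. ASSUMPTION: the XML-Signature made with the STS private key is stood in
# for by an HMAC over the assertion bytes, and encryption to the service's certificate is left out.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUE = WST + "/Issue"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
FIRST, LAST, AGE = IC + "/claims/givenname", IC + "/claims/surname", IC + "/claims/age"

USERS = {"alice": "correct-horse"}  # constructed STS state: UsernameToken credentials
USER_CLAIMS = {"alice": {FIRST: "Alice", LAST: "Liddell", AGE: "34"}}  # claims it can vouch for
SERVICE_A = "https://service-a.example/ws"
TRUSTED_RP = {SERVICE_A}  # services whose certificate the STS holds
MAX_LIFETIME = timedelta(hours=1)  # issuing policy
STS_SIGNING_KEY = b"demo-sts-key"  # stand-in for the STS private key (assumption)
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

class STSError(Exception): pass
def _iso(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_iso(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_rst(applies_to, lifetime_minutes, claims, now, token_type=SAML2_TOKEN):
    """Client side: an RST asking the STS to Issue a token for use at `applies_to`."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to  # EPR of the target service
    life = ET.SubElement(rst, f"{{{WST}}}Lifetime")  # desired validity period
    ET.SubElement(life, f"{{{WSU}}}Expires").text = _iso(now + timedelta(minutes=lifetime_minutes))
    cl = ET.SubElement(rst, f"{{{WST}}}Claims", Dialect=IC)  # claims wanted in the token
    for uri in claims:
        ET.SubElement(cl, f"{{{IC}}}ClaimType", Uri=uri)
    return ET.tostring(rst)

def parse_rst(rst_xml):
    """STS side: the RST fields the issuing decision depends on."""
    root = ET.fromstring(rst_xml)
    if root.tag != f"{{{WST}}}RequestSecurityToken":
        raise STSError("not a RequestSecurityToken")
    exp = root.findtext(f"{{{WST}}}Lifetime/{{{WSU}}}Expires")
    return {
        "request_type": root.findtext(f"{{{WST}}}RequestType"),
        "token_type": root.findtext(f"{{{WST}}}TokenType"),
        "applies_to": root.findtext(f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address"),
        "expires": _parse_iso(exp) if exp else None,
        "claims": [c.get("Uri") for c in root.iterfind(f"{{{WST}}}Claims/{{{IC}}}ClaimType")],
    }

def issue_token(rst_xml, username, password, now):
    """STS side: authenticate the requester, validate the RST, then build and sign the token."""
    expected = USERS.get(username, "")  # policy here: UsernameToken, compared in constant time
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        raise STSError("requester not trusted")
    req = parse_rst(rst_xml)
    if req["request_type"] != ISSUE or req["token_type"] != SAML2_TOKEN:
        raise STSError("unsupported RequestType or TokenType")
    if req["applies_to"] not in TRUSTED_RP:  # the STS must know the service to encrypt for it
        raise STSError("unknown relying party in AppliesTo")
    # The requested Lifetime is a wish, not an order: clamp it to the STS maximum.
    expires = min(req["expires"] or now + MAX_LIFETIME, now + MAX_LIFETIME)
    if expires <= now:
        raise STSError("requested Lifetime has already expired")
    missing = [u for u in req["claims"] if u not in USER_CLAIMS.get(username, {})]
    if missing:  # only claims the STS can actually assert about this user go in
        raise STSError(f"cannot assert claims {missing}")
    attrs = {u: USER_CLAIMS[username][u] for u in req["claims"]}
    assertion = _build_assertion(username, req["applies_to"], attrs, now, expires)
    return {"assertion": assertion, "expires": expires,
            "signature": hmac.new(STS_SIGNING_KEY, assertion, hashlib.sha256).hexdigest()}

def _build_assertion(subject, audience, attrs, now, expires):
    """A SAML 2.0 Assertion carrying the claims as attributes, restricted to one audience."""
    a = ET.Element(f"{{{SAML2}}}Assertion", Version="2.0", IssueInstant=_iso(now))
    ET.SubElement(ET.SubElement(a, f"{{{SAML2}}}Subject"), f"{{{SAML2}}}NameID").text = subject
    cond = ET.SubElement(a, f"{{{SAML2}}}Conditions", NotBefore=_iso(now), NotOnOrAfter=_iso(expires))
    aud = ET.SubElement(cond, f"{{{SAML2}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{SAML2}}}Audience").text = audience
    st = ET.SubElement(a, f"{{{SAML2}}}AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(st, f"{{{SAML2}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = value
    return ET.tostring(a)

def verify_token(token, now, audience=SERVICE_A):
    """Service side: STS signature, validity window and audience must all check out."""
    mac = hmac.new(STS_SIGNING_KEY, token["assertion"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, token["signature"]):
        return False
    cond = ET.fromstring(token["assertion"]).find(f"{{{SAML2}}}Conditions")
    aud = cond.findtext(f"{{{SAML2}}}AudienceRestriction/{{{SAML2}}}Audience")
    return aud == audience and _parse_iso(cond.get("NotBefore")) <= now < _parse_iso(cond.get("NotOnOrAfter"))
```

`build_rst(SERVICE_A, 10, [FIRST, LAST, AGE], DEMO_NOW)` produces the client's RST, `issue_token(rst, "alice", "correct-horse", DEMO_NOW)` is the STS deciding whether to issue, and `verify_token` is what service A does with the result. Three points the prose only implies are made explicit here: the STS refuses an AppliesTo it does not know (it would have no certificate to encrypt for), it clamps the requested Lifetime rather than honouring it, and the assertion names its audience, so a token issued for service A is rejected by any other service even though the signature is valid. In a real deployment the HMAC is an RSA XML-Signature and the assertion is additionally encrypted to the service's certificate, which is what makes the token opaque to the client.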
...