...
When issuing tokens, they will be encrypted from the public key of the trusted relying party. Accordingly, even the client who obtains the token to send to the RP has no visibility to the included token.
5. Now, let's apply security to the STS. You must provideĀ UsernameToken-based security, which means that the client should have a valid user account with the Identity Server to obtain a token from the STS.
6. Click on the "Apply Security Policy" link to configure security and go through the wizard.
7. Configure security and go through the wizard.
7.1. Select "UsernameToken" from the "Security Scenario" list.
7.2. Choose "everyone" from the "User Groups" list.
...