Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 Identity Server uses the security token service (STS) as the WS-Trust implementation. The STS is capable of issuing SAML 1.1 and 2.0 security tokens and has a SOAP/XML API for token issuance. This API can be secured with the UserNameToken or with any other WS-Security mechanism as explained below. 

Securing the Security Token Service

According to the Trust Brokering model defined in the WS-Trust specification, the users should authenticate themselves to the STS before obtaining a token. STS may use this authentication information when constructing the security token. For example, STS may populate the required claims based on the user name provided by the subject. Therefore, the STS service needs to be secured.

STS is configured under the Resident Identity Provider section of the WSO2 Identity Server Management Console

...

To secure the Security Token Service

...

:  

  1. On the Main tab, click Identity > Identity Providers > Resident
    Image Added
    The Resident Identity Provider page appears.
    Image Added

  2. Enter the required values as given below.

    FieldDescriptionSample Value
    Home Realm IdentifierThis is the domain name of the identity provider. If you do not enter a value here, when an authentication request comes to WSO2 Identity Server, a user will be prompted to specify a domain. You can enter multiple identifiers as a comma-separated list.localhost
    Idle Session Time OutThis is the duration in minutes for which an SSO session can be idle for. If WSO2 Identity Server does not receive any SSO authentication requests for the given duration, a session time out occurs. The default value is 15.15
    Remember Me Period

    This is the duration in weeks for which WSO2 Identity Server should remember an SSO session given that the Remember Me option is selected in the WSO2 Identity Server login screen.

    The default value is 2 weeks.

    2
  3. Under the Inbound Authentication Configuration section, click Security Token Service Configuration > Apply Security Policy.
    Image Added
  4. Select Yes in the Enable Security? dropdown drop down and  select a pre-configured security scenario according to your requirements. In  For this casetutorial, we will use  UsernameToken  under   the  Basic Scenarios  section. 

    Note

    You can find further details about security policy scenarios from the view scenario option.

  5. Click Next. The user domain and user group selection appears.

    Info

    Next steps may vary as per the security scenario that you have chosen under point (5) above. Below is for UsernameToken scenario.

  6. Provide the required details as follows:
    1. Select ALL-USER-STORE-DOMAINS
     from the drop-down
    1. .
    In the resulting page, select
    1. Select the role you created to grant permission to access secured service. In this example, the admin role is used. Next, click Finish.

      Note

      The Select Domain drop-down lists many domains. The listed User Groups can vary depending on the domain selected.

    Image Removed
    1. Image Added

  7. Click Finish.
  8. Click Ok on the confirmation dialog window that appears.
  9. Click Update to complete the process.

...

Do the following steps if you are using a Holder of Key subject confirmation method. See For more information, see Configuring STS for Obtaining Tokens with Holder-Of-Key Subject Confirmation for more information.

Info

The Subject confirmation methods define how a relying party (RP), which is the end service can make sure a particular security token issued by an STS is brought by the legitimate subject. If this is not done, a third party can take the token from the wire and send any request it wants including that token. The RP trusts that illegitimate party.

  1. See Configuring a Service Provider for details on adding a service provider. 
  2. Expand Under the Inbound Authentication Authenticatino Configuration section and the , click WS-Trust Security Token Service Configuration section. Click Configure > Configure. The STS Configuration page appears.
    Image Removed Image Added
  3. In the resulting screen, enter Enter the required details as given below. 

    FieldDescriptionSample Value
    Endpoint Address


    Enter the trusted relying party's endpoint address

    that

    , which is the endpoint address of the Security Token Service. For more information, see Broker Trust Relationship with WSO2 Identity Server

     and upload the public certificate of the trusted relying party

    info

    You need to add the certificate of the relying party to the truststore. For more information on how to create the certificate and add it to the truststore, see here.

    The endpoint must be used as the service URL to which the token gets delivered by the STS client. Then select the public certificate imported. Tokens issued are encrypted using the public certificate of the trusted relying party. Therefore, the consumer who obtains this token, to invoke the RP service,

    won't

    will not be able to see the token. 


    Image Removed

    Note

    Make sure to upload the certificate of the relying party to the truststore. For instructions, see Adding CA-signed ceritificates to keystores.



    https://localhost:9444/services/echo
    Certificate AliasThis is the alias of the certificate.wso2carbon

    Image Added

  4. Click Update to save the changes made to the service provider.

    Panel
    titleRelated Topics

    Run the STS client after configuring the service provider. See Running an STS Client to try For instructions on trying out a sample STS client, see Running an STS Client.