Versions Compared

Old Version 22

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Securing the Security Token Service

According to the Trust Brokering model defined in the WS-Trust specification, the users should authenticate themselves to the STS before obtaining a token. STS may use this authentication information when constructing the security token. For example, STS may populate the required claims based on the user name provided by the subject. Therefore, the STS service needs to be secured.

...

STS is configured under the Resident Identity Provider section of the WSO2 Identity Server Management ConsoleFollow the instructions below , to secure the Security Token Service by login logging into the management console.

...

  1. Log in as an admin to access the management console.
  2. Configure the Resident Identity Provider. See here for more detailed information on how to do this.
  3. In the Resident Identity Provider page, expand the Inbound Authentication Configuration section along with the Security Token Service Configuration section.
  4. Click Apply Security Policy.

  5. Select Yes in the Enable Security? dropdown and select a preconfigured pre-configured security scenario according to your requirements. In this case, we will use UsernameToken under the Basic Scenarios section. 

    Note

    You can find further details about security policy scenarios from the view scenario option.

  6. Click Next.

    Info

    Next steps may vary as per the security senario scenario that you have chosen under point (5) above. Below , is for UsernameToken scenario.

  7. Select ALL-USER-STORE-DOMAINS from the drop-down.

  8. In the resulting page, select the role you created , to grant permission to access secured service. In this example, the admin role is used. Next, click Finish.

    Note

    The Select Domain drop-down lists many domains. The listed User Groups can vary depending on the domain selected.


  9. Click Ok on the confirmation dialog window that appears.
  10. Click Update to complete the process.

...

Do the following steps if you are using a Holder of Key subject confirmation method. See Configuring STS for Obtaining Tokens with Holder-Of-Key Subject Confirmation for more information.

Info

The Subject confirmation methods define how a relying party (RP), which is the end service can make sure a particular security token issued by an STS is brought by the legitimate subject. If this is not done, a third party can take the token from the wire and send any request it wants including that token. The RP trusts that illegitimate party.

  1. See Configuring a Service Provider for details on adding a service provider. 
  2. Expand the Inbound Authentication Configuration section and the WS-Trust Security Token Service Configuration section. Click Configure.

  3. In the resulting screen, enter the trusted relying party's endpoint address that is theendpoint address of the Security Token Service. For more information, see Broker Trust Relationship with WSO2 ISIdentity Server and upload the public certificate of the trusted relying party. 

    Info

    You need to add the certificate of the relying party to the truststore. For more information on how to create the certificate and add it to the truststore, see here.

    The endpoint must be used as the service URL to which the token gets delivered by the STS client. 
    Then  Then select the public certificate imported. Tokens issued are encrypted using the public certificate of the trusted relying party.  ThereforeTherefore, the consumer who obtains this token, to invoke the RP service, won't be able to see the token. 

  4. Click Update to save the changes made to the service provider.

    Panel
    titleRelated Topics

    Run the STS client after configuring the service provider. See Running an STS Client to try out a sample STS client.

...