WSO2 Identity Server's security token service (STS) is its WS-Trust implementation. The STS can issue SAML 1.1 and SAML 2.0 security tokens and exposes a SOAP/XML API for token issuance. This API can be secured with a WS-Security UsernameToken or with any other WS-Security mechanism.
Configuring STS
STS is configured under the Resident Identity Provider section of the Identity Server Management Console. Use the following steps to do the configurations.
- Configure the Resident Identity Provider. See here for more detailed information on how to do this.
- In the Resident Identity Provider page, expand the Inbound Authentication Configuration section along with the Security Token Service Configuration section.
- Click Apply Security Policy. Select Yes in the Enable Security? drop-down and select UsernameToken under the Basic Scenarios section. Further details about each security policy scenario are available through the View Scenario option. Click Next.
- Select ALL-USER-STORE-DOMAINS from the Select Domain drop-down. The drop-down lists the configured user store domains, and the user groups shown depend on the domain selected. On the resulting page, select the role that is allowed to access the secured service; in this example the admin role is used. Click Finish.
- Click Ok on the confirmation dialog window that appears.
- Click Update to complete the process.
The STS is now configured and secured with username and password authentication; only users holding the admin role can consume the service. Because the UsernameToken scenario carries the password in the SOAP security header, clients should reach the STS over HTTPS only.
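As an added example (not WSO2's own code and not part of the original page), the following Python script builds the WS-Trust 1.3 RequestSecurityToken that an STS client sends to an STS secured in this way: a WS-Security UsernameToken header carrying the credentials, and an AppliesTo naming the relying party the token is for. It shows both the plaintext PasswordText form the UsernameToken scenario accepts and the PasswordDigest form defined by the UsernameToken Profile, and parses the message back so the fields can be checked. The STS URL, the relying-party URL and the admin/admin credentials are assumed placeholders.

```python
"""Build and parse a WS-Trust 1.3 RST secured with a WS-Security UsernameToken.
Added example, not WSO2 client code.  URLs and credentials are placeholders."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
PASSWORD_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ISSUE_REQUEST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
ISSUE_ACTION = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"

STS_URL = "https://localhost:9443/services/wso2carbon-sts"  # assumed STS endpoint
RP_URL = "http://localhost:8080/services/echo"              # assumed relying-party endpoint


def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def verify_password_digest(nonce_b64, created, password, digest):
    """What the STS side does: recompute the digest and compare in constant time."""
    return hmac.compare_digest(password_digest(nonce_b64, created, password), digest)


def build_rst(username, password, sts_url, applies_to, *, token_type=SAML2_TOKEN_TYPE,
              use_digest=False, nonce=None, created=None):
    """Return a SOAP 1.2 envelope carrying a UsernameToken and an Issue RST."""
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode("ascii")
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    env = ET.Element(_q("soap", "Envelope"))
    header = ET.SubElement(env, _q("soap", "Header"))
    ET.SubElement(header, _q("wsa", "Action")).text = ISSUE_ACTION
    ET.SubElement(header, _q("wsa", "To")).text = sts_url
    sec = ET.SubElement(header, _q("wsse", "Security"), {_q("soap", "mustUnderstand"): "true"})
    utok = ET.SubElement(sec, _q("wsse", "UsernameToken"))
    ET.SubElement(utok, _q("wsse", "Username")).text = username
    if use_digest:
        pw = ET.SubElement(utok, _q("wsse", "Password"), {"Type": PASSWORD_DIGEST})
        pw.text = password_digest(nonce_b64, created, password)
    else:
        # PasswordText is what the "UsernameToken" basic scenario uses: the
        # password travels in clear inside the header, so TLS is mandatory.
        pw = ET.SubElement(utok, _q("wsse", "Password"), {"Type": PASSWORD_TEXT})
        pw.text = password
    ET.SubElement(utok, _q("wsse", "Nonce"), {"EncodingType": BASE64_BINARY}).text = nonce_b64
    ET.SubElement(utok, _q("wsu", "Created")).text = created

    body = ET.SubElement(env, _q("soap", "Body"))
    rst = ET.SubElement(body, _q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, _q("wst", "RequestType")).text = ISSUE_REQUEST
    ET.SubElement(rst, _q("wst", "TokenType")).text = token_type
    # AppliesTo tells the STS which relying party the token is for; it must be
    # the endpoint address configured on the service provider.
    epr = ET.SubElement(ET.SubElement(rst, _q("wsp", "AppliesTo")), _q("wsa", "EndpointReference"))
    ET.SubElement(epr, _q("wsa", "Address")).text = applies_to
    return ET.tostring(env, encoding="unicode")


def parse_rst(xml_text):
    """Extract the fields an STS would look at from an RST envelope."""
    root = ET.fromstring(xml_text)
    utok = "soap:Header/wsse:Security/wsse:UsernameToken/"
    rst = "soap:Body/wst:RequestSecurityToken/"

    def text(path):
        el = root.find(path, NS)
        return None if el is None else el.text

    pw = root.find(utok + "wsse:Password", NS)
    return {
        "username": text(utok + "wsse:Username"),
        "password": None if pw is None else pw.text,
        "password_type": None if pw is None else pw.get("Type"),
        "nonce": text(utok + "wsse:Nonce"),
        "created": text(utok + "wsu:Created"),
        "request_type": text(rst + "wst:RequestType"),
        "token_type": text(rst + "wst:TokenType"),
        "applies_to": text(rst + "wsp:AppliesTo/wsa:EndpointReference/wsa:Address"),
    }


if __name__ == "__main__":
    print(build_rst("admin", "admin", STS_URL, RP_URL))
```

The STS authenticates the UsernameToken against the user store and then checks that the authenticated user holds a role permitted by the security policy (the admin role in the steps above) before issuing the token named in TokenType for the AppliesTo address.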
The next step is to add a service provider to consume the STS.
Adding a service provider for the STS client
Do the following steps if you are using the Holder-of-Key subject confirmation method. See Configuring STS for Obtaining Tokens with Holder-Of-Key Subject Confirmation for more information.
Subject confirmation methods define how a relying party (RP), the end service, can verify that a security token issued by the STS is presented by the legitimate subject. Without such a check (as with a bearer token), any third party that captures the token from the wire can replay it with whatever request it wants, and the RP will trust that illegitimate party as the subject.
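The check this paragraph describes, written out as an added Python example that is not part of the original page or of WSO2 Identity Server: a relying party inspects the SubjectConfirmation of a SAML 2.0 assertion, accepts a holder-of-key assertion only when the key that signed the incoming request matches the key confirmed in the assertion, and treats a bearer assertion as something anyone holding it could present, relying on the audience and validity window alone. The assertions, the relying-party URL and the certificate strings are constructed placeholders; verification of the STS signature on the assertion and decryption of the token are assumed to have happened before this check runs.

```python
"""Relying-party check of SAML 2.0 SubjectConfirmation (bearer vs holder-of-key).
Added example; assertions, URL and certificate strings are constructed placeholders.
The STS signature is assumed verified and the token decrypted beforehand."""
import xml.etree.ElementTree as ET  # production code: parse with defusedxml
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

RP_URL = "http://localhost:8080/services/echo"          # assumed RP endpoint (the AppliesTo value)
PRESENTER_CERT = "MIICconstructedPresenterCertBase64=="  # constructed stand-in for the client's X.509 cert
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2024, 6, 1, 12, 10, tzinfo=timezone.utc)


def _assertion(method, key_info=""):
    # Constructed sample assertion; a real one also carries a ds:Signature from the STS.
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0"
    IssueInstant="2024-06-01T11:59:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Subject>
    <saml:NameID>admin</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData>{key_info}</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-06-01T11:55:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{RP_URL}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


SAMPLE_BEARER = _assertion(BEARER)
SAMPLE_HOK = _assertion(
    HOLDER_OF_KEY,
    f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PRESENTER_CERT}"
    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")


def _utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(assertion_xml, audience, presenter_cert_b64=None, now=None):
    """Return (accepted, reason).  presenter_cert_b64 is the certificate whose key
    signed the request that carried the token, or None if the request was unsigned."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(assertion_xml)

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= _utc(not_on_or_after):
        return False, "assertion expired"
    audiences = [(e.text or "").strip()
                 for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, f"audience mismatch: {audiences}"

    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None:
        return False, "no SubjectConfirmation"
    method = sc.get("Method")
    if method == HOLDER_OF_KEY:
        cert = sc.find("saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            return False, "holder-of-key assertion carries no key"
        if presenter_cert_b64 is None:
            return False, "holder-of-key: request not signed, possession not proven"
        if "".join(cert.text.split()) != "".join(presenter_cert_b64.split()):
            return False, "holder-of-key: presenter's key differs from the confirmed key"
        return True, "holder-of-key: presenter proved possession of the subject key"
    if method == BEARER:
        # No proof of possession: whoever holds the bytes can present them, so the
        # RP depends entirely on TLS, the short validity window and the audience.
        return True, "bearer: accepted without proof of possession"
    return False, f"unsupported confirmation method {method!r}"


if __name__ == "__main__":
    for name, token, cert in [("holder-of-key, signed", SAMPLE_HOK, PRESENTER_CERT),
                              ("holder-of-key, stolen", SAMPLE_HOK, None),
                              ("bearer, stolen", SAMPLE_BEARER, None)]:
        print(name, "->", check_assertion(token, RP_URL, cert, SAMPLE_NOW))
```

The "bearer, stolen" case is the one the paragraph warns about: the check passes because nothing in a bearer assertion ties it to the sender, which is why the holder-of-key configuration below binds the token to the client's key.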
- See Configuring a Service Provider for details on adding a service provider.
- Expand the Inbound Authentication Configuration section and the WS-Trust Security Token Service Configuration section. Click Configure.
- In the resulting screen, enter the trusted relying party's endpoint address, that is, the URL of the end service for which the STS issues tokens (for more information see Broker Trust Relationship with WSO2 IS), and upload the public certificate of the trusted relying party. The STS client must use this same endpoint address as the service URL to which it delivers the token.
Usually, the security token is signed by the STS, so a certificate alias must be selected to sign the token; select the default wso2carbon certificate alias. The tokens issued are encrypted with the public key of the trusted relying party, so only the relying party can read them: even the client that obtains the token and forwards it to the RP has no visibility into its contents. Click Update to save the changes made to the service provider.
Related Topics
Run the STS client after configuring the service provider. See Running an STS Client to try out a sample STS client.