This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Securing the Security Token Service

In most instances it is necessary to secure the Security Token Service. According the Trust Brokering model defined in the WS-Trust specification, the users should authenticate themselves to the STS before obtaining a token. STS may use this authentication information when constructing the security token. For example, STS may populate the required claims based on the user name provided by the subject. You can apply a security policy for STS by clicking on the "Apply Security Policy" link.

Follow the instructions below to secure the Security Token Service.

  1. Start the WSO2 Identity Server.
  2. Log in as an admin to access the management console.
  3. Click List under Identity Providers in the Main menu and click Resident Identity Provider.
  4. In the resulting page, expand the Inbound Authentication Configuration section and the WS-Trust / WS-Federation (Passive) Configuration section.
  5. Click Apply Security Policy to configure security and go through the wizard.
  6. Select Yes from the Enable Security? dropdown and select a preconfigured security scenario according to your requirements.
  7. Click Next.
  8. Specify the Trusted Key Stores and Private key Store.
  9. Click Finish.
  10. Click OK in the WSO2 dialog window for confirmation of your action.