Configuring WS-Trust Security Token Service

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


WSO2 Identity Server uses the security token service (STS) as its WS-Trust implementation. The STS can issue SAML 1.1 and 2.0 security tokens and exposes a SOAP/XML API for token issuance. This API can be secured with UsernameToken or with any other WS-Security mechanism, as explained below.

Securing the Security Token Service

According to the trust brokering model defined in the WS-Trust specification, users must authenticate themselves to the STS before obtaining a token. The STS may use this authentication information when constructing the security token; for example, it may populate the required claims based on the user name provided by the subject. Therefore, the STS service itself needs to be secured.

STS is configured under the Resident Identity Provider section of the WSO2 Identity Server Management Console.

To secure the Security Token Service:  

  1. On the Main tab, click Identity > Identity Providers > Resident.

    The Resident Identity Provider page appears.

  2. Enter the required values as given below.

  3. Under the Inbound Authentication Configuration section, click Security Token Service Configuration > Apply Security Policy.

  4. Select Yes in the Enable Security? drop-down and select a pre-configured security scenario according to your requirements. For this tutorial, use UsernameToken under the Basic Scenarios section.

  5. Click Next. The user domain and user group selection appears.

  6. Provide the required details as follows:

    1. Select ALL-USER-STORE-DOMAINS.

    2. Select the role you created to grant permission to access the secured service. In this example, the admin role is used. Next, click Finish.

  7. Click Finish.

  8. Click Ok on the confirmation dialog window that appears.

  9. Click Update to complete the process.

Now the STS is configured and secured with a username and password. Only users with the admin role can consume the service.

The next step is to add a service provider to consume the STS.

Adding a service provider for the STS client

Do the following steps if you are using a Holder of Key subject confirmation method. For more information, see Configuring STS for Obtaining Tokens with Holder-Of-Key Subject Confirmation.

Subject confirmation methods define how a relying party (RP), that is, the end service, can verify that a security token issued by an STS is presented by the legitimate subject. Without such a check, a third party can take the token off the wire and send any request it wants with that token, and the RP will trust that illegitimate party.
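The relying-party side of this check, as an added example that is not part of the WSO2 documentation or product code: it inspects the SubjectConfirmation of an issued SAML 2.0 assertion and accepts the token only when it is holder-of-key and bound to the key the presenter proved possession of. It assumes the assertion's XML signature has already been verified, that the WS-Security layer supplies the presenter's key name (presenter_key_name), and, for brevity, that the key is identified by a KeyName rather than the X509Data or EncryptedKey a real token would carry.

```python
# Added example, not code from the WSO2 documentation: the relying-party (RP) side
# check of the SubjectConfirmation in a SAML 2.0 assertion issued by an STS.
# Assumes the assertion's XML signature has already been verified and that, for
# a holder-of-key token, the WS-Security layer has already established the name
# of the key the presenter proved possession of (presenter_key_name).
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def confirmation_methods(assertion_xml: str) -> List[str]:
    """Return the Method URI of every SubjectConfirmation in the assertion."""
    root = ET.fromstring(assertion_xml)
    return [sc.get("Method") for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)]

def token_bound_to_presenter(assertion_xml: str, presenter_key_name: Optional[str]) -> bool:
    """Accept the token only if it is holder-of-key and the key named in
    SubjectConfirmationData is the key the presenter proved possession of.
    A bearer token is rejected here: anyone who captures it could replay it."""
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOLDER_OF_KEY:
            continue
        key_name = sc.findtext("saml:SubjectConfirmationData/ds:KeyInfo/ds:KeyName", namespaces=NS)
        if key_name and presenter_key_name and key_name == presenter_key_name:
            return True
    return False

def _assertion(method: str, key_name: Optional[str] = None) -> str:
    """Constructed sample assertion for the demo (simplified: a real holder-of-key
    token carries the key itself, e.g. X509Data or EncryptedKey, not a bare KeyName)."""
    key_info = (f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>'
                if key_name else "")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" ID="_demo1">'
            "<saml:Issuer>localhost</saml:Issuer><saml:Subject><saml:NameID>alice</saml:NameID>"
            f'<saml:SubjectConfirmation Method="{method}">'
            f"<saml:SubjectConfirmationData>{key_info}</saml:SubjectConfirmationData>"
            "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>")

HOK_ASSERTION = _assertion(HOLDER_OF_KEY, "client-signing-key")   # token bound to a key
BEARER_ASSERTION = _assertion(BEARER)                             # token anyone could replay
```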

  1. Under the Inbound Authentication Configuration section, click WS-Trust Security Token Service Configuration > Configure. The STS Configuration page appears.

  2. Enter the required details as given below.

  3. Click Update to save the changes made to the service provider.