This requires registration of relying party endpoint addresses and their corresponding public certificates. In this scenario, STS generates a symmetric key and encrypts it with the public key of the relying party. This is included in the subject confirmation section of the SAML token, which is validated at the relying party end.
Follow the instructions below to configure STS for obtaining tokens with Holder-Of-Key subject confirmation (Symmetric Key).
- Start the WSO2 Identity Server.
- Log in as an admin to access the management console.
- Do the following steps if you are using a Holder-of-Key confirmation method.
- Navigate to the Service Providers section by clicking Add in the Main menu under Service Providers.
- Add a Service Provider Name and Description and click Register.
- In the resulting page, expand the Inbound Authentication Configuration and the WS-Trust Security Token Service Configuration sections. Click Configure.
  Enter the endpoint address of the trusted relying party and upload its public certificate (registered against that endpoint).
  The relying party will accept security tokens from the Identity Server.
  The tokens issued are encrypted using the public key of the trusted relying party. Accordingly, even the client that obtains the token to send to the RP has no visibility into the encrypted key material it carries.
- Click Apply.
- A new trusted service is added to the service provider.
You can delete any trusted service by clicking on the associated Delete link.
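The exchange described above (STS wraps a fresh symmetric key with the registered relying party's public key, embeds it in the SubjectConfirmation, and only the relying party can unwrap it) as an added, self-contained Go example; this is illustrative code, not WSO2 Identity Server's own implementation. It assumes a made-up endpoint `rpEndpoint`, a simplified SubjectConfirmation element instead of full SAML/XML-Encryption markup, and models the WS-Trust proof token by returning the clear-text key to the caller; binding the wrapped key to the endpoint through the OAEP label is a design choice of the example, not something the page states.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Constructed endpoint address of the trusted relying party, as it would be
// registered at the STS together with the relying party's public certificate.
const rpEndpoint = "https://rp.example.invalid/services/echo"

const hokMethod = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

// SubjectConfirmation is a simplified stand-in for the SAML element that
// carries the wrapped symmetric (proof) key for the relying party.
type SubjectConfirmation struct {
	XMLName      xml.Name `xml:"SubjectConfirmation"`
	Method       string   `xml:"Method,attr"`
	EncryptedKey string   `xml:"SubjectConfirmationData>EncryptedKey"`
}

// issueHoKToken plays the STS role: generate a fresh 256-bit symmetric key,
// wrap it with the registered relying party's public key (RSA-OAEP, label =
// endpoint) and embed it in the token. The clear-text key is returned
// separately, standing in for the proof token WS-Trust hands to the client.
func issueHoKToken(rpPub *rsa.PublicKey) (tokenXML string, proofKey []byte, err error) {
	proofKey = make([]byte, 32)
	if _, err = rand.Read(proofKey); err != nil {
		return "", nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rpPub, proofKey, []byte(rpEndpoint))
	if err != nil {
		return "", nil, err
	}
	sc := SubjectConfirmation{Method: hokMethod, EncryptedKey: base64.StdEncoding.EncodeToString(wrapped)}
	out, err := xml.Marshal(sc)
	if err != nil {
		return "", nil, err
	}
	return string(out), proofKey, nil
}

// recoverProofKey plays the relying party role: only the holder of the private
// key matching the registered certificate can unwrap the symmetric key. A client
// that merely carries the token cannot read it.
func recoverProofKey(tokenXML string, rpPriv *rsa.PrivateKey) ([]byte, error) {
	var sc SubjectConfirmation
	if err := xml.Unmarshal([]byte(tokenXML), &sc); err != nil {
		return nil, err
	}
	if sc.Method != hokMethod {
		return nil, fmt.Errorf("unexpected confirmation method %q", sc.Method)
	}
	wrapped, err := base64.StdEncoding.DecodeString(sc.EncryptedKey)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, rpPriv, wrapped, []byte(rpEndpoint))
}

// proveKeyPossession is what the client does with the proof key: it MACs the
// request body so the relying party can check the sender really holds the key.
func proveKeyPossession(proofKey, body []byte) string {
	m := hmac.New(sha256.New, proofKey)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// verifyKeyPossession is the relying party's check, using the key it unwrapped
// from the token; constant-time comparison avoids a timing side channel.
func verifyKeyPossession(proofKey, body []byte, macHex string) bool {
	got, err := hex.DecodeString(macHex)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, proofKey)
	m.Write(body)
	return hmac.Equal(got, m.Sum(nil))
}

func main() {
	rpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // relying party key pair (constructed)
	token, clientKey, _ := issueHoKToken(&rpKey.PublicKey)
	fmt.Println(token)
	body := []byte("<echo>hello</echo>")
	mac := proveKeyPossession(clientKey, body)
	rpKeyFromToken, err := recoverProofKey(token, rpKey)
	fmt.Println("unwrapped:", err == nil, "possession verified:", verifyKeyPossession(rpKeyFromToken, body, mac))
}
```

Running it prints the token fragment and `unwrapped: true possession verified: true`; a relying party that decrypts with a key other than the one registered at the STS gets a decryption error rather than a key, which is the property the configuration steps above rely on.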