Access Management

Differences between REST STS and SOAP STS

Because the SOAP STS implementation is based on the WS-Trust specification and the REST STS implementation is not, there are differences between the features they support. They are summarized in the table below:

Differences between the STS implementations
Feature Description REST STS SOAP STS

REST endpoints

REST endpoints exposed upon instance creation.

SOAP endpoints

AM .war and the SOAP STS .war files must be deployed in separate web containers to expose the SOAP endpoints.

Token transformations

AM STS issues OpenID Connect V1.0 (OIDC) and SAML V2.0 tokens (bearer, holder-of-key, sender vouches).

Username token → OIDC
OIDC → OIDC
X.509 token → OIDC
AM Session token → OIDC

Username token → SAML v2.0
X.509 token → SAML v2.0
(REST STS only) OIDC token → SAML v2.0
AM Session token → SAML v2.0

Publish service

You can configure REST or SOAP STS instances using the AM admin UI or programmatically. AM provides a REST STS publish service that allows you to publish these instances using a POST to the endpoints. Note that a published instance can have only a single encryption key. Therefore, you need one published instance per service provider that the web service invoking the STS intends to call.

Custom SAML assertion plugins

AM supports customizable SAML assertion statements. You can create custom plug-ins for Conditions, Subject, AuthenticationStatements, AttributeStatements, and AuthorizationDecisionStatements statements.

Custom token validators and providers

The AM REST STS provides the ability to customize tokens that are not supported by default by the STS. For example, you can configure STS to transform a token of type CUSTOM to a SAML V2.0 token.

Client SDK

AM provides a SOAP STS client SDK module to allow developers to use Apache CXF-STS classes.

ActAs and OnBehalfOf elements

AM SOAP STS supports delegated and proxied token relationships, as defined by the ActAs and OnBehalfOf elements in WS-Trust, which is available for Username and AM session tokens.

Security binding assertions

AM SOAP STS supports the WS-SecurityPolicy binding assertions that protect communication to and from the STS: transport, asymmetric, symmetric.

Custom WSDL

The AM SOAP STS comes with a pre-configured WSDL file. You can customize the policy bindings governing the input or output messages to or from the STS.

Logging service

The AM STS allows SOAP-STS log entries to be configured via java.util.logging, which allows logging to be configured via the logging.properties file in the Tomcat conf directory.

For more information about both implementations, see: