Access Management 7.3.2

STS overview

The Security Token Service (STS) lets AM bridge identities across existing federated environments to establish cross-domain trust relationships using token transformations. For example, you can federate two different environments by transforming OpenID Connect ID tokens into SAML v2.0 assertions.

The WS-Trust specification introduces the concept of a centralized runtime component called the Security Token Service (STS), which issues, cancels, and validates security tokens. A WS-Trust model involves communication between the following components, principally the requestor, the web service, and the STS:

  • The requestor is a web client or programmatic agent that wants to use a service offered by the web service.

  • The web service allows authenticated and authorized clients to access resources or applications.

  • The identity provider stores claims about subjects and works with the STS to issue security tokens.

  • The STS acts as a trusted third-party web service that asserts the identity of a requestor across different security domains through the exchange of security tokens, and brokers a trust relationship between the requestor and the web service provider. The STS issues tokens according to its configuration, which models the identity of a given identity provider, and issues those tokens for a specific relying party.

  • A security token is an STS data structure representing a set of claims that assert the identity of a subject. A single claim is one piece of identity information, such as a subject’s name, age, gender, or email address.

  • A security policy, defined in WS-SecurityPolicy, specifies the required elements, tokens, security bindings, supporting tokens, and protocol assertions, which are requirements for a web service to grant a subject access to its service.

    The security policy is defined in a WSDL document, which is an XML file that states what needs to be protected, what tokens are allowed for access, and transmission requirements for SOAP STS.

Web services and requestors (that is, consumers or clients) are typically deployed across different security domains and topologies. Each domain may require a specific security token type to assert authenticated identities. The STS provides a means to exchange tokens across these different domains, without re-authenticating or re-establishing trust relationships, while still allowing the requestor access to a web service’s protected resources.
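The following Python script is an added illustration of the model described above; it is not AM code and does not use AM's REST STS wire format. It plays all three roles: an identity provider mints an OIDC-style ID token, a toy STS validates that token against its own trust configuration (issuer, audience, expiry, signing key) and transforms it into a SAML 2.0-style bearer assertion restricted to one relying party, and the relying party verifies the assertion before trusting its subject. All issuer names, keys, the fixed clock value, and the list of released attributes are constructed assumptions, and HMAC stands in for the asymmetric XML signatures a real STS would use.

```python
"""Added illustration (not AM's own code): a toy Security Token Service that
transforms an OIDC-style ID token into a SAML 2.0-style bearer assertion for one
relying party. HMAC stands in for the RSA/XML-Signature keys a real STS would use."""
import base64, hashlib, hmac, json, secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed sample environment: every name, key and timestamp below is made up.
IDP_ISSUER = "https://idp.example.com"         # identity provider the STS trusts
STS_ISSUER = "https://sts.example.com"         # the STS's own entity id
RELYING_PARTY = "https://app.example.com/sp"   # the web service the assertion is for
IDP_KEY = b"constructed-idp-signing-key"
STS_KEY = b"constructed-sts-signing-key"
NOW = 1_700_000_000                            # fixed clock keeps the example deterministic


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def require(ok: bool, reason: str) -> None:
    if not ok:
        raise ValueError(reason)


def tag(name: str) -> str:
    return f"{{{SAML_NS}}}{name}"


def mint_id_token(claims: dict, key: bytes) -> str:
    """Identity provider side: the compact HS256 JWT handed to the requestor."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def validate_id_token(token: str, now: int = NOW) -> dict:
    """STS input side: accept the token only if the trusted IdP signed it, it is
    addressed to this STS, and it has not expired. Each check is a trust boundary."""
    head, body, sig = token.split(".")  # raises ValueError unless exactly three parts
    # Key and algorithm come from STS configuration, never from the token header.
    expected = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    require(hmac.compare_digest(expected, b64url_decode(sig)), "signature does not verify")
    claims = json.loads(b64url_decode(body))
    require(claims.get("iss") == IDP_ISSUER, "untrusted issuer")
    require(claims.get("aud") == STS_ISSUER, "token was not issued to this STS")
    require(isinstance(claims.get("exp"), int) and claims["exp"] > now, "token expired")
    return claims


def issue_assertion(claims: dict, now: int = NOW, lifetime: int = 300) -> tuple:
    """STS output side: a SAML 2.0-style assertion restricted to RELYING_PARTY,
    returned with a detached HMAC over its bytes (stand-in for an XML signature)."""
    a = ET.Element(tag("Assertion"), {"ID": "_" + secrets.token_hex(8),
                                      "Version": "2.0", "IssueInstant": str(now)})
    ET.SubElement(a, tag("Issuer")).text = STS_ISSUER
    ET.SubElement(ET.SubElement(a, tag("Subject")), tag("NameID")).text = claims["sub"]
    cond = ET.SubElement(a, tag("Conditions"),
                         {"NotBefore": str(now), "NotOnOrAfter": str(now + lifetime)})
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = RELYING_PARTY
    stmt = ET.SubElement(a, tag("AttributeStatement"))
    for name in ("email",):  # release only the claims this relying party is entitled to
        if name in claims:
            attr = ET.SubElement(stmt, tag("Attribute"), {"Name": name})
            ET.SubElement(attr, tag("AttributeValue")).text = claims[name]
    xml = ET.tostring(a)
    return xml, b64url(hmac.new(STS_KEY, xml, hashlib.sha256).digest())


def translate(id_token: str, now: int = NOW) -> tuple:
    """The token transformation: validate the input token, then issue the output token."""
    return issue_assertion(validate_id_token(id_token, now), now)


def accept_assertion(xml: bytes, sig: str, now: int = NOW) -> dict:
    """Relying party side: check STS signature, issuer, validity window and audience
    before trusting the subject and attributes."""
    expected = hmac.new(STS_KEY, xml, hashlib.sha256).digest()
    require(hmac.compare_digest(expected, b64url_decode(sig)), "assertion not signed by the STS")
    a, ns = ET.fromstring(xml), {"saml": SAML_NS}
    require(a.findtext("saml:Issuer", namespaces=ns) == STS_ISSUER, "unexpected issuer")
    cond = a.find("saml:Conditions", ns)
    require(int(cond.get("NotBefore")) <= now < int(cond.get("NotOnOrAfter")), "outside validity window")
    require(a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=ns)
            == RELYING_PARTY, "assertion is for a different audience")
    attrs = {e.get("Name"): e.findtext("saml:AttributeValue", namespaces=ns)
             for e in a.findall("saml:AttributeStatement/saml:Attribute", ns)}
    return {"subject": a.findtext("saml:Subject/saml:NameID", namespaces=ns), "attributes": attrs}


def demo() -> dict:
    """End to end: IdP issues an ID token, STS transforms it, relying party accepts it."""
    id_token = mint_id_token({"iss": IDP_ISSUER, "aud": STS_ISSUER, "sub": "alice",
                              "email": "alice@example.com", "exp": NOW + 60}, IDP_KEY)
    xml, sig = translate(id_token)
    return accept_assertion(xml, sig)
```

The point the script makes is that the transformation itself is the easy part; the value of an STS lies in the checks on either side of it. The STS accepts an input token only from the identity provider it is configured to trust and only when that token was issued to the STS itself, and the assertion it emits names a single audience with a short validity window, so a token meant for one relying party cannot be replayed against another. The `demo()` call runs the whole exchange with the constructed fixtures.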

Based on this standard, AM provides two Security Token Services:

  • REST STS, a REST-based Security Token Service that provides a simpler deployment alternative to SOAP STS for token transformations. The REST STS does not conform to the WS-Trust specification.

  • SOAP STS, a WS-Trust 1.4-compliant Security Token Service.

    The AM SOAP STS is built upon the Apache CXF STS, an open-source implementation of JAX-WS and JAX-RS, as well as Apache WSS4J, an open-source Java implementation of the WS-Security specification.

    The SOAP STS service is deprecated and will be removed in a future release. Installing instances of this service is not supported.