--- title: Differences between REST STS and SOAP STS description: Because the SOAP STS implementation is based on the WS-Trust specification and the REST STS implementation is not, there are differences between the features they support. They are summarized in the table below: component: pingam version: 7.5 page_id: pingam:sts:sts-differences-summary canonical_url: https://docs.pingidentity.com/pingam/7.5/sts/sts-differences-summary.html keywords: ["Security Token Service (STS)", "Rest", "SOAP"] page_aliases: ["sts-guide:sts-differences-summary.adoc"] --- # Differences between REST STS and SOAP STS Because the SOAP STS implementation is based on the WS-Trust specification and the REST STS implementation is not, there are differences between the features they support. They are summarized in the table below: **Differences between the STS implementations** | Feature | Description | REST STS | SOAP STS | | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | | **REST endpoints** | REST endpoints exposed upon instance creation. | ✔ | ✖ | | **SOAP endpoints** | AM `.war` and the SOAP STS `.war` files must be deployed in separate web containers to expose the SOAP endpoints. | ✖ | ✔ | | **Token transformations** | AM STS issues OpenID Connect V1.0 (OIDC) and SAML 2.0 tokens (bearer, holder-of-key, sender vouches).Username token → OIDC OIDC → OIDC X.509 token → OIDC AM Session token → OIDCUsername token → SAML 2.0 X.509 token → SAML 2.0 (REST STS only) OIDC token → SAML 2.0 AM Session token → SAML 2.0 | ✔ | ✔ | | **Publish service** | You can configure REST or SOAP STS instances using the AM admin UI or programmatically. AM provides a REST STS publish service that allows you to publish these instances using a POST to the endpoints. Note that a published instance can have only a single encryption key. Therefore, you need one published instance per service provider that the web service invoking the STS intends to call. | ✔ | ✔ | | **Custom SAML assertion plugins** | AM supports customizable SAML assertion statements. You can create custom plug-ins for `Conditions`, `Subject`, `AuthenticationStatements`, `AttributeStatements`, and `AuthorizationDecisionStatements` statements. | ✔ | ✔ | | **Custom token validators and providers** | The AM REST STS provides the ability to customize tokens that are not supported by default by the STS. For example, you can configure STS to transform a token of type CUSTOM to a SAML 2.0 token. | ✔ | ✖ | | **Client SDK** | AM provides a SOAP STS client SDK module to allow developers to use Apache CXF-STS classes. | ✖ | ✔ | | **`ActAs` and `OnBehalfOf` elements** | AM SOAP STS supports delegated and proxied token relationships, as defined by the `ActAs` and `OnBehalfOf` elements in [WS-Trust](http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html), which is available for Username and AM session tokens. | ✖ | ✔ | | **Security binding assertions** | AM SOAP STS supports the [WS-SecurityPolicy](http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html) binding assertions that protect communication to and from the STS: transport, asymmetric, symmetric. | ✖ | ✔ | | **Custom WSDL** | The AM SOAP STS comes with a pre-configured WSDL file. You can customize the policy bindings governing the input or output messages to or from the STS. | ✖ | ✔ | | **Logging service** | The AM STS allows SOAP-STS log entries to be configured via `java.util.logging`, which allows logging to be configured via the `logging.properties` file in the Tomcat `conf` directory. | ✖ | ✔ | For more information about both implementations, see: * [REST STS](sts-rest.html) * [SOAP STS](sts-soap.html)