
WS-Trust 1.3 STS

OK, an STS is a web service that handles tokens.

Why do I need this web service between me and SAML, or me and OAuth? What advantages does the STS web service provide?

Anthony Lucia

1 Solution

btan (Exec Consultant) commented:
Three main players again. The STS really is like a "bouncer" employed by a manager (e.g. the Web services security policy mandated by the WS-Trust standard) who makes sure all clients are issued a legitimate access passport. This is what the shops will recognise before granting the client an additional discount or the requested treatment or entertainment (it may even be jointly 'agreed' further with the service provider).

- The client accesses the Web service. The client provides the credentials for authentication during the request to the Web service.
- The Web service is the service that requires authentication of a client prior to authorizing the client.
- The STS is the Web service that authenticates clients by validating the credentials presented by a client. The STS can issue a security token to a successfully authenticated client.
- The security token can be in the form of a SAML token (a standards-based XML token). SAML tokens are important for Web service security because they provide cross-platform interoperability and a means of exchanging security information between clients and services that do not reside within a single security domain.

... It is a kind of CA trust relationship in which both parties need to trust a "neutral party", in this case the STS, which attests the identity (or passport) of the client ... not only authentication per se ... some sort of access rule and policy scoping can be consistently applied depending on the client identity and its requested scope of service use ...

E.g. A client may also specify the scope of the request for a security token to the STS. Scope is a value that identifies the target of the client; it can be as granular as a single operation of the Web service or as broad as an application domain. The token issued by the STS can contain usage constraints that correspond to the scope of the request. Scope can be used to provide resource level authorization, with the STS comparing the value in the scope to a list of clients that are authorized to access the target.

Overall, just treat it in sense of - as long as the service consumer is in the possession of a security token issued by a trusted STS, the service provider accepts the token sent by the service consumer. This is the same pattern as for certificates and certificate authorities.

A key benefit of the STS is the reduced complexity for the web service consumer.
A web service consumer doesn't have to know how to create the various types of security tokens its service providers require. Instead, it sends a request to the STS containing the requirements of the client and the service provider, and attaches the returned security token to the outgoing SOAP message to the service provider. One service provider could require a SAML 1.1 token, another a SAML 2.0 token and another a custom binary security token. The service consumer doesn't have to understand SAML 1.1, SAML 2.0 or the custom binary security token. All it has to do is grab the returned token from the STS and attach it to the message. Thus, you can reduce the complexity in your application and move it to a centralized component.
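The three-party pattern described in the answer (client asks the STS for a token scoped to a target service, attaches it to the SOAP message, and the service trusts the STS rather than the client's credentials), as an added, self-contained example that is not from the original post or from any WS-Trust product. It uses the real WS-Trust 1.3, WS-Policy, WS-Addressing and WSS namespace URIs, but the user database, the signing key, the service address and the `GetQuote` operation are constructed for the demo, and the token is an HMAC-signed string rather than a SAML assertion with XML-DSig, so the service verifies with the same shared key instead of the STS's public certificate.

```python
"""WS-Trust style STS round-trip: client -> STS (RST/RSTR) -> service (SOAP)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Standard namespace URIs for WS-Trust 1.3, WS-Policy, WS-Addressing, SOAP 1.2 and WSS.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed STS state: one demo user and the key the STS signs tokens with.
STS_USERS = {"alice": "s3cret"}
STS_SIGNING_KEY = b"sts-demo-key-not-for-production"


def build_rst(username, password, applies_to):
    """Client side: a RequestSecurityToken naming the target service (wsp:AppliesTo)."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = "urn:demo:binary-token"
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"),
                        f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    # Credentials carried as a wsse:UsernameToken; the STS, not the service, checks them.
    creds = ET.SubElement(rst, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(creds, f"{{{WSSE}}}Username").text = username
    ET.SubElement(creds, f"{{{WSSE}}}Password").text = password
    return ET.tostring(rst)


def sts_issue(rst_xml):
    """STS side: authenticate the client, then issue a token bound to the requested scope."""
    rst = ET.fromstring(rst_xml)
    user = rst.findtext(f".//{{{WSSE}}}Username") or ""
    password = rst.findtext(f".//{{{WSSE}}}Password") or ""
    scope = rst.findtext(f".//{{{WSA}}}Address") or ""
    if not hmac.compare_digest(STS_USERS.get(user, ""), password):
        raise PermissionError("STS: authentication failed")
    # Token = subject | scope | signature; the scope is what lets the service
    # reject a token issued for a different target.
    payload = f"{user}|{scope}"
    sig = hmac.new(STS_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    token = base64.b64encode(f"{payload}|{sig}".encode()).decode()
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    requested = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    ET.SubElement(requested, f"{{{WSSE}}}BinarySecurityToken").text = token
    return ET.tostring(rstr)


def build_soap_request(rstr_xml, symbol):
    """Client side: copy the issued token into the wsse:Security header, unchanged."""
    token = ET.fromstring(rstr_xml).findtext(f".//{{{WSSE}}}BinarySecurityToken")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    ET.SubElement(security, f"{{{WSSE}}}BinarySecurityToken").text = token
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "GetQuote").text = symbol  # constructed demo operation
    return ET.tostring(env)


def service_accept(soap_xml, my_address):
    """Service side: trust rests on the STS signature and the token's scope,
    never on the client's password. Returns (accepted, subject_or_reason)."""
    env = ET.fromstring(soap_xml)
    token = env.findtext(f".//{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken")
    if token is None:
        return False, "no security token in header"
    try:
        user, scope, sig = base64.b64decode(token).decode().split("|")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(STS_SIGNING_KEY, f"{user}|{scope}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "token not issued by the trusted STS"
    if scope != my_address:
        return False, "token scoped to a different service"
    return True, user


if __name__ == "__main__":
    service_url = "https://quotes.example/ws"  # constructed service address
    rstr = sts_issue(build_rst("alice", "s3cret", service_url))
    message = build_soap_request(rstr, "ACME")
    print(service_accept(message, service_url))            # (True, 'alice')
    print(service_accept(message, "https://other.example"))  # scope mismatch rejected
```

The service never sees a password: it checks only that the token carries a valid STS signature and that its scope matches the service's own address, which is the "same pattern as certificates and CAs" point made above. Swapping the HMAC for XML-DSig over a SAML assertion changes the token format but not where the trust sits.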

