WS-Trust 1.3 STS

OK, STS is a web service that handles tokens.

Why do I need this web service between me and SAML, or me and OAuth? What advantages does the STS web service provide?

Anthony Lucia asked:

btan (Exec Consultant) commented:
Three main players again... The STS really is like a "bouncer" employed by a manager (e.g. the Web services security policy mandated by the WS-Trust standard) who makes sure all clients are issued with a legitimate access passport. This is what the shops will recognise before granting the client additional discounts or the requested treatment or entertainment (it may even be jointly 'agreed' further with the service provider).

-The client accesses the Web service. The client provides the credentials for authentication during the request to the Web service.
-The Web service is the service that requires authentication of a client prior to authorizing the client.
-The STS is the Web service that authenticates clients by validating credentials that are presented by a client. The STS can issue to a client a security token for a successfully authenticated client.
-The security token can be in the form of SAML tokens (standards-based XML tokens), which are important for Web service security because they provide cross-platform interoperability and a means of exchanging security information between clients and services that do not reside within a single security domain.

... a kind of CA trust relationship, in which both parties need to trust a "neutral party", in this case the STS, which attests the identity (or passport) of the client ... not only authentication per se ... some sort of access rule and policy scoping can be consistently applied depending on the client identity and its requested scope of service use ...

E.g. A client may also specify the scope of the request for a security token to the STS. Scope is a value that identifies the target of the client; it can be as granular as a single operation of the Web service or as broad as an application domain. The token issued by the STS can contain usage constraints that correspond to the scope of the request. Scope can be used to provide resource level authorization, with the STS comparing the value in the scope to a list of clients that are authorized to access the target.

Overall, just treat it in sense of - as long as the service consumer is in the possession of a security token issued by a trusted STS, the service provider accepts the token sent by the service consumer. This is the same pattern as for certificates and certificate authorities.

A key benefit of the STS is the reduced complexity for the web service consumer.
A web service consumer doesn't have to know how to create the various types of security tokens its service providers require. Instead, it sends a request to the STS containing the requirements of the client and the service provider and attaches the returned security token to the outgoing SOAP message to the service provider. One service provider could require a SAML 1.1 token, another a SAML 2.0 token and another a custom binary security token. The service consumer doesn't have to understand SAML 1.1, SAML 2.0 or the custom binary security token. All he has to do is grab the returned token from the STS and attach it to the message. Thus, you can reduce the complexity in your application and move it to a centralized component.
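The issue flow described in this answer (client sends an RST with a scope to the STS, the STS authenticates the client and returns a scoped token, the service provider accepts the token because it trusts the STS), as an added example that is not part of the original post or of any WS-Trust product. It builds a WS-Trust 1.3 RequestSecurityToken with a wsp:AppliesTo scope, has a toy STS authenticate the credentials and issue a token bound to that scope, and has two service providers check issuer, signature, audience and lifetime. Assumptions: the issued token is a small XML element signed with an HMAC key shared between the STS and the providers (a stand-in for a SAML assertion carrying an XML Signature over an X.509 key), the credentials ride inline in the RST instead of in a WS-Security UsernameToken header, and the endpoint addresses, issuer names, users and passwords are constructed for the demo.

```python
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

# WS-Trust 1.3 / WS-Policy / WS-Addressing namespaces used in the RST message.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
ISSUE = WST + "/Issue"
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SIGNED_ATTRS = ("Issuer", "Subject", "Audience", "NotOnOrAfter")


def build_rst(username, password, applies_to):
    """Client side: a wst:RequestSecurityToken asking for a SAML 2.0 token scoped to applies_to."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    # Real clients carry credentials in the WS-Security header (e.g. UsernameToken);
    # an inline element is an assumption made to keep the example self-contained.
    ET.SubElement(rst, "Credential", username=username, password=password)
    return ET.tostring(rst)


def sign_token(key, tok):
    """HMAC over the token's security-relevant attributes; stands in for ds:Signature (assumption)."""
    data = "|".join(f"{a}={tok.get(a, '')}" for a in SIGNED_ATTRS).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class STS:
    """Authenticates the RST's credentials and issues a signed token bound to the requested scope."""

    def __init__(self, issuer, signing_key, users, lifetime=300):
        self.issuer, self.key, self.users, self.lifetime = issuer, signing_key, users, lifetime

    def issue(self, rst_bytes, now=None):
        rst = ET.fromstring(rst_bytes)
        if rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
            raise ValueError("only the Issue binding is supported here")
        cred = rst.find("Credential")
        if cred is None:
            raise PermissionError("no credentials presented")
        user, pw = cred.get("username"), cred.get("password", "")
        if not hmac.compare_digest(self.users.get(user, ""), pw):
            raise PermissionError("authentication failed")
        scope = rst.findtext(f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address")
        if not scope:
            raise ValueError("AppliesTo is required so the token can be bound to one target")
        now = int(time.time()) if now is None else now
        tok = ET.Element("Token", Issuer=self.issuer, Subject=user, Audience=scope,
                         NotOnOrAfter=str(now + self.lifetime))
        tok.set("Signature", sign_token(self.key, tok))
        return ET.tostring(tok)


class ServiceProvider:
    """Relying party: trusts the STS rather than the client, so it checks issuer, signature, scope, lifetime."""

    def __init__(self, address, trusted_sts):
        self.address, self.trusted = address, trusted_sts  # {issuer: verification key}

    def accept(self, token_bytes, now=None):
        tok = ET.fromstring(token_bytes)
        key = self.trusted.get(tok.get("Issuer"))
        if key is None:
            return False, "untrusted issuer"
        if not hmac.compare_digest(sign_token(key, tok), tok.get("Signature", "")):
            return False, "bad signature"
        if tok.get("Audience") != self.address:
            return False, "scope mismatch"
        now = int(time.time()) if now is None else now
        if now >= int(tok.get("NotOnOrAfter", "0")):
            return False, "expired"
        return True, tok.get("Subject")


def demo(now=1_700_000_000):
    """Run the flow once on constructed data and return what each provider-side check decided."""
    key = b"key-shared-by-sts-and-providers"
    sts = STS("urn:sts:example", key, {"alice": "s3cret"})
    orders = ServiceProvider("https://orders.example/ws", {"urn:sts:example": key})
    billing = ServiceProvider("https://billing.example/ws", {"urn:sts:example": key})
    token = sts.issue(build_rst("alice", "s3cret", orders.address), now=now)
    rogue = STS("urn:sts:rogue", b"attacker-key", {"alice": "s3cret"})  # an STS nobody trusts
    results = {
        "orders": orders.accept(token, now=now),
        "billing": billing.accept(token, now=now),  # token was scoped to orders, not billing
        "expired": orders.accept(token, now=now + 600),
        "tampered": orders.accept(token.replace(b'Subject="alice"', b'Subject="admin"'), now=now),
        "rogue": orders.accept(rogue.issue(build_rst("alice", "s3cret", orders.address), now=now), now=now),
    }
    try:
        sts.issue(build_rst("alice", "wrong", orders.address), now=now)
        results["bad_credentials"] = "issued"
    except PermissionError:
        results["bad_credentials"] = "refused"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:16} {outcome}")
```

The point the demo makes is the one the answer makes: the orders service never sees alice's password and does not need to know how the STS authenticated her; it only needs the STS's verification key, and it still enforces the scope (the same token is refused by billing), the lifetime, and integrity (editing the Subject invalidates the signature). Swapping the token type the STS emits (SAML 1.1, SAML 2.0, a custom format) would change only the STS and the providers' verification step, not the client.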
