WS-Trust 1.3 STS

Posted on 2014-08-07
Last Modified: 2014-08-08
OK, an STS is a web service that handles tokens.

Why do I need this web service between me and SAML, or between me and OAuth? What advantages does the STS web service provide?

Question by: Anthony Lucia

    Accepted Solution

    Three main players again. The STS really is like a "bouncer" employed by a manager (e.g. the Web services security policy mandated by the WS-Trust standard) who makes sure all clients are issued a legitimate access passport. This is what the shops will recognise before granting the client an additional discount or the requested treatment or entertainment (which may even be further 'agreed' jointly with the service provider).

    -The client accesses the Web service. The client provides the credentials for authentication during the request to the Web service.
    -The Web service is the service that requires authentication of a client prior to authorizing the client.
    -The STS is the Web service that authenticates clients by validating the credentials that are presented by a client. The STS can issue a security token to a successfully authenticated client.
    -The security token can take the form of a SAML token (a standards-based XML token), which is important for Web service security because it provides cross-platform interoperability and a means of exchanging security information between clients and services that do not reside within a single security domain.

    ... a kind of CA trust relationship in which both parties need to trust a "neutral party", in this case the STS, which attests the identity (or passport) of the client... not only authentication per se... some sort of access rule and policy scoping can be consistently applied depending on the client identity and its requested scope of service use ...

    E.g. A client may also specify the scope of the request for a security token to the STS. Scope is a value that identifies the target of the client; it can be as granular as a single operation of the Web service or as broad as an application domain. The token issued by the STS can contain usage constraints that correspond to the scope of the request. Scope can be used to provide resource level authorization, with the STS comparing the value in the scope to a list of clients that are authorized to access the target.

    Overall, just treat it in this sense: as long as the service consumer is in possession of a security token issued by a trusted STS, the service provider accepts the token sent by the service consumer. This is the same pattern as for certificates and certificate authorities.

    A key benefit of the STS is the reduced complexity for the web service consumer.
    A web service consumer doesn't have to know how to create the various types of security tokens its service providers require. Instead, it sends a request to the STS containing the requirements of the client and the service provider, and attaches the returned security token to the outgoing SOAP message to the service provider. One service provider could require a SAML 1.1 token, another a SAML 2.0 token and another a custom binary security token. The service consumer doesn't have to understand SAML 1.1, SAML 2.0 or the custom binary security token. All it has to do is grab the returned token from the STS and attach it to the message. Thus, you can reduce the complexity in your application and move it to a centralized component.
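As an added illustration of the exchange the accepted answer describes (example code, not from the original post or from any WS-Trust product), the Python sketch below builds a WS-Trust 1.3 RequestSecurityToken scoped to one service via wsp:AppliesTo, extracts the issued token from a constructed RequestSecurityTokenResponse, runs the provider-side "trusted STS plus scope" checks the answer alludes to, and attaches the token to the wsse:Security header of an outgoing SOAP 1.2 message. The STS and service addresses, the issuer, the subject and the RSTR content are all made up for the example; XML-Signature verification of the assertion is deliberately omitted and flagged in the code.

```python
"""WS-Trust 1.3 token issue exchange, sketched from the consumer's side.

Added example: build an RST scoped to one service, pull the token out of a
constructed RSTR, run the provider-side checks, and put the token in the
wsse:Security header of a SOAP 1.2 message. No network, no XML-Signature.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

# Namespaces fixed by the WS-* specifications named on the page.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # WS-Trust 1.3
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ISSUE = NS["wst"] + "/Issue"
SAML2_TOKEN_TYPE = ("http://docs.oasis-open.org/wss/"
                    "oasis-wss-saml-token-profile-1.1#SAMLV2.0")

# Assumed, made-up endpoints for this example.
STS_ADDRESS = "https://sts.example.test/trust/13"
SERVICE_ADDRESS = "https://orders.example.test/OrderService"


def q(prefix, local):
    """Clark-notation tag name for an element in one of the NS prefixes."""
    return "{%s}%s" % (NS[prefix], local)


def build_rst(applies_to, token_type=SAML2_TOKEN_TYPE):
    """RST body: the consumer names the target service (wsp:AppliesTo, the
    'scope' from the answer) and the token type the provider wants. It never
    has to know how to construct that token itself."""
    rst = ET.Element(q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    ET.SubElement(rst, q("wst", "TokenType")).text = token_type
    applies = ET.SubElement(rst, q("wsp", "AppliesTo"))
    epr = ET.SubElement(applies, q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = applies_to
    return ET.tostring(rst, encoding="unicode")


# Constructed sample RSTR standing in for what the STS would return; the
# ds:Signature a real STS adds over the assertion is left out for brevity.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:TokenType>%s</wst:TokenType>
  <wst:RequestedSecurityToken>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_c0ffee" Version="2.0" IssueInstant="2014-08-07T10:00:00Z">
      <saml2:Issuer>%s</saml2:Issuer>
      <saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
      <saml2:Conditions NotBefore="2014-08-07T10:00:00Z"
          NotOnOrAfter="2014-08-07T10:05:00Z">
        <saml2:AudienceRestriction>
          <saml2:Audience>%s</saml2:Audience>
        </saml2:AudienceRestriction>
      </saml2:Conditions>
    </saml2:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>""" % (SAML2_TOKEN_TYPE, STS_ADDRESS, SERVICE_ADDRESS)


def extract_token(rstr_xml):
    """Return the issued token element. To the consumer it is an opaque blob
    to forward, whatever its format (SAML 1.1, SAML 2.0, binary...)."""
    root = ET.fromstring(rstr_xml)
    requested = root.find("wst:RequestedSecurityToken", NS)
    if requested is None or len(requested) == 0:
        raise ValueError("RSTR carries no RequestedSecurityToken")
    return requested[0]


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def validate_token(token, service_address, trusted_issuers, now_utc):
    """Provider-side checks behind 'accept any token from a trusted STS':
    known issuer, inside its validity window, and scoped (Audience) to this
    service. Returns the list of failures; empty means accepted.
    A real provider must first verify the STS's XML signature over the
    assertion; without that, 'trusted issuer' is only a string match."""
    problems = []
    if token.findtext("saml2:Issuer", default="", namespaces=NS) not in trusted_issuers:
        problems.append("untrusted issuer")
    cond = token.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("no conditions")
        return problems
    now = _utc(now_utc)
    if not _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")):
        problems.append("outside lifetime")
    audiences = [a.text for a in cond.iterfind(".//saml2:Audience", NS)]
    if service_address not in audiences:
        problems.append("audience mismatch")
    return problems


def attach_token(token, body_xml):
    """SOAP 1.2 envelope with the token in a mustUnderstand wsse:Security
    header, which is all the consumer has to do with it."""
    env = ET.Element(q("s", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("s", "Header")), q("wsse", "Security"))
    sec.set(q("s", "mustUnderstand"), "true")
    sec.append(token)
    ET.SubElement(env, q("s", "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    print(build_rst(SERVICE_ADDRESS))
    tok = extract_token(SAMPLE_RSTR)
    print(validate_token(tok, SERVICE_ADDRESS, {STS_ADDRESS}, "2014-08-07T10:02:00Z"))
    print(attach_token(tok, '<o:GetOrder xmlns:o="urn:example:orders">42</o:GetOrder>'))
```

The consumer half (build_rst, extract_token, attach_token) shows why the answer calls the STS a complexity reducer: nothing in it depends on the token format. The provider half (validate_token) is where the "trusted STS" pattern is actually enforced, and the audience check is the scope comparison the answer describes; a token issued for the order service is rejected by the billing service even though the same STS signed it.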
