This topic explains how to access the Security Token Service (STS) in WSO2 Identity Server programmatically. It first describes the subject confirmation methods the STS supports, and then walks through the configuration the Identity Server needs before it will issue security tokens.
Understanding different confirmation methods
Subject confirmation methods are how a relying party (the end service) verifies that a security token issued by a Security Token Service (STS) is being presented by its legitimate subject. Without such a check, a third party that captures the token on the wire can attach it to any request it likes, and the relying party will trust that illegitimate third party as if it were the subject.
The following are the three methods of confirmation.
- Bearer: Strictly speaking this is not a confirmation method, because no subject confirmation is performed. The relying party simply trusts whoever presents the token, so a bearer token must be protected in transit (for example with TLS) and kept short-lived, since anyone who obtains it can use it.
- Holder of Key (HoK):
- The STS embeds the client's public key inside the security token and signs the token.
- The client signs the request with the corresponding private key before sending it to the relying party.
- When the relying party receives the request, it first validates the STS signature over the token and then validates the client's signature using the public key embedded in the token. A token captured on the wire is useless to anyone who does not also hold the client's private key.
- Sender Vouches:
- The client authenticates with an intermediate service rather than with the STS.
- The intermediary obtains the security token from the STS, vouches for the client's identity, and signs the request before forwarding it to the relying party.
- The relying party must trust both the intermediary and the STS, so it validates both signatures.
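The bearer and holder-of-key checks described above, as an added example in Go. This is not code from WSO2 Identity Server or from this page: it uses Ed25519 signatures and a small JSON structure in place of a signed SAML assertion, so only the verification logic carries over. The `Issue`, `BuildRequest` and `Verify` functions, the field names and the sample subject are assumptions made for the example. Sender vouches is not modelled; its extra step is the same STS-style signature check applied to the intermediary's signature.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token stands in for the signed assertion the STS issues (a SAML assertion in
// WSO2's case). Holder-of-key tokens carry the requester's public key; bearer tokens carry none.
type Token struct {
	Subject    string            `json:"subject"`
	Method     string            `json:"method"`
	SubjectKey ed25519.PublicKey `json:"subject_key,omitempty"`
	NotAfter   int64             `json:"not_after"`
}

// SignedToken is the token plus the STS signature over its serialized form.
type SignedToken struct {
	Token  Token  `json:"token"`
	STSSig []byte `json:"sts_sig"`
}

// Request is what reaches the relying party: token, body and (holder-of-key only) the presenter's signature.
type Request struct {
	Token     SignedToken `json:"token"`
	Body      string      `json:"body"`
	ClientSig []byte      `json:"client_sig,omitempty"`
}

// canonical returns the bytes that get signed; json.Marshal is deterministic for these structs.
func canonical(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

func signedBytes(tok SignedToken, body string) []byte {
	return append(canonical(tok), body...)
}

// Issue is the STS side: bind the subject (and its key, if one is given) and sign.
func Issue(stsPriv ed25519.PrivateKey, subject string, subjectKey ed25519.PublicKey, ttl time.Duration) SignedToken {
	t := Token{Subject: subject, Method: "bearer", NotAfter: time.Now().Add(ttl).Unix()}
	if len(subjectKey) > 0 {
		t.Method = "holder-of-key"
		t.SubjectKey = subjectKey
	}
	return SignedToken{Token: t, STSSig: ed25519.Sign(stsPriv, canonical(t))}
}

// BuildRequest is the client side: a holder-of-key client proves possession of the
// bound private key; a bearer client (clientPriv == nil) just attaches the token.
func BuildRequest(tok SignedToken, body string, clientPriv ed25519.PrivateKey) Request {
	r := Request{Token: tok, Body: body}
	if clientPriv != nil {
		r.ClientSig = ed25519.Sign(clientPriv, signedBytes(tok, body))
	}
	return r
}

// Verify is the relying party side: STS signature first, then, for holder-of-key,
// the presenter's signature checked with the key taken from inside the token.
func Verify(stsPub ed25519.PublicKey, r Request, now time.Time) error {
	t := r.Token.Token
	if !ed25519.Verify(stsPub, canonical(t), r.Token.STSSig) {
		return errors.New("STS signature invalid")
	}
	if now.Unix() > t.NotAfter {
		return errors.New("token expired")
	}
	switch t.Method {
	case "bearer":
		return nil // whoever presents the token is accepted
	case "holder-of-key":
		if len(t.SubjectKey) != ed25519.PublicKeySize {
			return errors.New("holder-of-key token carries no subject key")
		}
		if !ed25519.Verify(t.SubjectKey, signedBytes(r.Token, r.Body), r.ClientSig) {
			return errors.New("presenter does not hold the subject key")
		}
		return nil
	}
	return errors.New("unknown confirmation method " + t.Method)
}

func main() {
	stsPub, stsPriv, _ := ed25519.GenerateKey(nil)
	cliPub, cliPriv, _ := ed25519.GenerateKey(nil)
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	hok := Issue(stsPriv, "alice", cliPub, time.Minute)
	fmt.Println("HoK, legitimate client:", Verify(stsPub, BuildRequest(hok, "pay 10", cliPriv), time.Now()))
	fmt.Println("HoK, token replayed by attacker:", Verify(stsPub, BuildRequest(hok, "pay 10", attackerPriv), time.Now()))
	bearer := Issue(stsPriv, "alice", nil, time.Minute)
	fmt.Println("Bearer, token replayed by attacker:", Verify(stsPub, BuildRequest(bearer, "pay 10", nil), time.Now()))
}
```

Running it shows the difference the confirmation method makes: the replayed holder-of-key token is rejected because the attacker cannot produce a signature under the key the STS bound, while the replayed bearer token is accepted. Note that the relying party never needs a separate channel to learn the client's key; the STS signature over the token is what makes the embedded key trustworthy.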
Configuring STS to issue security tokens
- Log in as an admin to access the management console.
- Do the following steps if you are using the Holder of Key confirmation method.
- Navigate to the Service Providers section by clicking Add in the Main menu under Service Providers.
- Add a Service Provider Name and Description and click Register.
- In the resulting page, expand the Inbound Authentication Configuration and the WS-Trust Security Token Service Configuration sections. Click Configure.
Enter the trusted relying parties and, against each endpoint, upload the public certificate of that relying party.
These are the relying parties that will accept security tokens from the Identity Server.
Tokens issued for a relying party are encrypted with that party's public key. As a result, even the client that obtains a token in order to forward it to the RP cannot read the token's contents; only the RP, which holds the matching private key, can decrypt it.
- Click Apply.
Now apply security to the STS itself. To do this, do the following.
This step is required for both the Holder of Key and the Bearer confirmation methods. You must apply UsernameToken-based security, which means that a client must authenticate with a valid user account on the Identity Server in order to obtain a token from the STS.
- In the management console, click List under Identity Providers in the Main menu.
- Click Resident Identity Provider.
- In the resulting page, expand the Inbound Authentication Configuration section and the WS-Trust / WS-Federation (Passive) Configuration section.
- Click Apply Security Policy and go through the wizard using the following steps.
- Select Yes from the Enable Security? dropdown.
- Select UsernameToken from the Basic Scenarios list.
- Click Next.
- Choose Internal/everyone from the User Groups list. This allows any user in the internal user store to request tokens; choose a narrower role if only specific accounts should be able to obtain tokens from the STS.
- Click Finish.
This is all you need to do to configure the Identity Server STS to issue security tokens.