This documentation is for WSO2 Identity Server 5.0.0. View documentation for the latest release.
Page Comparison - Implementing WS-Trust (v.1 vs v.2) - Identity Server 5.0.0 - WSO2 Documentation

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


STS is configured under the Resident Identity Provider section of the Identity Server management console. Use the following step to do the configurations.

  1. Configure the Resident Identity Provider. See here for more detailed information on how to do this.
  2. In the Resident Identity Provider page, expand the Inbound Authentication Configuration section along with the WS-Trust/WS-Federation(Passive) Configuration section.
  3. Click Apply Security Policy.
  4. Select Yes in the Enable Security? dropdown and select UsernameToken under the Basic Scenarios section.
  5. Click Next.
  6. In the resulting page, select the admin checkbox and click Finish.
  7. Click Ok on the confirmation dialog window that appears and click Update to complete the process.

Now STS is configured and secured with a username and password. Only users with the Admin role can consume the service.

The next step is to add a service provider to consume the STS.

Adding a service provider for the STS client

  1. See here for details on adding a service provider. 
  2. Expand the Inbound Authentication Configuration section and the WS-Trust Security Token Service Configuration section. Click Configure.
    Image Added
  3. In the resulting screen, enter the Endpoint Address. This must be used as the service URL and the token is delivered by the STS client.
    Image Added
  4. Click Update to save the changes made to the service provider.

Now the service provider is configured successfully. Next you need to run the STS client.

Running the STS client

  1. The code for the client can be checked out from here.

    Code Block
    svn co
  2. Build the client using mvn install.

  3. Once the client is built successfully, run the file in Unix or sts-client.bat in Windows. You can see that the SAML token issued from the STS is being printed by the client.


    The "connection refuse" error occurs in a situation where the STS client attempts to send the received SAML token to a service that is not running in this case.

Request and response messages to and from the STS


Image Added


Image Added