This documentation is for WSO2 Identity Server 5.4.0 . View documentation for the latest release.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The following communication paths are illustrated in the above figure using arrows.

    • The requester
  • may grant
    • provides credentials to STS and grant a security token by sending a RST to the STS or from a third party application.
    • STS validates the client credentials and reply with security token (SAML) to the requester.      
    • The token is then submitted to the relying party(web service) by the requester in order to access its services.
    • The Web service either trusts the issuing security token service or may request a token service to validate the token (or the Web service may validate the token itself).
    • Then STS send the decision to the web service. 
    • If the token is valid then web service allow accessing the protected resource(s).

Requesting tokens

Configuring the Identity Server to request tokens


You can run the STS client without setting the relying party in IS in order to grant a security token. It is not necessary to have a relying party to grant the security token from the STS.

titleBefore you begin!

Download the


samples directory.

  1. Navigate to <IS_SAMPLES>/modules/samples/sts/sts-client directory. 
    The client code is written to send RSTs to a given endpoint defined in the the <IS_SAMPLES>/modules/samples/sts/sts-client/src/main/resources/ file file.
  2. The following is the service URL of the STS if you have started the IS on default port: https://localhost:9443/services/wso2carbon-sts
  3. Without changing other any of the properties you can safely run the client via the shell script located at that is inside the <IS_SAMPLES>/modules/samples/sts/sts-client folder via the following command directory.

    Code Block

    It prints the received SAML assertion on the terminal. You can also can view the RST and RSTR on the the SOAP tracer of  of the Management Console in the Identity Server.


The SAML 2.0 tokens that are received by the Identity Server can eventually expire according to the following attribute specification. This section defines how to renew the received bearer type SAML 2.0 token using the WSO2 Identity Server’s resident token service.

Code Block

This section defines how to renew the received bearer type SAML 2.0 token using the WSO2 Identity Server’s resident token service.

After the security token service is configured(refer Configuring the Identity Server to request tokens) you can follow the below steps to run the STS client as  as the token renewer.

Running the client