Figure 2–10 shows how the Web Services Trust technology establishes trust.
To establish trust between a client, a Security Token Service, and a web service:
1. The client establishes an HTTPS connection with the Security Token Service using one of the following methods:
   - Username Authentication and Transport Security: The client authenticates to the Security Token Service using a username token. The Security Token Service uses a certificate to authenticate to the client. Transport security is used for message protection.
   - Mutual Authentication: Both the client side and the server side use X.509 certificates to authenticate to each other. The client request is signed using the client's X.509 certificate and then signed using an ephemeral key. The web service signs the response using keys derived from the client's key.
2. The client sends a RequestSecurityToken message to the Security Token Service.
3. The Security Token Service sends a Security Assertion Markup Language (SAML) token to the client.
4. The client uses the SAML token to authenticate itself to the web service, and trust is established.
All communication uses SOAP messages.
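The exchange in steps 2 through 4 as an added example that is not part of the original page or of any WS-Trust product: the client builds the RequestSecurityToken, pulls the SAML assertion out of a constructed STS reply, places it in the wsse:Security header of its service request, and the web service checks that the assertion's audience is itself before accepting it. The STS URL, service URL and the sample response are assumptions; XML signature handling is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
for p, u in NS.items():
    ET.register_namespace(p, u)

def q(prefix, local):  # qualified tag name helper
    return "{%s}%s" % (NS[prefix], local)

def build_rst(service_url):
    """Client -> STS (step 2): RequestSecurityToken asking to Issue a SAML 2.0 token scoped to service_url."""
    env = ET.Element(q("s", "Envelope"))
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, q("wst", "TokenType")).text = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = service_url
    return ET.tostring(env)

# Constructed sample STS reply (step 3); a real STS would also carry an XML signature over the assertion.
SAMPLE_RSTR = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestSecurityTokenResponse><wst:RequestedSecurityToken>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
<saml2:Issuer>https://sts.example</saml2:Issuer><saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>
<saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>https://svc.example/ws</saml2:Audience>
</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""

def extract_issued_token(rstr_bytes):
    """Client: locate the saml2:Assertion inside the RequestSecurityTokenResponse."""
    return ET.fromstring(rstr_bytes).find(".//wst:RequestedSecurityToken/saml2:Assertion", NS)

def build_service_request(assertion, body_xml):
    """Client -> web service (step 4): present the issued assertion in the wsse:Security header."""
    env = ET.Element(q("s", "Envelope"))
    ET.SubElement(ET.SubElement(env, q("s", "Header")), q("wsse", "Security")).append(assertion)
    ET.SubElement(env, q("s", "Body")).append(ET.fromstring(body_xml))
    return ET.tostring(env)

def audience_matches(assertion, service_url):
    """Web service: accept the token only if the STS scoped it to this service (besides verifying the signature)."""
    auds = assertion.findall(".//saml2:AudienceRestriction/saml2:Audience", NS)
    return any(a.text == service_url for a in auds)
```

A token issued for a different AppliesTo address fails the audience check even when its signature is valid, which is what stops a token meant for one service from being replayed at another.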