41.5 About the Architecture of the Security Token Service

Security Token Service is a centralized token service that supports the WS-Trust protocol. WS-Trust defines extensions to the WS-Security specification for issuing and exchanging security tokens and for establishing trust relationships. The Security Token Service is hosted as a web service endpoint and coordinates security-based interactions between a web service client (WSC) and a web service provider (WSP).

Figure 41-1 shows that all communication with the Security Token Service occurs through a WS-Trust client.

Figure 41-1 Security Token Service Architecture


When a WSC makes a call to the WSP, it gets the WS-Security policy, which indicates that a security token issued by the Security Token Service must be presented. The policy includes the location of the Security Token Service. The WSC uses that location to contact the Security Token Service and retrieve the token expected by the WSP. (Alternatively, the WSP could register its acceptable security mechanisms with the Security Token Service and, before validating an incoming SOAP request, check with the Security Token Service to determine those mechanisms.)

When an authenticated WSC (carrying credentials that confirm the identity of either the end user or the application) requests a token for access to a WSP, the Security Token Service verifies the credentials and, in response, issues a security token that provides proof that the WSC has been authenticated. The WSC presents the security token to the WSP, which verifies that the token was issued by a trusted Security Token Service.
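The three-party flow described above (WSC requests a token from the STS, the STS verifies credentials and issues it, the WSP accepts only a token from the trusted STS), as an added example that is not part of this guide and not Oracle's code. It uses the real WS-Trust 1.3 namespace and Issue RequestType; the WSP endpoint, the credential store and the STS signing key are constructed, an HMAC stands in for the XML signature a real STS applies, and the credentials travel as plain elements rather than a WS-Security UsernameToken.

```python
import base64, hashlib, hmac, json, time
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # real WS-Trust 1.3 namespace
ISSUE = WST + "/Issue"                                      # the spec's Issue RequestType
# Constructed demo values; the HMAC stands in for the XML signature a real STS applies.
WSP_ENDPOINT = "https://wsp.example.test/orders"
USER_DB = {"alice": "correct horse"}
STS_SIGNING_KEY = b"sts-demo-signing-key"

def build_rst(username, password, applies_to):
    """WSC side: RequestSecurityToken naming the WSP the token is for."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, "AppliesTo").text = applies_to
    ET.SubElement(rst, "Username").text = username
    ET.SubElement(rst, "Password").text = password
    return ET.tostring(rst)

def sts_issue(rst_xml):
    """STS side: verify the caller's credentials, then answer with an RSTR carrying a signed token."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
        return None
    user, pw = rst.findtext("Username"), rst.findtext("Password") or ""
    if user not in USER_DB or not hmac.compare_digest(USER_DB[user].encode(), pw.encode()):
        return None
    claims = {"sub": user, "aud": rst.findtext("AppliesTo"), "exp": int(time.time()) + 300}
    body = base64.b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken").text = body + "." + sig
    return ET.tostring(rstr)

def token_from_rstr(rstr_xml):
    return ET.fromstring(rstr_xml).findtext(f"{{{WST}}}RequestedSecurityToken")

def wsp_verify(token, audience, now=None):
    """WSP side: accept only a token the trusted STS signed, addressed to this WSP and unexpired."""
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()):
        return None
    claims = json.loads(base64.b64decode(body))
    if claims["aud"] != audience or claims["exp"] < (now or time.time()):
        return None
    return claims["sub"]  # the authenticated subject the WSP may now authorize

def exchange(username, password):
    rstr = sts_issue(build_rst(username, password, WSP_ENDPOINT))
    return wsp_verify(token_from_rstr(rstr), WSP_ENDPOINT) if rstr else None
```

The WSP checks the signature, the audience and the expiry before trusting the subject, so a token minted for another WSP, altered in transit, or replayed after expiry is rejected.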