Oracle OpenSSO Security Token Service (OpenSSO STS) establishes a trust relationship between a web service client and a web service provider, and then brokers the trust between them. The web service can trust tokens issued by just one entity instead of having to communicate with several clients. In this way, OpenSSO STS significantly reduces trustpoint management overhead.
The following sections provide instructions for determining your security token needs, and for configuring the Security Token Service to generate and validate security tokens to meet those needs.
When you add a new web service provider security agent profile, the web service provider is automatically registered to OpenSSO STS. See To Create a New Agent Profile in Sun OpenSSO Enterprise 8.0 Administration Guide.
Once you've registered a web service provider to OpenSSO STS, you can configure OpenSSO STS to generate web client security tokens acceptable by the web service provider.
First determine what kind of security token the web service provider requires. OpenSSO STS supports Liberty Alliance Project Security Tokens and Web Services-Interoperability Basic Security Profile Security Tokens.
Use the Security Token Generation Matrix to help you configure OpenSSO STS to generate a web service client security token required by the web service provider. First, in the last column titled OpenSSO STS Output Token, find a description that meets the web service provider token requirements. Then use the parameter values in the same row when you configure the Security Token Service. The "Token Generation Matrix Legend" provides information about the table headings and available options. See Section 5.2.3, "To Configure the Security Token Service" for detailed configuration instructions. For general information about Web Service Security and related terminology, see:
http://www.oracle.com/technology/tech/standards/pdf/security.pdf
http://download.oracle.com/docs/cd/E15523_01/web.1111/b32511/ intro_security.htm#CDDHHGEE
The Security Token Generation Matrix summarizes frequently-used Security Token Service parameter settings and the types of security tokens OpenSSO STS generates based on these settings.
Table 4–1 Security Token Generation Matrix
Row |
Message-Level Security Binding |
Web Service Client Token |
KeyType |
OnBehalfOf Token |
Use Key |
OpenSSO STS Output Token |
1 |
Asymmetric |
X509 |
Bearer |
Yes |
No |
SAML Bearer, no proof key |
2 |
Asymmetric |
Username |
Bearer |
Yes |
No |
SAML Bearer, no proof key |
3 |
Asymmetric |
X509 |
Bearer |
No |
No |
SAML Bearer, no proof key |
4 |
Asymmetric |
Username |
Bearer |
No |
No |
SAML Bearer, no proof key |
5 |
Asymmetric |
X509 |
Symmetric |
Yes |
No |
SAML Holder-of-Key, Symmetric proof key |
6 |
Asymmetric |
Username |
Symmetric |
Yes |
No |
SAML Holder-of-Key, Symmetric proof key |
7 |
Asymmetric |
X509 |
Symmetric |
No |
No |
SAML Holder-of-Key, Symme |
8 |
Asymmetric |
Username |
Symmetric |
No |
No |
SAML Holder-of-Key, Symmetric proof key |
9 |
Asymmetric |
X509 |
Asymmetric |
No |
Web Service Client public key |
SAML Holder-of-Key, Asymmetric proof key |
10 |
Asymmetric |
X509 |
Oracle-proprietary for SAML sender-vouches |
Yes |
No |
SAML sender-vouches, no proof key |
11 |
Asymmetric |
Username |
Oracle-proprietary for SAML sender-vouches |
Yes |
No |
SAML sender-vouches, no proof key |
12 |
Transport |
Username |
Bearer |
Yes |
No |
SAML Bearer, no proof key |
13 |
Transport |
Username |
Bearer |
No |
No |
SAML Bearer, no proof key |
14 |
Transport |
Username |
Symmetric |
Yes |
No |
SAML Holder-of-Key, Symmetric |
15 |
Transport |
Username |
Symmetric |
No |
No |
SAML Holder-of-Key, Symmetric proof key |
16 |
Transport |
Username |
Oracle-proprietary for SAML sender-vouches |
Yes |
No |
SAML sender-vouches, no proof key |
17 |
Asymmetric |
X509 |
Asymmetric |
No |
No |
SAML Holder-of-Key, Asymmetric proof key |
18 |
Asymmetric |
X509 |
No |
No |
No |
SAML Holder-of-Key, Asymmetric proof key |
19 |
Asymmetric |
Username |
No |
No |
No |
SAML Holder-of-Key, Symmetric proof key |
20 |
Transport |
Username |
No |
No |
No |
SAML Holder-of-Key, Symmetric proof key |