Generating Security Tokens

Oracle OpenSSO Security Token Service (OpenSSO STS) establishes a trust relationship between a web service client and a web service provider, and then brokers the trust between them. The web service can trust tokens issued by just one entity instead of having to communicate with several clients. In this way, OpenSSO STS significantly reduces trustpoint management overhead.

The following sections provide instructions for determining your security token needs, and for configuring the Security Token Service to generate and validate security tokens to meet those needs.

Registering a Web Service Provider to OpenSSO STS

When you add a new web service provider security agent profile, the web service provider is automatically registered to OpenSSO STS. See To Create a New Agent Profile in Sun OpenSSO Enterprise 8.0 Administration Guide.

Once you've registered a web service provider to OpenSSO STS, you can configure OpenSSO STS to generate web client security tokens acceptable by the web service provider.

Requesting a Web Service Client Security Token from OpenSSO STS

First determine what kind of security token the web service provider requires. OpenSSO STS supports Liberty Alliance Project Security Tokens and Web Services-Interoperability Basic Security Profile Security Tokens.

Using the Security Token Generation Matrix

Use the Security Token Generation Matrix to help you configure OpenSSO STS to generate a web service client security token required by the web service provider. First, in the last column titled OpenSSO STS Output Token, find a description that meets the web service provider token requirements. Then use the parameter values in the same row when you configure the Security Token Service. The "Token Generation Matrix Legend" provides information about the table headings and available options. See Section 5.2.3, "To Configure the Security Token Service" for detailed configuration instructions. For general information about Web Service Security and related terminology, see:

• http://www.oracle.com/technology/tech/standards/pdf/security.pdf

• http://download.oracle.com/docs/cd/E15523_01/web.1111/b32511/ intro_security.htm#CDDHHGEE

The Security Token Generation Matrix summarizes frequently-used Security Token Service parameter settings and the types of security tokens OpenSSO STS generates based on these settings.

Table 4–1 Security Token Generation Matrix

Row	Message-Level Security Binding	Web Service Client Token	KeyType	OnBehalfOf Token	Use Key	OpenSSO STS Output Token
1	Asymmetric	X509	Bearer	Yes	No	SAML Bearer, no proof key
2	Asymmetric	Username	Bearer	Yes	No	SAML Bearer, no proof key
3	Asymmetric	X509	Bearer	No	No	SAML Bearer, no proof key
4	Asymmetric	Username	Bearer	No	No	SAML Bearer, no proof key
5	Asymmetric	X509	Symmetric	Yes	No	SAML Holder-of-Key, Symmetric proof key
6	Asymmetric	Username	Symmetric	Yes	No	SAML Holder-of-Key, Symmetric proof key
7	Asymmetric	X509	Symmetric	No	No	SAML Holder-of-Key, Symme
8	Asymmetric	Username	Symmetric	No	No	SAML Holder-of-Key, Symmetric proof key
9	Asymmetric	X509	Asymmetric	No	Web Service Client public key	SAML Holder-of-Key, Asymmetric proof key
10	Asymmetric	X509	Oracle-proprietary for SAML sender-vouches	Yes	No	SAML sender-vouches, no proof key
11	Asymmetric	Username	Oracle-proprietary for SAML sender-vouches	Yes	No	SAML sender-vouches, no proof key
12	Transport	Username	Bearer	Yes	No	SAML Bearer, no proof key
13	Transport	Username	Bearer	No	No	SAML Bearer, no proof key
14	Transport	Username	Symmetric	Yes	No	SAML Holder-of-Key, Symmetric
15	Transport	Username	Symmetric	No	No	SAML Holder-of-Key, Symmetric proof key
16	Transport	Username	Oracle-proprietary for SAML sender-vouches	Yes	No	SAML sender-vouches, no proof key
17	Asymmetric	X509	Asymmetric	No	No	SAML Holder-of-Key, Asymmetric proof key
18	Asymmetric	X509	No	No	No	SAML Holder-of-Key, Asymmetric proof key
19	Asymmetric	Username	No	No	No	SAML Holder-of-Key, Symmetric proof key
20	Transport	Username	No	No	No	SAML Holder-of-Key, Symmetric proof key