Sun OpenSSO Enterprise 8.0 Developer's Guide

The Security Token Service

When a WSC communicates with a WSP it must first connect with a trusted authority to determine the security mechanism and, optionally, obtain the security token expected by the WSP. This information is registered with the trusted authority by the WSP. The Security Token Service is a trusted authority that provides issuance and management of security tokens; that is, it makes security statements or claims often, although not required to be, in cryptographically protected sets. The OpenSSO Enterprise trust brokering process is as follows.

  1. An authenticated WSC requests a token to access a particular WSP.

  2. The Security Token Service verifies the credentials presented by the WSC.

  3. In response to an affirmative verification, the Security Token Service issues a security token that provides proof that the client has been authenticated.

  4. The WSC presents the security token to the WSP.

  5. The WSP verifies that the token was issued by a trusted Security Token Service, affirming authentication and authorizing access.

The Security Token Service communicates using the WS-Trust protocol and serves WS-I BSP security tokens. (Any WSC or WSP can communicate remotely with OpenSSO Enterprise Security Token Service using the WS-Trust protocol.) The Security Token Service also serves as a Discovery Service, able to communicate using the Liberty ID-WSF protocol and serve Liberty Alliance Project security tokens.

Web Container Support

OpenSSO Enterprise as a Security Token Service is supported on different web containers including:

With this support, any WSC or WSP can communicate remotely with OpenSSO Enterprise Security Token Service using the WS-Trust protocol.

Security Tokens

The Security Token Service issues, renews, cancels, and validates security tokens that can contain an identifier for either the WSC or the actual end user. It also allows you to write a proprietary token providers using the included service provider interfaces (SPI). Finally, it provides application programming interfaces (API), based on the WS-Trust protocol, that allow applications to access the service. By default, the Security Token Service serves tokens based on the Liberty Alliance Project and WS-Trust specifications. The WS-I BSP specifications and the Liberty Alliance Project developed security profiles for web services security. These security mechanism are implemented for web services security using the provider interfaces. The following list contains the supported mechanisms.

Anonymous

Carries no security information.

User Name Token

Carries basic information (username and, optionally, a password or shared secret) for purposes of authenticating the user identity to the WSP. Communication is done in plain text so SSL over HTTPS transport must be used to protect the credentials.

User Name Token-Plain

Carries basic information (username and a clear text password or shared secret) for purposes of authenticating the user identity to the WSP. Communication is done in plain text so SSL over HTTPS transport must be used to protect the credentials.

Kerberos Token

Carries basic information (username and, optionally, a password or shared secret), in a Kerberos token, for purposes of authenticating the user identity to the WSP.

X.509 Token

Contains an X.509 formatted certificate for authentication using credentials created with a public key infrastructure (PKI). In this case, the WSC and WSP must trust each other's public keys or share a common, trusted certificate authority.

SAML-Holder-Of-Key Token

Uses the SAML holder-of-key confirmation method whereby the WSC supplies a SAML assertion with public key information as the means for authenticating the requester to the web service provider. A second signature binds the assertion to the SOAP payload. Can use either SAML v1.x or SAML v2.

SAML-SenderVouches Token

Uses the SAML sender-vouches confirmation method whereby the WSC adds a SAML assertion and a digital signature to a SOAP header. A sender certificate or public key is also provided with the signature. Can use either SAML v1.x or SAML v2.

Token Conversion

The Security Token Service is able to convert from one token format to another. For example, an OpenSSO Enterprise SSOToken can be converted to a SAML v2 token or a SAML v1.x token to a SAML v2 token. Token conversion plug-ins can be developed using the token conversion interface in the com.sun.identity.wss.sts package.

Configuring the Security Token Service

To configure a WSC to communicate with the Security Token Service end point (by default, http://server:port/opensso/sts), download and deploy the Client SDK WAR and see the README and samples. To protect the Security Token Service, login to the console and click the Configuration tab. Following, click the Global tab and the Security Token Service link for security configurations. The Security Token Service WSDL is fam.sts.