The Security Token Service controls who can access a Web Service Provider (WSP) by defining Application Domains that provide access to resources based on configured policies.
Application Domains identify Web Services and the authorization rules that determine who can request a security token.
The following functionality is established by Trust Issuance Policies. A Trust Issuance Policy can be managed by clicking the Application Domains link from the Oracle Access Management Console Launch Pad.
Resource of type TokenServiceRP representing Relying Parties or Web Service Providers.
Token Issuance Policy defining a policy for a set of resources of type TokenServiceRP.
Condition defining the identities of the clients that are allowed or denied issuance of tokens for the resources listed in the policy. The clients can either be Requester Partners or User from the Default Identity Store.
Security Token Service supports the creation of Relying Party Partner, representing a remote Web Service Provider that will be the consumer of a security token issued by Security Token Service.
For each Relying Party Partner, it is possible to define URLs that will be mapped to the partner, so that WS-Addressing endpoint specified in a WS-Trust Request can be mapped to an Security Token Service Relying Party Partner.
At runtime, when a client requests a token to be issued, Security Token Service will evaluate the Trust Issuance Policies to determine whether or not the token can be issued:
The client will be identified either as a Requester Partner or as an end user
If an AppliesTo element was present in the WS-Trust Request and was mapped to a Relying Party Partner, then the TokenServiceRP resource for the Trust Issuance Policy evaluation will be the Partner ID of that Security Token Service Relying Partner.
If an AppliesTo element was present in the WS-Trust Request and could not be mapped to a Relying Party Partner, then the TokenServiceRP resource for the Trust Issuance Policy evaluation will be the UnknownRP defined in the Access Manager Application Domain.
If an AppliesTo element was missing in the WS-Trust Request, then the TokenServiceRP resource for the Trust Issuance Policy evaluation will be the MissingRP defined in the Access Manager Application Domain.
Security Token Service requires the following items (at a minimum) to process a request and issue a token based on an incoming request (RST):
One Issuance Template
One Validation Template
One Requester Partner Profile that contains the token
One Relying Party Partner Profile
Partners might need to be provisioned.
An LDAP server is required for the Security Token Service to map the Username token that references the user to an LDAP User record, and then use that record to populate the outgoing token. Partners might need to be provisioned before they are available.