Figure 41-1 shows that all communication with the Security Token Service occurs through a WS-Trust client.
Figure 41-1 Security Token Service Architecture
When a WSC makes a call to the WSP, it gets the WS-Security policy that indicates that a security token issued by the Security Token Service should be presented. The policy includes the location of the Security Token Service. The WSC uses that location to contact the Security Token Service to retrieve the token expected by the WSP. (Alternatively, the WSP could register its acceptable security mechanisms with the Security Token Service and, before validating the incoming SOAP request, check with the Security Token Service to determine which security mechanisms it accepts.)
When an authenticated WSC (carrying credentials that confirm either the identity of the end user or the application) requests a token for access to a WSP, the Security Token Service verifies the credentials and, in response, issues a security token that provides proof that the WSC has been authenticated. The WSC presents the security token to the WSP, which verifies that the token was issued by a trusted Security Token Service.
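The policy-then-token-then-verify exchange described above, as an added example that is not code from this document or its product: it simulates the WSC, the Security Token Service and the WSP in Python, with an HMAC-signed JSON token standing in for the WS-Trust issued token, and the WSP trusting only issuers whose verification key it holds. All keys, client ids, secrets and URLs are constructed for the example.

```python
import hmac, hashlib, json, time

# Constructed sample keys (not real credentials): the STS signs tokens with
# its key; the WSP holds a copy keyed by issuer id so it can check that a
# presented token came from a Security Token Service it trusts.
STS_KEY = b"sts-signing-key-example"
WSC_CREDENTIALS = {"app-wsc": "wsc-secret-example"}  # what the STS authenticates

class SecurityTokenService:
    def __init__(self, issuer, key):
        self.issuer, self.key = issuer, key

    def request_security_token(self, client_id, secret, applies_to, ttl=300):
        """Verify the WSC's credentials and issue a signed token bound to the WSP."""
        expected = WSC_CREDENTIALS.get(client_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError("WSC authentication failed")
        claims = {"iss": self.issuer, "sub": client_id, "aud": applies_to,
                  "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return {"claims": claims, "sig": sig}

class WebServiceProvider:
    def __init__(self, name, sts_location, trusted_issuers):
        self.name, self.sts_location = name, sts_location
        self.trusted_issuers = trusted_issuers  # issuer id -> verification key

    def policy(self):
        """WS-Security policy the WSC retrieves: a token from this STS is required."""
        return {"require_issued_token": True, "issuer_location": self.sts_location}

    def verify_token(self, token):
        claims = token["claims"]
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            return False  # issued by an STS this WSP does not trust
        body = json.dumps(claims, sort_keys=True).encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False  # claims or signature were altered after issuance
        return claims.get("aud") == self.name and claims["exp"] > time.time()

def wsc_invoke(wsc_id, secret, wsp, sts_registry):
    """Client side of the flow: fetch the policy, obtain the token, present it."""
    policy = wsp.policy()
    sts = sts_registry[policy["issuer_location"]]  # STS location comes from the policy
    token = sts.request_security_token(wsc_id, secret, applies_to=wsp.name)
    return wsp.verify_token(token)
```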