WS-Trust introduces a special kind of web service, called Security Token Service (STS). To put it simply, the job of an STS is "transforming" WS-Security tokens. One token enters; another token exits.
WS-Trust extends WS-Security with methods for issuing, renewing, and validating security tokens in a platform-agnostic manner
An STS is a special web service that can issue security tokens
150 Hints Toward a Solution
Let's assume that a certain client C wants to invoke a certain web service S. Let's also assume that S specifies in its policies that for security reasons it will accept requests only if secured by a certain WS-Security token, say a SAML-based WS-Security token containing a certain claim about C. C can ask an STS to issue the SAML token it needs for calling S. The request is performed by sending a special kind of message, whose format is described in WS-Trust, called a Request for Security Token (RST). The RST contains, among other things, the description of the kind of token that C is asking the STS to issue. The STS, however, will not issue tokens to just anybody. Because the SAML token required must contain a claim about C, the STS must make sure that it is actually C who is requesting the issuance (read: the RST message is actually coming from C).
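As an added illustration (example code, not from the book), here is a minimal STS-side issuance check in Python: it parses a constructed RST in which C asks for a SAML 2.0 token scoped to S, and refuses to issue unless the requester's identity was already established from the WS-Security header of the RST message, since the claim in the issued token is about that identity and never about a name the client merely writes in the body. The namespace URIs are the standard WS-Trust 1.3, WS-Policy and WS-Addressing ones; the service address, requester name and allow-list are constructed for the example.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
ISSUE = WST + "/Issue"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
NS = {"wst": WST, "wsp": WSP, "wsa": WSA}

# Constructed sample RST (not from the book): C asks the STS to *issue* a
# SAML 2.0 token that applies to service S. Note that the body never names C;
# who sent the RST is learned from the WS-Security header, not from here.
RST_FROM_C = f"""<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsp="{WSP}" xmlns:wsa="{WSA}">
  <wst:RequestType>{ISSUE}</wst:RequestType>
  <wst:TokenType>{SAML2_TOKEN}</wst:TokenType>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://s.example/service</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""


def parse_rst(xml_text):
    """Return (request_type, token_type, applies_to_address) from an RST body."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{WST}}}RequestSecurityToken":
        raise ValueError("not a wst:RequestSecurityToken")

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    return (text("wst:RequestType"), text("wst:TokenType"),
            text("wsp:AppliesTo/wsa:EndpointReference/wsa:Address"))


def sts_decide(rst_xml, authenticated_requester, allowed_services):
    """STS-side decision. `authenticated_requester` is the identity proven by
    validating the WS-Security token on the RST message (None if that failed).
    Returns ("issue", detail) or ("refuse", reason)."""
    if authenticated_requester is None:
        return ("refuse", "RST not proven to come from a known requester")
    req_type, tok_type, applies_to = parse_rst(rst_xml)
    if req_type != ISSUE:
        return ("refuse", f"unsupported RequestType {req_type}")
    if tok_type != SAML2_TOKEN:
        return ("refuse", f"this STS does not issue token type {tok_type}")
    if applies_to not in allowed_services:
        return ("refuse", f"no token issued for unknown relying party {applies_to}")
    # The claim goes about the authenticated requester, scoped to S only.
    return ("issue", f"SAML2 token with claim about {authenticated_requester} for {applies_to}")
```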