Security Token Service (STS)


The Security Token Service (STS) is a partial implementation of the OASIS WS-Trust specification. It is a SOAP service that provides a secure means of exchanging security tokens of one type (e.g. username/password, SAML assertion, X.509 certificate, ...) for security tokens of another type. Additionally, the STS may renew, validate, or cancel those tokens for which such functionality is appropriate.

Initial Implementation

The initial implementation of the STS will focus on a subset of the functionality outlined in the WS-Trust specification. Specifically, it will implement the issuance of SAML 2 assertions, X.509 end-entity certificates, and X.509 proxy certificates, using username/password, SAML 2 assertions, Kerberos tickets, and X.509 end-entity or proxy certificates as the user authentication mechanisms.

The initial implementation will not support the renewal, cancellation, or validation functionality, nor will it support all possible key and token parameter extensions.

Implementation Workplan

The workplan for the implementation of the STS is here

Identity Provider (IdP) Integration

The STS can be implemented as an extension of the Shibboleth Identity Provider.

The WS-Trust Profile Handler accepts the request, processes it, and forms the response. The Authentication Engine authenticates a user using the security token present in the request. The Attribute Authority provides attributes, from any number of sources, about the authenticated user. The Token Authority creates a new token, for the authenticated user, based on the collected attributes.


WS-Trust Profile Handler

The WS-Trust Profile Handler processes the incoming WS-Trust SOAP request. It is responsible for the workflow between the different components.

  1. Unmarshal the incoming SOAP request
  2. Extract the WS-Trust elements from the SOAP request and update the request context
  3. Validate the message
  4. Pass the request context to the Authentication Engine for user credentials validation
  5. Pass the request context to the Attribute Authority to resolve user attributes
  6. Pass the request context to the Token Authority to issue the requested token
  7. Create the WS-Trust response
  8. Marshal the SOAP response
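The eight steps above, carried through end to end for the simplest exchange in the initial scope (a username/password credential exchanged for a SAML 2 assertion, as described in the Initial Implementation section). This is an added example, not the EMI/Shibboleth STS code: it is written in Python with the standard library only rather than as a Shibboleth IdP extension, the user store and the client request are constructed inline, the issuer entityID is hypothetical, and the assertion is left unsigned. Validation mirrors the stated scope: a Renew, Cancel or Validate request, or an unsupported TokenType, is refused with a WS-Trust fault code rather than processed.

```python
"""WS-Trust Issue handler (username/password in, SAML 2 assertion out). Added illustration, not the
EMI/Shibboleth STS code: stdlib only, unsigned assertion, constructed user store, hypothetical issuer."""
import hashlib, hmac, uuid
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {  # SOAP 1.1, WS-Security 1.0, WS-Trust 1.3, SAML 2.0 namespaces
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
ISSUE = NS["wst"] + "/Issue"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ISSUER = "https://sts.example.org/idp"  # hypothetical issuer entityID

def _q(prefix, local): return "{%s}%s" % (NS[prefix], local)  # Clark-notation tag for ElementTree

class STSFault(Exception): """args[0] is the WS-Trust fault code (wst:InvalidRequest, wst:FailedAuthentication, ...)."""

_SALT = b"constructed-demo-salt"  # constructed user store: salted PBKDF2 hashes, never plaintext passwords
def _pbkdf2(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
USERS = {"alice": _pbkdf2("correct horse")}
_DUMMY = _pbkdf2("dummy")  # hashed for unknown users so response time does not reveal existence
ATTRIBUTES = {"alice": {"mail": "alice@example.org", "eduPersonAffiliation": "member"}}

def extract(envelope):
    """Steps 1-2: unmarshal the SOAP request, pull the WS-Trust and WS-Security elements into a context."""
    root = ET.fromstring(envelope)
    rst = root.find("soap:Body/wst:RequestSecurityToken", NS)
    if rst is None:
        raise STSFault("wst:InvalidRequest", "no RequestSecurityToken in Body")
    utok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    text = lambda el, path: None if el is None else el.findtext(path, default="", namespaces=NS)
    return {"request_type": text(rst, "wst:RequestType"), "token_type": text(rst, "wst:TokenType"),
            "username": text(utok, "wsse:Username"), "password": text(utok, "wsse:Password")}

def validate(ctx):
    """Step 3: the initial implementation issues SAML 2 only; Renew/Cancel/Validate are refused."""
    if ctx["request_type"] != ISSUE or ctx["token_type"] != SAML2_TOKEN:
        raise STSFault("wst:InvalidRequest", "only Issue of a SAML 2 token is supported")
    if not ctx["username"] or not ctx["password"]:
        raise STSFault("wst:AuthenticationBadElements", "UsernameToken with Password required")

def authenticate(ctx):
    """Step 4: constant-time hash comparison; unknown user and wrong password give the same fault."""
    candidate = _pbkdf2(ctx["password"])
    if not hmac.compare_digest(USERS.get(ctx["username"], _DUMMY), candidate) or ctx["username"] not in USERS:
        raise STSFault("wst:FailedAuthentication", "bad username or password")
    ctx["principal"] = ctx["username"]

def resolve_attributes(ctx):  # Step 5: a static source stands in for LDAP/DB attribute resolvers
    ctx["attributes"] = ATTRIBUTES.get(ctx["principal"], {})

def issue_saml2(ctx, lifetime=timedelta(minutes=5)):
    """Step 6: build the SAML 2 assertion. Left unsigned here; a real STS must sign it."""
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    now = datetime.now(timezone.utc)
    a = ET.Element(_q("saml", "Assertion"), {"Version": "2.0", "ID": "_" + uuid.uuid4().hex, "IssueInstant": fmt(now)})
    ET.SubElement(a, _q("saml", "Issuer")).text = ISSUER
    ET.SubElement(ET.SubElement(a, _q("saml", "Subject")), _q("saml", "NameID")).text = ctx["principal"]
    ET.SubElement(a, _q("saml", "Conditions"), {"NotBefore": fmt(now), "NotOnOrAfter": fmt(now + lifetime)})
    stmt = ET.SubElement(a, _q("saml", "AttributeStatement"))
    for name, value in ctx["attributes"].items():
        attr = ET.SubElement(stmt, _q("saml", "Attribute"), {"Name": name})
        ET.SubElement(attr, _q("saml", "AttributeValue")).text = value
    ctx["token"] = a

def build_response(ctx):
    """Steps 7-8: wrap the token in a RequestSecurityTokenResponse and marshal the SOAP envelope."""
    env = ET.Element(_q("soap", "Envelope"))
    coll = ET.SubElement(ET.SubElement(env, _q("soap", "Body")), _q("wst", "RequestSecurityTokenResponseCollection"))
    rstr = ET.SubElement(coll, _q("wst", "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, _q("wst", "TokenType")).text = ctx["token_type"]
    ET.SubElement(rstr, _q("wst", "RequestedSecurityToken")).append(ctx["token"])
    return ET.tostring(env, encoding="unicode")

def handle(envelope):
    """The profile handler: run the steps in order; return (response_xml, None) or (None, fault_code)."""
    try:
        ctx = extract(envelope)
        for step in (validate, authenticate, resolve_attributes, issue_saml2):
            step(ctx)
        return build_response(ctx), None
    except STSFault as fault:
        return None, fault.args[0]
    except ET.ParseError:
        return None, "wst:InvalidRequest"

def make_request(user, password, request_type=ISSUE, token_type=SAML2_TOKEN):
    """Constructed client RST; a real WS-Security header would also carry a wsu:Timestamp."""
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wst="{NS["wst"]}">'
            f"<soap:Header><wsse:Security><wsse:UsernameToken><wsse:Username>{escape(user)}</wsse:Username>"
            f"<wsse:Password>{escape(password)}</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header>"
            f"<soap:Body><wst:RequestSecurityToken><wst:RequestType>{request_type}</wst:RequestType>"
            f"<wst:TokenType>{token_type}</wst:TokenType></wst:RequestSecurityToken></soap:Body></soap:Envelope>")
```

Calling `handle(make_request("alice", "correct horse"))` returns the marshalled SOAP envelope carrying the assertion; `handle(make_request("alice", "correct horse", request_type=NS["wst"] + "/Renew"))` returns the `wst:InvalidRequest` fault code, matching the stated scope. Two things a deployment would add on top of this skeleton: the assertion (and the response) must be signed with the STS key, and the WS-Security header should be checked for a fresh `wsu:Timestamp` so a captured request cannot be replayed; the Kerberos and X.509 credential types in the initial scope would each plug in as another authenticator in step 4.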

Authentication Engine

Attribute Authority

Token Authority

X.509 Token

Proxy Token

SAML Token



Subversion Information

The STS code is stored in the CERN subversion server.

  • WebSVN View:
  • Anonymous, public, SVN URL:
  • Developer, registered, SVN URL:
    • svn+ssh:// (faster)
Topic revision: r1 - 2010-07-08 - ValeryTschoppExCern