Security Token Service: Concepts and principles

In a heterogeneous environment, Web services need to authenticate service clients to control their access by using WS-Security (Web Services security). When negotiating trust between service clients and service providers, an authentication broker can provide a common access control infrastructure for a group of applications. Typically, the authentication broker issues signed security tokens which are used by clients to authenticate themselves at the service.

The Security Token Service is a service for providing such an authentication broker. It issues Security Tokens based on the WS-Trust, a standardized specification of Web services based on WS-Security.

This is useful, for example, to establish a trust relationship between a client and a web service, particularly if they are in different security domains. The Security Token Service is used to issue a security token, that is, a collection of claims such as name, role, and authorization code, for the client to access the service. The message receiver only must know the STS certificate for verifying the token signature to get a trusted statement of the authentication information.