Security Token Service Configuration

The Security Token Service provides the following methods as described in the below snippet, which is defined in SecurityTokenService.war/WEB-INF/wsdl/ws-trust-1.4-service.wsdl

<wsdl:service name="SecurityTokenService">
   <wsdl:port name="UT_Port" binding="tns:UT_Binding">
      <soap:address location=
         "http://localhost:8080/SecurityTokenService/UT"/>
   </wsdl:port>
   <wsdl:port name="X509_Port" binding="tns:X509_Binding">
      <soap:address location=
         "http://localhost:8080/SecurityTokenService/X509"/>
   </wsdl:port>
   <wsdl:port name="Transport_Port" binding="tns:Transport_Binding">
      <soap:address location="/Transport"/>
   </wsdl:port>
   <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
      <soap:address location="/UTEncrypted"/>
   </wsdl:port>
</wsdl:service>

As above snippet shows, the Security Token Service can issue (or validate) UserName Token or X509 Token, and so on.

In Talend Runtime Container, the configuration of Security Token Service can be defined in the file <TalendRuntimePath>/etc/org.talend.esb.sts.server.cfg:

stsRESTServiceUrl=/SecurityTokenService
stsServiceUrl=/SecurityTokenService/UT
stsX509ServiceUrl=/SecurityTokenService/X509
stsX509ServiceAsymmetricSignatureAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1
stsX509ServiceSymmetricSignatureAlg=http://www.w3.org/2000/09/xmldsig#hmac-sha1
loginModule=TIDM
jaasContext=karaf
signatureProperties=file:${tesb.home}/etc/keystores/stsKeystore.properties
signatureUsername=mystskey
bspCompliant=false
tidmServiceUrl=http://localhost:9080/syncope/rest/
tidmUsername=${env:TESB_TIDM_USERNAME:-${TESB_TIDM_USERNAME:-admin}}
tidmPassword=${env:TESB_TIDM_PASSWORD:-${TESB_TIDM_PASSWORD}}
useMessageLogging=false
tokenAllowRolesRetrieval=true

# jwt
jwtTokenLifetime=1800
jwtTokenDelegationEnabled=true
jwtTokenDelegationRestrictAudience=false

# saml
samlTokenLifetime=1800
samlTokenDelegationEnabled=true
samlTokenDelegationRestrictAudience=false

By default, Security Token Service is configured to use JAAS interface to verify the user credentials and perform authentication. As shown above, Security Token Service uses karaf JAAS Context which is the default context configured for Talend Runtime Container and uses PropertiesLoginModule of Karaf. This login module uses the file located in /etc/users.properties which contains a list of users and their password, hence the users which are needed to be authenticated via the Security Token Service should be listed here. A different login module can be configured for the Security Token Service by updating the jaasContext parameter in the above configuration. A Talend Runtime Container comes with several login modules that can be used to integrate into your environment, the modules are listed below:

• PropertiesLoginModule
• OsgiConfigLoginModule
• JDBCLoginModule
• LDAPLoginModule

The signatureProperties file, which is located in: /etc/keystores/stsKeystore.properties, defines the signature configuration as shown below:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.cr
ypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=stsspass
org.apache.ws.security.crypto.merlin.keystore.alias=mystskey
org.apache.ws.security.crypto.merlin.keystore.file=./etc/keystores/stsstore.jks

The keystore file name can be changed by altering its value in the stsKeystore.properties file. With the default configuration as shown above, the Talend Runtime Container will expect the STS' private key to have the alias of mystskey, this can be changed by altering the alias and signatureUsername values in the two configuration files listed above.

The jwtTokenLifetime and samlTokenLifetime properties allows you to set the lifetime of the JWT token and SAML token. The default is 1800 seconds. You can change it as needed.

You can set the tokenAllowRolesRetrieval property to true or false to include or exclude roles in the tokens when requested.

You can enable or disable the OnBehalfOf feature by setting jwtTokenDelegationEnabled to true or false. The OnBehalfOf feature is useful in the scenario that you have a set of uses in your own system and want to exchange tokens generated in your system with Talend Runtime STS.