The Security Token Service exposes the endpoints listed in the following snippet, taken from its WSDL at SecurityTokenService.war/WEB-INF/wsdl/ws-trust-1.4-service.wsdl:
<wsdl:service name="SecurityTokenService">
    <wsdl:port name="UT_Port" binding="tns:UT_Binding">
        <soap:address location="http://localhost:8080/SecurityTokenService/UT"/>
    </wsdl:port>
    <wsdl:port name="X509_Port" binding="tns:X509_Binding">
        <soap:address location="http://localhost:8080/SecurityTokenService/X509"/>
    </wsdl:port>
    <wsdl:port name="Transport_Port" binding="tns:Transport_Binding">
        <soap:address location="/Transport"/>
    </wsdl:port>
    <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
        <soap:address location="/UTEncrypted"/>
    </wsdl:port>
</wsdl:service>
As the snippet shows, the Security Token Service offers one port per authentication mechanism: UT_Port for callers that present a WS-Security UsernameToken, X509_Port for callers that authenticate with an X.509 certificate, Transport_Port for callers protected by transport-level security (HTTPS), and UTEncrypted_Port for a UsernameToken carried in an encrypted message. Over these ports it can issue or validate security tokens. Note that the UT_Port address in the shipped WSDL uses plain http://; a UsernameToken sent over HTTP without TLS exposes the user's password on the wire, so in a real deployment the UT endpoint must be served over HTTPS.
In the Talend Runtime Container, the Security Token Service is configured in the file <TalendRuntimePath>/etc/org.talend.esb.sts.server.cfg:
stsServiceUrl=/SecurityTokenService/UT
stsX509ServiceUrl=/SecurityTokenService/X509
loginModule=TIDM
jaasContext=karaf
signatureProperties=file:${tesb.home}/etc/keystores/stsKeystore.properties
signatureUsername=mystskey
bspCompliant=false
tidmServiceUrl=http://localhost:8080/syncope/cxf/
tidmUsername=${env:TESB_TIDM_USERNAME:-${TESB_TIDM_USERNAME:-admin}}
tidmPassword=${env:TESB_TIDM_PASSWORD:-${TESB_TIDM_PASSWORD}}
useMessageLogging=false
samlTokenLifetime=1800
By default, the Security Token Service verifies user credentials through the JAAS interface. As the configuration above shows, it uses the karaf JAAS context, which is the default context of the Talend Runtime Container and is backed by Karaf's PropertiesLoginModule. That login module reads <TalendRuntimePath>/etc/users.properties, which lists users and their passwords, so every user that must be authenticated by the Security Token Service has to be listed there. Because this file holds credentials, restrict its file-system permissions to the account that runs the container. The loginModule property selects the credential backend: the sample above sets it to TIDM, which makes the Security Token Service authenticate users against the Talend Identity Management (Syncope) service at tidmServiceUrl, logging in with tidmUsername and tidmPassword; as written, those are taken from the TESB_TIDM_USERNAME and TESB_TIDM_PASSWORD environment variables (or system properties of the same name), with admin as the fallback user name and no fallback password, so TESB_TIDM_PASSWORD must be set in the container's environment. A different login module can be used by pointing the jaasContext parameter at a JAAS realm configured with it. The Talend Runtime Container ships with several login modules that can be used to integrate with your environment; they are listed below:
- PropertiesLoginModule
- OsgiConfigLoginModule
- JDBCLoginModule
- LDAPLoginModule
The signatureProperties file, located at <TalendRuntimePath>/etc/keystores/stsKeystore.properties, defines the signature configuration as shown below:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=stsspass
org.apache.ws.security.crypto.merlin.keystore.alias=mystskey
org.apache.ws.security.crypto.merlin.keystore.file=./etc/keystores/stsstore.jks
The keystore file name can be changed by altering the keystore.file value in the stsKeystore.properties file. With the default configuration shown above, the Talend Runtime Container expects the STS private key to be stored under the alias mystskey; this can be changed by altering the keystore.alias value in stsKeystore.properties and the signatureUsername value in org.talend.esb.sts.server.cfg, which must agree, since the STS looks up its signing key by that alias. The sample keystore and its password (stsspass) are shipped with every installation and are documented here, so before a deployment the keystore should be replaced by one generated for that installation, with a new password, and the properties file that holds the password should be readable only by the container's account.
The samlTokenLifetime property in the <TalendRuntimePath>/etc/org.talend.esb.sts.server.cfg file sets the lifetime of the issued SAML tokens, in seconds. The default is 1800 seconds (30 minutes). You can change it as needed, keeping in mind that the lifetime is also the window during which a stolen token remains usable, so it should be no longer than the calling services require.
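The following script is an added example and not part of the Talend documentation or product. It applies the checks discussed above to the two configuration files: it parses org.talend.esb.sts.server.cfg and stsKeystore.properties, resolves the ${env:NAME:-default} and ${NAME:-default} placeholders the sample configuration uses, and reports an alias mismatch between signatureUsername and keystore.alias, a keystore still protected by the shipped password, a TIDM password that resolves to empty, and a malformed samlTokenLifetime. The file contents are constructed from the values shown on this page; the placeholder rule (look the name up in an environment mapping, otherwise use the default, otherwise expand to an empty string) is an assumption of this example, not a statement about how the container resolves them.

```python
import re

# Constructed sample: the org.talend.esb.sts.server.cfg shown on the page.
STS_CFG = """\
stsServiceUrl=/SecurityTokenService/UT
stsX509ServiceUrl=/SecurityTokenService/X509
loginModule=TIDM
jaasContext=karaf
signatureProperties=file:${tesb.home}/etc/keystores/stsKeystore.properties
signatureUsername=mystskey
bspCompliant=false
tidmServiceUrl=http://localhost:8080/syncope/cxf/
tidmUsername=${env:TESB_TIDM_USERNAME:-${TESB_TIDM_USERNAME:-admin}}
tidmPassword=${env:TESB_TIDM_PASSWORD:-${TESB_TIDM_PASSWORD}}
useMessageLogging=false
samlTokenLifetime=1800
"""

# Constructed sample: the stsKeystore.properties shown on the page.
KEYSTORE_PROPS = """\
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=stsspass
org.apache.ws.security.crypto.merlin.keystore.alias=mystskey
org.apache.ws.security.crypto.merlin.keystore.file=./etc/keystores/stsstore.jks
"""

MERLIN = "org.apache.ws.security.crypto.merlin."
SHIPPED_KEYSTORE_PASSWORD = "stsspass"  # password of the sample keystore on the page

# ${env:NAME:-default} or ${NAME:-default}; the default may not contain braces,
# so nested placeholders are matched innermost-first by repeated substitution.
_PLACEHOLDER = re.compile(r"\$\{(?:env:)?([A-Za-z0-9_.]+)(?::-([^{}]*))?\}")


def parse_properties(text):
    """Minimal reader for Java .properties / Karaf .cfg files: key=value lines and
    '#'/'!' comments; no continuations or escapes (enough for these two files)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(value, env):
    """Expand placeholders (assumed rule: env value, else default, else empty)."""
    def expand(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        return default if default is not None else ""
    previous = None
    while previous != value:  # repeat until no placeholder remains
        previous = value
        value = _PLACEHOLDER.sub(expand, value)
    return value


def check_sts_config(cfg_text, keystore_text, env):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    cfg = parse_properties(cfg_text)
    ks = parse_properties(keystore_text)
    findings = []

    # The STS signs tokens with the key named by signatureUsername and looks that
    # alias up in the keystore, so the two files must name the same alias.
    alias = ks.get(MERLIN + "keystore.alias")
    if cfg.get("signatureUsername") != alias:
        findings.append(("ALIAS_MISMATCH",
                         f"signatureUsername={cfg.get('signatureUsername')} but keystore alias is {alias}"))

    # The sample keystore password is documented; keeping it means the signing
    # key is protected by a password anyone can read.
    if ks.get(MERLIN + "keystore.password") == SHIPPED_KEYSTORE_PASSWORD:
        findings.append(("DEFAULT_KEYSTORE_PASSWORD",
                         "keystore password is the sample value shipped with the distribution"))

    # With loginModule=TIDM the STS logs in to Syncope with tidmUsername/tidmPassword;
    # the sample gives the password no fallback, so an unset variable yields an empty one.
    if cfg.get("loginModule") == "TIDM" and not resolve(cfg.get("tidmPassword", ""), env):
        findings.append(("EMPTY_TIDM_PASSWORD",
                         "tidmPassword resolves to empty; set TESB_TIDM_PASSWORD"))

    # samlTokenLifetime is in seconds; an absent key means the 1800-second default.
    lifetime = cfg.get("samlTokenLifetime")
    if lifetime is not None and not (lifetime.isdigit() and int(lifetime) > 0):
        findings.append(("BAD_TOKEN_LIFETIME",
                         f"samlTokenLifetime={lifetime!r} is not a positive number of seconds"))
    return findings


if __name__ == "__main__":
    for code, message in check_sts_config(STS_CFG, KEYSTORE_PROPS, {}):
        print(f"{code}: {message}")
```

Run against the page's sample files with no environment set, the script reports DEFAULT_KEYSTORE_PASSWORD and EMPTY_TIDM_PASSWORD and nothing else, because the alias and signatureUsername agree and the lifetime is well-formed. The script does not open the JKS file itself; after confirming the two files agree, check that the key really exists under that alias with keytool -list -keystore ./etc/keystores/stsstore.jks -alias mystskey (run from <TalendRuntimePath>, since the keystore.file path is relative).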