A typical scenario for WS-Trust is when the client requires a particular security token from an STS to access a service provider. The service provider can let the client know what the requirements are for the security token in an IssuedToken policy embedded in the WSDL of the service. In particular, the service provider can advertise the claims that the security token must contain in the policy (either directly as a child element of IssuedToken, or else as part of the RequestSecurityTokenTemplate). An example is contained in the STS systests:
<sp:RequestSecurityTokenTemplate> <t:TokenType>http://...#SAMLV1.1</t:TokenType> <t:KeyType>http://.../PublicKey</t:KeyType> <t:Claims Dialect="http://.../identity"> <ic:ClaimType Uri="http://.../claims/role"/> </t:Claims> </sp:RequestSecurityTokenTemplate>
This template specifies that a SAML 1.1 Assertion is required with an embedded X509 Certificate in the subject of the Assertion. The issued Assertion must also contain a "role" claim. The template is sent verbatim by the client to the STS when requesting a security token.