A web service is an application that exposes some type of business or infrastructure functionality through a callable interface that is both language-neutral and platform-independent. Web services security is widely available via two major specifications: WS-Security and Liberty ID-WSF Security. The WS-Security specification is developed by the OASIS Security Committee alongside other WS-\* specifications such as WS-Trust and WS-Policy. Web Services Trust Language (WS-Trust) uses the secure messaging mechanisms of WS-Security to define additional primitives and extensions for security token exchange, enabling the issuance and dissemination of credentials within different trust domains.
WS-Trust defines mechanisms for delegating authentication, authorization and user identity mapping/management to an authority called the Security Token Service (STS), so that a requestor can access a web service.
OpenSSO Enterprise implements security for web services, as well as a Security Token Service that issues and validates security tokens for any third-party clients.
This presentation gives an overview of Web Service Security and the OpenSSO STS architecture.