OpenSSO Secure Token Service
By dr156914 on Nov 02, 2007
Last week I attended Catalyst Europe in Barcelona. It was a great conference and there was a lot of focus on access and federation, which made me very happy. One of the events we participated in was an OSIS interoperability event. The goal of the interop was to demonstrate interoperability with Microsoft Cardspace. For us, the true benefit of the session was to demonstrate our Secure Token Service, which is available in OpenSSO and will be released in Federated Access Manager 8.0.
A Secure Token Service is a foundational component of an organization's web services security infrastructure. The STS answers the question: how does a web service verify the credentials presented by a web services client? The STS verifies the credentials presented by the client and, in response, issues a security token that provides proof that the client has authenticated with the STS. The client presents the security token to the web service, which verifies that the token was issued by a trusted STS; that verification proves to the web service that the client has successfully authenticated with the STS. A key benefit of an STS is that it can do token translation based on the security policies of the web services client and the web services provider (e.g., a request is issued in SAML 1.1 and translated to SAML 2.0).
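The three-party trust described above, as an added example that is not OpenSSO code: the STS authenticates the client and issues a signed token, and the web service accepts the token only if a trusted STS issued it, for that service, and it has not expired. It assumes a constructed credential store, a constructed issuer URL, and an HMAC-SHA256 signature over a key shared by the STS and the web service in place of the XML signatures and SAML assertions a real STS would use.

```python
# Added example (not OpenSSO code): a minimal STS trust model.
# The web service never sees the client's password; it only checks that a
# trusted STS issued the token, that it is intact, meant for it and unexpired.
# Assumption: HMAC-SHA256 over a key shared by STS and web service stands in
# for the XML signature a real STS would apply to a SAML assertion.
import hashlib
import hmac
import json
import time
from typing import Optional

STS_ISSUER = "https://sts.example.test"           # constructed issuer identity
STS_KEY = b"sts-to-webservice-shared-secret"       # constructed shared key
USERS = {"TestUser": "correct-horse"}              # constructed credential store


def _sign(body: bytes) -> str:
    return hmac.new(STS_KEY, body, hashlib.sha256).hexdigest()


def sts_issue_token(user: str, password: str, audience: str,
                    token_type: str, now: Optional[float] = None) -> Optional[dict]:
    """STS side: verify the client's credentials, then issue a signed token."""
    now = time.time() if now is None else now
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return None                                 # authentication failed: no token
    # token_type is the type the client asked for, e.g. a SAML 2.0 assertion;
    # an STS may translate between token formats here based on policy.
    claims = {"iss": STS_ISSUER, "sub": user, "aud": audience,
              "type": token_type, "iat": now, "exp": now + 300}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": _sign(body)}


def web_service_verify(token: dict, audience: str, trusted_issuers: set,
                       now: Optional[float] = None) -> bool:
    """Web service side: accept the token only if a trusted STS issued it for us."""
    now = time.time() if now is None else now
    claims = token.get("claims", {})
    body = json.dumps(claims, sort_keys=True).encode()
    if not hmac.compare_digest(_sign(body), token.get("sig", "")):
        return False                                # tampered, or not signed with the STS key
    if claims.get("iss") not in trusted_issuers:
        return False                                # issued by an STS we do not trust
    if claims.get("aud") != audience:
        return False                                # issued for a different service
    return claims.get("exp", 0) > now               # expired tokens are rejected
```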
Below are a few screenshots from the interop providing a flavor for our STS capability in OpenSSO.
1. The first step of the demonstration shows a user logging in to OpenSSO configured as a Managed Card provider.
2. The user enters their credentials and the Managed Card Provider generates an information card that can be saved to the desktop.
3. The user saves the information card to their desktop.
4. The user uploads / imports the saved Managed card (InfoCard) into Windows CardSpace.
6. The Sun OpenSSO Test Card for TestUser shows the OpenSSO STS endpoint under the Card ID field.
7. The user goes to the xmldap service provider to log in with the OpenSSO Test Card.
8. The user selects the "Login with an Infocard" link and selects the OpenSSO Test Card.
9. The user enters the password and sends a WS-Trust request to the OpenSSO STS.