Handling Token and Key requirements at Run Time, Part III: select STS at run time
By Jiandong Guo on Apr 12, 2009
In general, you may need to supply your own STSIssuedTokenConfiguration in the following cases:
- The client has to go through multiple STS in a trust chain across security domains to
access the service.
- The client needs to select the STS and/or to provide token and key parameters to the STS
at run time, according to which service it tries to access and the requirements of that service.
To create a custom configuration class which extends STSIssuedTokenConfiguration:
- You may get the targeted service endpoint at run time through
- Similarly, you may get an instance of STSIssuedTokenConfiguration, which captures entries
from the IssuedToken policy assertion for the targeted service, through
- The entries in the IssuedToken policy and in the client side PreConfiguredSTS take
priority and cannot be overridden at run time.
- Different run time entries should be supplied for different services.
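As an added illustration (not the sample's own configuration class), here is a custom configuration that picks the issuer from the endpoint being called. It assumes that DefaultSTSIssuedTokenConfiguration can be subclassed and that Metro publishes the target endpoint through getOtherOptions() under the STSIssuedTokenConfiguration.SERVICE_ENDPOINT key; all URLs are placeholders.

```java
import java.util.Map;
import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;
import com.sun.xml.ws.security.trust.impl.client.DefaultSTSIssuedTokenConfiguration;

/**
 * Run-time STS selection: the issuer (and its MEX address) is chosen from the
 * endpoint of the service the client is calling, so one client configuration
 * can walk a trust chain (MySTS -> STS -> service) without hard-coding a
 * single issuer. Policy and PreConfiguredSTS entries still take priority; the
 * values returned here are only consulted where the policy leaves them unset.
 */
public class MySTSIssuedTokenConfiguration extends DefaultSTSIssuedTokenConfiguration {

    // Placeholder addresses for the client side MySTS.
    static final String MY_STS_ENDPOINT = "http://localhost:8080/mysts/MySTSService";
    static final String MY_STS_MEX = MY_STS_ENDPOINT + "/mex";
    // Placeholder path by which the (server side) STS is recognised.
    static final String STS_PATH = "/sts/SecurityTokenService";

    /** Target service endpoint; assumed to be published by Metro in getOtherOptions(). */
    private String targetEndpoint() {
        Map<String, Object> options = getOtherOptions();
        if (options == null) {
            return null;
        }
        return (String) options.get(STSIssuedTokenConfiguration.SERVICE_ENDPOINT);
    }

    /**
     * Only an explicitly recognised target gets a run-time issuer. Anything else
     * returns null so that Metro uses the policy's Issuer (or fails) instead of
     * the client sending its credentials to an STS whose trust is unknown.
     */
    static String stsEndpointFor(String target) {
        if (target == null) {
            return null;
        }
        // Calling the server side STS: its policy names no Issuer, so supply MySTS.
        if (target.endsWith(STS_PATH)) {
            return MY_STS_ENDPOINT;
        }
        // Calling the service itself: its policy already names the STS; add nothing.
        return null;
    }

    @Override
    public String getSTSEndpoint() {
        return stsEndpointFor(targetEndpoint());
    }

    @Override
    public String getSTSMEXAddress() {
        return MY_STS_ENDPOINT.equals(getSTSEndpoint()) ? MY_STS_MEX : null;
    }
}
```

The same pattern applies to getClaims() when the claims to request (such as Role and Locality) depend on which STS in the chain is being contacted.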
To illustrate the usage, we provide a new sample
in Metro. Here is a description of this rather comprehensive sample:
- There are four parts in the sample: a service, a (server side) STS, a (client side) MySTS, and the client.
- Service - An IssuedToken policy assertion for the service specifies that an issued
SAML token from the (server side) STS is required for the client to access the service and
that the issued token should contain the user's Role.
- STS - An IssuedToken policy assertion for the STS specifies that an issued SAML token
is required for the client to access the STS, but it specifies neither an Issuer (STS endpoint and/or STS MEX address)
nor Claims. A custom STSAttributeProvider is used to
process the SAML assertion and set attributes for the new SAML assertion.
- Client - the client supplies a run time STSIssuedTokenConfiguration which specifies that,
for accessing STS, an issued token from MySTS which contains both Role and Locality information
is required. Check here for the sample configuration class.
- In this sample, we use callback handlers instead of locations to configure the KeyStore and TrustStore
for both STSs. This gives you great flexibility for managing certificates and keys at run time.
- Pay special attention to the classes in the common directory. These classes illustrate how
you can extend Metro to build custom solutions in various ways.