Wednesday 22 August 2012

The Security Token Service

With the release of Fuse ESB Enterprise 7.0.1, the Web Services Security Guide (for Apache CXF) has been expanded to cover the Security Token Service (STS).

A full implementation of the STS (a WS-Trust token service) was recently added to the Apache CXF codebase. The implementation has a highly modular, customisable architecture, as the following architecture overview shows:



For example, the token Issue operation can be customised by plugging in one or more token providers, such as the SAMLTokenProvider or the SCTProvider (the secure conversation token provider); and the token Validate operation can be customised by plugging in one or more token validators, such as the SAMLTokenValidator, UsernameTokenValidator, X509TokenValidator or SCTTokenValidator. Which providers and validators you register determines exactly which token types the STS will issue and which it will accept.

The STS implementation has a number of special features, including:

  • Support for embedding Claims data in issued tokens.
  • Support for the AppliesTo element in token requests, which lets the STS apply per-service token issuing requirements (for example, which token type to issue and which certificate to encrypt it for) based on the address of the service the token is intended for, so that these requirements are centralised in the STS rather than configured in each client.
  • Support for security realms.
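As an added example of the plug-in architecture just described (not code from the Fuse ESB documentation or the CXF project), the following Java wires the STS programmatically instead of with Spring XML: SAML and secure conversation token providers on the Issue operation, SAML, UsernameToken and X.509 validators on the Validate operation, and a StaticService whose endpoint pattern is matched against the request's AppliesTo address. It assumes a WSS4J crypto properties file `stsKeystore.properties` with a signing key under alias `mystskey`, a callback handler class `com.example.StsCallbackHandler` that returns that key's password, and the endpoint address and service pattern shown. Claims handlers and realms are not wired here.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.xml.ws.Endpoint;

import org.apache.cxf.sts.StaticSTSProperties;
import org.apache.cxf.sts.operation.TokenIssueOperation;
import org.apache.cxf.sts.operation.TokenValidateOperation;
import org.apache.cxf.sts.service.ServiceMBean;
import org.apache.cxf.sts.service.StaticService;
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.provider.SCTProvider;
import org.apache.cxf.sts.token.provider.TokenProvider;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.sts.token.validator.UsernameTokenValidator;
import org.apache.cxf.sts.token.validator.X509TokenValidator;
import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider;

public class StsBootstrap {

    public static SecurityTokenServiceProvider buildSts() throws Exception {
        // Key material and issuer name used to sign the tokens the STS issues.
        StaticSTSProperties stsProperties = new StaticSTSProperties();
        stsProperties.setSignaturePropertiesFile("stsKeystore.properties");     // assumption: WSS4J crypto properties on the classpath
        stsProperties.setSignatureUsername("mystskey");                         // assumption: alias of the STS signing key
        stsProperties.setCallbackHandlerClass("com.example.StsCallbackHandler"); // assumption: supplies the signing key password
        stsProperties.setIssuer("ExampleSTSIssuer");

        // AppliesTo: the STS only issues tokens for relying parties whose address
        // matches one of these regular expressions; other requests are rejected.
        StaticService service = new StaticService();
        service.setEndpoints(Collections.singletonList("https://services\\.example\\.com/.*")); // assumption
        List<ServiceMBean> services = Collections.<ServiceMBean>singletonList(service);

        // Issue operation: plug in the token types this STS is willing to issue.
        TokenIssueOperation issue = new TokenIssueOperation();
        issue.setTokenProviders(Arrays.<TokenProvider>asList(new SAMLTokenProvider(), new SCTProvider()));
        issue.setServices(services);
        issue.setStsProperties(stsProperties);

        // Validate operation: plug in the token types this STS is willing to accept.
        // The UsernameTokenValidator checks passwords through the callback handler
        // configured on the STS properties unless a different validator is set on it.
        TokenValidateOperation validate = new TokenValidateOperation();
        validate.setTokenValidators(Arrays.<TokenValidator>asList(
                new SAMLTokenValidator(), new UsernameTokenValidator(), new X509TokenValidator()));
        validate.setStsProperties(stsProperties);

        // The JAX-WS Provider that dispatches RequestSecurityToken messages to the operations.
        SecurityTokenServiceProvider sts = new SecurityTokenServiceProvider();
        sts.setIssueOperation(issue);
        sts.setValidateOperation(validate);
        return sts;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a local address for demonstration. The STS receives credentials
        // (passwords in UsernameTokens), so a real deployment must sit behind TLS and a
        // WS-SecurityPolicy that requires client authentication on the Issue operation.
        Endpoint.publish("http://localhost:8080/SecurityTokenService/UT", buildSts());
    }
}
```

The same beans appear in Spring XML in typical CXF deployments; the Java form makes the plug-in points explicit: each provider and validator is an independent object, and a token type that is not registered on an operation is neither issued nor accepted.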

These are all described in the new doc, in the Security Token Service chapter.