Monday, January 19, 2015

How WS-Trust STS works in WSO2 Identity Server.


WS-Trust STS (Security Token Service) provides the facility for secure communication between a web service client and a web service.
Benefits of WS-Trust STS

1. Identity delegation.
2. Service consumers do not need to know the token-specific implementation details.
3. Secure communication across the web services.

Workflow

1. The service client provides its credentials to the STS and requests a security token (RST - Request Security Token).

2. The STS validates the client credentials and replies with a security token (SAML) to the client (RSTR - Request Security Token Response).

3. The client invokes the web service along with the token.

4. The web service validates the token with the STS.

5. The STS sends the validation decision to the web service.

6. If the token is valid, the web service allows access to the protected resource(s).
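To make steps 1 and 2 concrete, here is an added example (not code from the blog or from the sts-client project) that builds the WS-Trust 1.3 RST a client would send to wso2carbon-sts with a UsernameToken, and pulls the SAML assertion out of a constructed RSTR to check its validity window. The endpoint address, credentials and the RSTR contents are all constructed values; signature verification of the assertion is left to the STS validate step and is not done here.

```python
# Added example (not from the blog or the sts-client project): build the
# WS-Trust Issue RST and read the SAML assertion back out of an RSTR.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def build_rst(username, password, applies_to):
    """RST carrying a UsernameToken (the scenario picked for wso2carbon-sts)
    that asks for a SAML 1.1 token scoped to the relying-party endpoint."""
    env = ET.Element(f"{{{NS['s']}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{NS['s']}}}Header"), f"{{{NS['wsse']}}}Security")
    ut = ET.SubElement(sec, f"{{{NS['wsse']}}}UsernameToken")
    ET.SubElement(ut, f"{{{NS['wsse']}}}Username").text = username
    ET.SubElement(ut, f"{{{NS['wsse']}}}Password").text = password
    rst = ET.SubElement(ET.SubElement(env, f"{{{NS['s']}}}Body"), f"{{{NS['wst']}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{NS['wst']}}}TokenType").text = \
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
    ET.SubElement(rst, f"{{{NS['wst']}}}RequestType").text = \
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
    # AppliesTo binds the token to the service it will be presented to.
    epr = ET.SubElement(ET.SubElement(rst, f"{{{NS['wsp']}}}AppliesTo"), f"{{{NS['wsa']}}}EndpointReference")
    ET.SubElement(epr, f"{{{NS['wsa']}}}Address").text = applies_to
    return ET.tostring(env, encoding="unicode")

def extract_assertion(rstr_xml, now=None):
    """Return the assertion id and whether 'now' (ISO string, UTC) falls inside
    the Conditions window. Signature checking is the STS's job, not done here."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now_dt = datetime.strptime(now, fmt) if now else datetime.now(timezone.utc).replace(tzinfo=None)
    assertion = ET.fromstring(rstr_xml).find(".//wst:RequestedSecurityToken/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("RSTR carries no SAML assertion")
    cond = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), fmt)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), fmt)
    return {"id": assertion.get("AssertionID"), "valid": not_before <= now_dt < not_on_or_after}

# Constructed RSTR for demonstration; not a real wso2carbon-sts response.
SAMPLE_RSTR = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<wst:RequestSecurityTokenResponse xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
 AssertionID="_c0ffee01" Issuer="WSO2IdentityProvider"><saml:Conditions
 NotBefore="2015-01-19T10:00:00Z" NotOnOrAfter="2015-01-19T10:05:00Z"/></saml:Assertion>
</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></s:Body></s:Envelope>"""
```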

Use Case

Invoke a secured web service (hosted in WSO2 Application Server) using the security token issued by WSO2 Identity Server.

1. Download the latest versions of WSO2 AS (5.2.1) and WSO2 Identity Server (5.0.0).
2. In AS, change the port offset value in carbon.xml to 1 (default 0).
3. Start both servers.
4. The "HelloService" sample web service is already deployed in AS.


5. Once you click on the "HelloService" name, you should see the service endpoints.



6. In this use case we are going to use the "wso2carbon-sts" service of the Identity Server for issuing and validating tokens. Therefore the Identity Server acts as the "Identity Provider", so we need to configure the "Resident Identity Provider" first.

7. Go to Home ---> Identity -----> Identity Provider -----> List, then click on the "Resident Identity Provider" link.

8. Add a name for the resident Identity provider. (Eg: "WSO2IdentityProvider")


9. Expand the "WS-Trust / WS-Federation (Passive) Configuration". Now you should see the "wso2carbon-sts" endpoint.


10. Click on the "Apply Security Policy" link and enable the security. Then select the security scenario that needs to be applied to the wso2carbon-sts service (Eg: select UsernameToken). Once you select the security scenario, the relevant policy will be applied automatically to the "wso2carbon-sts" service.
10. Select the user group(s) that are allowed to access the "wso2carbon-sts" service for requesting tokens.


11. Click on the "wso2carbon-sts" service link; now you should see the WSDL including the applied policy.

https://localhost:9443/services/wso2carbon-sts
12. To add a service provider for the web service client, enter a name (eg: HelloServiceProvider) for the new service provider and update.
13. Edit the "HelloServiceProvider" and configure the web service.
14. Apply the security for the "HelloService" deployed in AS.


15. Select "Non-Repudiation" as the security scenario.

   The image below is captured from the Identity Server product.
16. Now the "HelloService" WSDL should have the applied policy.


17. Download the sts-client project from the following git repository location.
(This is the same sample that is included in the WSO2 Identity Server project, with a few changes for this use case.)

git : https://github.com/ajithnv/blog_resources/tree/master/sts-client


18. The README of the sts-client project describes how to execute the client.


(The underlined values should be changed according to your environment.)

19. The key store of the web service client should have the public certificates of the STS and AS. Therefore it uses the wso2carbon.jks, which is already used in ESB and AS.

20. You can enable the SOAP tracer to capture the request and reply of each server.