Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/deshankoswatte/sample-sts-client
Client which invokes the WSO2 Identity Server to test Security Token Service. Currently this supports testing for ws-trust (active STS). For more information refer https://is.docs.wso2.com/en/latest/learn/identity-federation-with-ws-trust/.
Last synced: 26 days ago
- Host: GitHub
- URL: https://github.com/deshankoswatte/sample-sts-client
- Owner: deshankoswatte
- License: apache-2.0
- Created: 2020-02-09T08:49:53.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2021-08-16T08:05:53.000Z (over 3 years ago)
- Last Synced: 2024-12-19T17:07:09.148Z (about 1 month ago)
- Language: Java
- Homepage:
- Size: 123 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ws-trust-client
# Configuring WS-Trust Security Token Service
WSO2 Identity Server uses the security token service (STS) as the
[WS-Trust](https://is.docs.wso2.com/en/latest/learn/ws-trust) implementation. The STS is capable of issuing SAML 1.1 and
2.0 security tokens and has a SOAP/XML API for token issuance. This API can be secured with the
`UserNameToken` or with any other WS-Security mechanism as explained below.

#### Securing the Security Token Service

According to the Trust Brokering model defined in the WS-Trust specification, the users should authenticate themselves
to the STS before obtaining a token. STS may use this authentication information when constructing the security token.
For example, STS may populate the required claims based on the user name provided by the subject. Therefore, the STS
service needs to be secured.

STS is configured under the **Resident Identity Provider** section of the WSO2 Identity
Server [Management Console](https://is.docs.wso2.com/en/latest/setup/getting-started-with-the-management-console).

To secure the Security Token Service:
1. On the **Main** tab, click **Identity \> Identity Providers \> Resident**.
2. Enter the required values as given below.
| Field | Description | Sample Value |
|---|---|---|
| Home Realm Identifier | This is the domain name of the identity provider. If you do not enter a value here, when an authentication request comes to WSO2 Identity Server, a user will be prompted to specify a domain. You can enter multiple identifiers as a comma-separated list. | localhost |
| Idle Session Time Out | This is the duration in minutes for which an SSO session can be idle. If WSO2 Identity Server does not receive any SSO authentication requests for the given duration, a session time out occurs. The default value is 15. | 15 |
| Remember Me Period | This is the duration in weeks for which WSO2 Identity Server should remember an SSO session given that the Remember Me option is selected in the WSO2 Identity Server login screen. The default value is 2 weeks. | 2 |
3. Under the **Inbound Authentication Configuration** section, click **Security Token Service Configuration \> Apply Security Policy**.
4. Select **Yes** in the **Enable Security?** drop-down and select a pre-configured security scenario according to your
requirements. For this tutorial, use **UsernameToken** under the **Basic Scenarios** section.
5. Click **Next**. The user domain and user group selection appears.
6. Provide the required details as follows:
1. Select **ALL-USER-STORE-DOMAINS**.
2. Select the role you created to grant permission to access the secured service. In this example, the admin role is
used. Next, click **Finish**.
7. Click **Finish**.
8. Click **Ok** on the confirmation dialog window that appears.
9. Click **Update** to complete the process.
Now STS is configured and secured with a username and password. Only users with the Admin role can consume the service.
The next step is to add a service provider to consume the STS.
#### Adding a service provider for the STS client
!!! Tip "Before you begin"
    You must first
    [register a service provider](https://is.docs.wso2.com/en/latest/learn/adding-and-configuring-a-service-provider/#adding-a-service-provider).

    To register a service provider:

    1. Sign in to WSO2 Identity Server Management Console as an admin.
    2. On the Main menu, click **Identity** > **Service Providers** > **Add**.
    3. Enter a service provider name.
    4. Click Register. The Service Provider Details page appears.

1. Under the **Inbound Authentication Configuration** section, click
**WS-Trust Security Token Service Configuration \> Configure**. The STS Configuration page appears.
2. Enter the required details as given below.
| Field | Description | Sample Value |
|---|---|---|
| Endpoint Address | Enter the trusted relying party's endpoint address, which is the endpoint address of the Security Token Service. The endpoint must be used as the service URL to which the token gets delivered by the STS client. Then select the public certificate imported. Tokens issued are encrypted using the public certificate of the trusted relying party. Therefore, the consumer who obtains this token, to invoke the RP service, will not be able to see the token. **Note:** Make sure to upload the certificate of the relying party to the truststore. For instructions, see Adding CA-signed certificates to keystores. | https://localhost:9444/services/echo |
| Certificate Alias | This is the alias of the certificate. | wso2carbon |
3. Click **Update** to save the changes made to the service provider.
#### Running the client
1. Open the client and run `mvn clean install` on the root folder.
2. Run the command `java -cp ws-trust-client/target/ws-trust-client-1.0-SNAPSHOT.jar org.wso2.samples.is.sts.wstrust.client.Client`.
3. You will see the requests sent to the STS and the responses received.
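To make the exchange the client prints concrete, here is an added example (written for this page, not code from the sample-sts-client project or WSO2) that builds the `RequestSecurityToken` an STS client secured with `UsernameToken` sends, reads the credential back out of it, and pulls the issued SAML 2.0 assertion out of a `RequestSecurityTokenResponse`. The SOAP 1.2 envelope and the WS-Trust 1.3 / WS-Addressing namespaces are assumptions about the wire format, and the response is a constructed sample rather than captured Identity Server output; the `admin` user, the `localhost` realm and the `https://localhost:9444/services/echo` relying party are the tutorial's own sample values.

```python
"""WS-Trust RST / RSTR exchange against a UsernameToken-secured STS (added example).

Not code from the sample-sts-client project. SOAP 1.2 and WS-Trust 1.3 are assumed;
SAMPLE_RSTR below is constructed, not real WSO2 Identity Server output.
"""
import uuid
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"


def q(prefix, local):
    """Clark-notation tag name ({uri}local) for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def build_rst(username, password, applies_to, token_type=SAML2_TOKEN):
    """Build an Issue RST whose Security header carries a WS-Security UsernameToken.

    PasswordText puts the credential in clear text inside the SOAP message, which is
    why the STS endpoint must only ever be reached over TLS.
    """
    env = ET.Element(q("soap", "Envelope"))
    header = ET.SubElement(env, q("soap", "Header"))
    ET.SubElement(header, q("wsa", "Action")).text = NS["wst"] + "/RST/Issue"
    sec = ET.SubElement(header, q("wsse", "Security"), {q("soap", "mustUnderstand"): "true"})
    tok = ET.SubElement(sec, q("wsse", "UsernameToken"),
                        {q("wsu", "Id"): "UsernameToken-" + uuid.uuid4().hex})
    ET.SubElement(tok, q("wsse", "Username")).text = username
    ET.SubElement(tok, q("wsse", "Password"), {"Type": PASSWORD_TEXT}).text = password
    rst = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "TokenType")).text = token_type
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    # AppliesTo names the relying party the token is scoped (and encrypted) to.
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = applies_to
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def rst_fields(rst_xml):
    """Read back what anyone on the path (proxy, debug log) sees in the request."""
    root = ET.fromstring(rst_xml)
    tok = root.find(".//wsse:UsernameToken", NS)
    pw = tok.find("wsse:Password", NS)
    return {
        "username": tok.findtext("wsse:Username", namespaces=NS),
        "password_type": pw.get("Type"),
        "password_visible": pw.text is not None,
        "token_type": root.findtext(".//wst:TokenType", namespaces=NS),
        "applies_to": root.findtext(".//wsp:AppliesTo/wsa:EndpointReference/wsa:Address", namespaces=NS),
    }


# Constructed RSTR with an unencrypted assertion so its structure is visible. With the
# tutorial's configuration (token encrypted for the relying party's certificate) the
# RequestedSecurityToken would carry xenc:EncryptedData instead; summarize_rstr reports that.
SAMPLE_RSTR = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
 <wst:RequestSecurityTokenResponse>
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
  <wst:RequestedSecurityToken>
   <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-sample-id"
       Version="2.0" IssueInstant="2021-08-16T08:00:00Z">
    <saml2:Issuer>localhost</saml2:Issuer>
    <saml2:Subject><saml2:NameID>admin</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2021-08-16T08:00:00Z" NotOnOrAfter="2021-08-16T08:05:00Z">
     <saml2:AudienceRestriction><saml2:Audience>https://localhost:9444/services/echo</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
   </saml2:Assertion>
  </wst:RequestedSecurityToken>
 </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>"""


def summarize_rstr(rstr_xml, expected_audience):
    """Extract the issued token's key facts and check it is scoped to the expected RP."""
    root = ET.fromstring(rstr_xml)
    requested = root.find(".//wst:RequestedSecurityToken", NS)
    if requested is None:
        raise ValueError("response carries no RequestedSecurityToken")
    if requested.find("xenc:EncryptedData", NS) is not None:
        return {"encrypted": True}  # opaque to the client; only the relying party can decrypt
    assertion = requested.find("saml2:Assertion", NS)
    cond = assertion.find("saml2:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    return {
        "encrypted": False,
        "token_type": root.findtext(".//wst:TokenType", namespaces=NS),
        "issuer": assertion.findtext("saml2:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "audience_ok": expected_audience in audiences,
    }
```

Running `rst_fields(build_rst("admin", "admin", "https://localhost:9444/services/echo"))` shows `password_visible` is true: with the UsernameToken scenario the credential is protected only by the transport, so the STS must not be exposed without TLS and request bodies must stay out of debug logs. `summarize_rstr` does the check the relying party side should always make, that the assertion's `Audience` is its own endpoint, and returns `encrypted: True` for a response produced under the tutorial's encrypt-for-RP configuration.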