A security token service (STS) is a cross-platform, open-standard core component of the OASIS group's WS-Trust specification, a web services single sign-on infrastructure framework.[1][2] Within that claims-based identity framework, a security token service is responsible for issuing, validating, renewing and cancelling security tokens. The tokens issued by security token services can then be used to identify the holder of the token to services that adhere to the WS-Trust standard. A security token service provides the same functionality as OpenID, but unlike OpenID is not patent encumbered. Together with the rest of the WS-Trust standard, the security token service specification was initially developed by employees of IBM, Microsoft, Nortel and VeriSign.
In a typical usage scenario involving a web service that employs WS-Trust, when a client requests access to an application, the application does not authenticate the client directly (for instance, by validating the client's login credentials against an internal database).[3] Instead, the application redirects the client to a security token service, which in turn authenticates the client and grants it a security token. The token consists of a set of XML data records that include multiple elements regarding the identity and group membership of the client, as well as information regarding the lifetime of the token and the issuer of the token. The token is protected from manipulation with strong cryptography. The client then presents the token to an application to gain access to the resources provided by the application. This process is illustrated in the Security Assertion Markup Language (SAML) use case, demonstrating how single sign-on can be used to access web services.
Software that provides security token services is available from numerous vendors, including the open-source Apache CXF, as well as closed-source solutions from Oracle (for interfacing with authentication services backed by an Oracle Database) and Microsoft (where STS is a core component of Windows Identity Foundation and Active Directory Federation Services). While security token services are themselves typically offered as web services used in conjunction with other web services, software development kits (SDKs) for native applications (such as cloud-storage clients) also exist.[4]
Nadalin, Anthony; Goodner, Marc; Turner, David; Barbir, Abbie; Ganquist, Hans, eds. (1 February 2008), "Security Token Service Framework", WS-Trust 1.4, Burlington, MA: OASIS.
"Security Token Service". Microsoft Developer Network. Retrieved 2014-05-15.