Oracle Security Token Service 11g R2

An Oracle White Paper
July 2012
Oracle Security Token Service 11g R2
Frequently Asked Questions
Disclaimer
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.
Contents
What is Oracle Security Token Service?
What are the primary usage scenarios of Oracle STS?
How is Oracle STS packaged and licensed?
What is the role of the WS-Trust protocol relative to Oracle STS?
What WS-Trust clients are supported by Oracle STS?
What features are supported by the WS-Trust provider in OWSM?
How does the OWSM WS-Trust provider interact with Oracle STS?
Which WS-Trust policies are available to Oracle STS?
Can Oracle STS interop with third party clients such as .Net?
How does Oracle STS compare to OpenSSO STS?
What are the different token types supported by Oracle STS?
Does Oracle STS support OAM tokens as an inbound token?
What is Oracle Security Token Service?
Oracle Security Token Service (STS) is the next generation token service from Oracle, designed to facilitate identity
propagation across web services.
What are the primary usage scenarios of Oracle STS?
Web-to-Web Service Identity Propagation
In this scenario a user’s identity information needs to be propagated from a web application to a web service
provider. The web service provider could reside in the same security domain as the web application or in a
different security domain altogether.
Web Service-to-Web Service Token Exchange
In this scenario a user is authenticated into a domain using a certain type of credentials, for example
username/password, X.509 certificate or Kerberos. However, in order for the user to access or
communicate with a web service provider, a SAML token is required. In cases such as this, Oracle STS
can facilitate token exchange from one standard token format to another (e.g., SAML 1.x or SAML 2.0).
Once again, the web service provider could reside in the same or different security domain as the web
service consumer.
How is Oracle STS packaged and licensed?
Oracle STS is a core service of the Oracle Access Management platform. While installation and management are
accomplished through unified installers and admin consoles, respectively, Oracle STS can be used either in
conjunction with Access Manager or as a standalone solution.
What is the role of the WS-Trust protocol relative to Oracle STS?
WS-Trust is the protocol that is used for communicating with an Oracle STS server. WS-Trust defines:
• The concept of a “security token service”
• The message formats used to request and issue security tokens
• The mechanisms for key exchange
What WS-Trust clients are supported by Oracle STS?
The Oracle Web Services Manager (OWSM) agent, beginning with the 11g PS3 release, supports WS-Trust-based
interaction with Oracle STS.
What features are supported by the WS-Trust provider in OWSM?
The OWSM WS-Trust provider enables:
• Requesting an issued token from Oracle STS
• Verifying and processing the Oracle STS-issued token on the service side and generating responses
• Configuring the client or service policy to request tokens from a specific Oracle STS instance
How does the OWSM WS-Trust provider interact with Oracle STS?
When OWSM is leveraged as a WS-Trust client for Oracle STS, the OWSM WS-Trust provider is used to send
WS-Trust requests to Oracle STS. Once OWSM receives a WS-Trust response from Oracle STS, that response is
then propagated to the Web Service.
The OWSM WS-Trust client supports two primary use cases with Oracle STS:
1) Token exchange/conversion
The OWSM WS-Trust client enables users to exchange basic tokens (requestor tokens) for SAML tokens
(generated by Oracle STS).
2) Token exchange on behalf of an entity
The client has the ability to request a token for itself (the subject in the request) or On Behalf Of
(OBO) another entity; this can be configured in the Issue-Token client policy.
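To make the two use cases concrete, here is an added Python example (not Oracle's or OWSM's code) that builds a WS-Trust 1.3 Issue request either for the requester itself or On Behalf Of an end user, and then checks an STS reply against the token type that was requested. The service URL, the user name and the sample reply are constructed values; the namespace and token-type URIs are the ones defined by the WS-Trust, WS-Security, WS-Policy and WS-Addressing specifications.

```python
import xml.etree.ElementTree as ET
# Namespace URIs from the WS-Trust 1.3, WS-Security 1.0, WS-Policy and WS-Addressing specs.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
for p, u in NS.items(): ET.register_namespace(p, u)  # readable prefixes in the serialized request
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

def tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def build_issue_request(service_url, end_user=None, token_type=SAML2):
    """RequestSecurityToken (Issue) for a bearer token scoped to service_url.
    end_user=None asks for a token for the requester itself; otherwise a wst:OnBehalfOf
    carries the end user's UsernameToken (the OBO use case). The requester's own
    WS-Security header is left to the OWSM policy and is not built here."""
    env = ET.Element(tag("s", "Envelope"))
    rst = ET.SubElement(ET.SubElement(env, tag("s", "Body")), tag("wst", "RequestSecurityToken"))
    ET.SubElement(rst, tag("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, tag("wst", "TokenType")).text = token_type
    ET.SubElement(rst, tag("wst", "KeyType")).text = NS["wst"] + "/Bearer"
    epr = ET.SubElement(ET.SubElement(rst, tag("wsp", "AppliesTo")), tag("wsa", "EndpointReference"))
    ET.SubElement(epr, tag("wsa", "Address")).text = service_url
    if end_user is not None:
        unt = ET.SubElement(ET.SubElement(rst, tag("wst", "OnBehalfOf")), tag("wsse", "UsernameToken"))
        ET.SubElement(unt, tag("wsse", "Username")).text = end_user
    return ET.tostring(env, encoding="unicode")

def issued_token(rstr_xml, expected_token_type=SAML2):
    """Return the token element from a WS-Trust 1.3 Issue response, rejecting a reply
    whose TokenType is not the one that was requested (a client-side sanity check)."""
    root = ET.fromstring(rstr_xml)
    resp = root.find(".//wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse", NS)
    if resp is None:
        raise ValueError("no RequestSecurityTokenResponse in reply")
    got = resp.findtext("wst:TokenType", default="", namespaces=NS)
    if got != expected_token_type:
        raise ValueError("STS issued %r, expected %r" % (got, expected_token_type))
    return resp.find("wst:RequestedSecurityToken/*", NS)

# Constructed sample reply, shaped like a WS-Trust 1.3 Issue response carrying a SAML 2.0 assertion.
SAMPLE_RSTR = (
    '<s:Envelope xmlns:s="%s" xmlns:wst="%s" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<s:Body><wst:RequestSecurityTokenResponseCollection><wst:RequestSecurityTokenResponse>"
    "<wst:TokenType>%s</wst:TokenType><wst:RequestedSecurityToken>"
    '<saml:Assertion Version="2.0" ID="_sample"/></wst:RequestedSecurityToken>'
    "</wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"
) % (NS["s"], NS["wst"], SAML2)
```

Calling build_issue_request("https://service.example/orders", end_user="alice") yields the OBO request; issued_token(SAMPLE_RSTR) returns the saml:Assertion element, and a reply carrying a different TokenType raises ValueError.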
Which WS-Trust policies are available to Oracle STS?
By default, two groups of OWSM policies are available to support Oracle STS token exchange with a web service
endpoint:
1. STS configuration policies
• oracle/sts_trust_config_client_policy
• oracle/sts_trust_config_service_policy
2. Issue-Token policies
• oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy
• oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
• oracle/wss11_sts_issued_saml_with_message_protection_client_policy
• oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy*
• oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy*
*Note: One-way SSL needs to be enabled in order to use the saml_bearer issue-token policies.
Can Oracle STS interop with third party clients such as .Net?
Yes, interoperability with third party WS-Trust clients is supported provided they support the same WS-Trust version.
Additionally, Oracle STS has been officially certified to interoperate with Microsoft ADFS.
How does Oracle STS compare to OpenSSO STS?
Feature                                                  OpenSSO STS     OSTS
WS-Trust versions 1.0/1.2, 1.3                           Yes             Yes
SOAP versions 1.1, 1.2                                   Yes             Yes
Inbound tokens – Requester: Username, Kerberos,          Yes             Yes
  X.509, SAML 1.1, SAML 2.0
Inbound tokens – OnBehalfOf: Username, SAML 1.1,         Yes             Yes (plus X.509, Kerberos)
  SAML 2.0
Outbound tokens: Username, SAML 1.1 & 2.0                Yes             Yes
Token operations: Issue, Validate                        Yes             Yes
Username token/nonce replay prevention                   Yes             Yes
WS-Secure Conversation                                   No              No
Multiple user attribute source support                   Yes (IdRepo)    Yes (OVD)
Logging to RDBMS                                         Yes             Yes (ODL/EM)
Logging to signed files                                  Yes             No
Application server support                               WLS, GF         WLS
What are the different token types supported by Oracle STS?
The following token types are supported by Oracle STS for web service consumers:
• Username
• Kerberos
• X.509
• SAML 1.1 or 2.0 assertions
Token support matrix:
Consumer (requester) tokens:
• UserName token
• X509 token
• Kerberos token
• SAML 1.1 and 2.0 tokens
"On Behalf Of" tokens (end user's tokens):
• UserName token with password
• UserName token no password
• X.509
• Kerberos
• SAML 1.1 / 2.0
• OAM Session Propagation token
• Custom token
Output tokens:
• Username token
• SAML 1.1 token
• SAML 2.0 token
• Custom token
Does Oracle STS support OAM tokens as an inbound token?
Yes, Oracle STS supports the OAM 11g session token as an "On Behalf Of" (OBO) token for the end user and can
translate it into a SAML or UNT (Username) outbound token.
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
July 2012
Author: Robert Zare
This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not
warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied
warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this
document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and
Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or
registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd. 0410
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com