Monday Apr 13, 2009

Handling Token and Key requirements at Run Time, Part III: select STS at run time

In general, you may need to supply your own STSIssuedTokenConfiguration in the following cases:

  1. The client has to go through multiple STSs in a trust chain across security domains to
    access the service.

  2. The client needs to select the STS and/or to provide token and key parameters to the STS
    at run time, according to which service it is trying to access and what that service requires.

When you create a custom configuration class that extends STSIssuedTokenConfiguration, keep the following in mind:

  1. You can get the targeted service endpoint at run time through
    getOtherOptions().get(STSIssuedTokenConfiguration.APPLIES_TO).

  2. Similarly, you can get an instance of STSIssuedTokenConfiguration that captures the entries
    from the IssuedToken policy assertion for the targeted service through
    getOtherOptions().get(STSIssuedTokenConfiguration.ISSUED_TOKEN).

  3. The entries in the IssuedToken policy and in the client-side PreConfiguredSTS take higher
    priority and cannot be overridden at run time.

  4. Different run time entries should be supplied for different services.

To illustrate the usage, we provide a new sample
in Metro. Here is a description of this rather comprehensive sample:


  1. There are four parts in the sample: a service, a (server side) STS, a (client side) MySTS, and the client.

  2. Service - An IssuedToken policy assertion for the service specifies that an issued
    SAML token from the (server side) STS is required for the client to access the service, and
    that the issued token should contain the Role of the user.

  3. STS - An IssuedToken policy assertion for the STS specifies that an issued SAML token
    is required for the client to access the STS, but no Issuer (STS endpoint and/or STS MEX address)
    and no Claims are specified. A custom STSAttributeProvider is used to
    process the incoming SAML assertion and set attributes for the new SAML assertion.

  4. Client - The client supplies a run time STSIssuedTokenConfiguration which specifies that,
    for accessing the STS, an issued token from MySTS which contains both Role and Locality information
    is required. Check here for the sample configuration class.

  5. In this sample, we use callback handlers instead of locations to configure the KeyStore and TrustStore
    for both STSs. This gives you great flexibility for managing certificates and keys at run time.

  6. Pay special attention to the classes in the common directory. These classes illustrate how
    you can extend Metro to build custom solutions in various ways.
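As an added illustration (not the Metro sample's own configuration class), here is a run time configuration that applies points 1 to 4 above: it reads APPLIES_TO and ISSUED_TOKEN from getOtherOptions() to send token requests for the service to the server-side STS and requests for that STS to the client-side MySTS, and echoes any Issuer the policy already fixes. The endpoint addresses, service and port names and namespace are constructed values, and the set of abstract getters implemented is the Metro STSIssuedTokenConfiguration API as assumed here; check it against the javadoc of your Metro version.

```java
import java.util.HashMap;
import java.util.Map;
import com.sun.xml.ws.api.security.trust.Claims;
import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenConfiguration;
import com.sun.xml.ws.security.Token;

/** Selects the STS per target service from the APPLIES_TO / ISSUED_TOKEN run time entries. */
public class RunTimeStsSelector extends STSIssuedTokenConfiguration {
    // Constructed sample addresses (not the Metro sample's); adjust to your deployment.
    private static final String STS_ENDPOINT   = "http://localhost:8080/sts/sts";
    private static final String MYSTS_ENDPOINT = "http://localhost:8080/mysts/mysts";

    // Metro puts APPLIES_TO and ISSUED_TOKEN into this map before calling the getters: keep one mutable instance.
    private final Map<String, Object> otherOptions = new HashMap<String, Object>();

    // True when the token is being requested for the server-side STS itself (the trust chain hop).
    private boolean targetIsServerSts() {
        Object appliesTo = otherOptions.get(APPLIES_TO);
        return appliesTo != null && appliesTo.toString().startsWith(STS_ENDPOINT);
    }

    // Entries captured from the target's IssuedToken policy; they win over anything returned here.
    private STSIssuedTokenConfiguration policyConfig() {
        return (STSIssuedTokenConfiguration) otherOptions.get(ISSUED_TOKEN);
    }

    @Override public String getSTSEndpoint() {
        STSIssuedTokenConfiguration policy = policyConfig();
        if (policy != null && policy.getSTSEndpoint() != null) {
            return policy.getSTSEndpoint();   // policy Issuer cannot be overridden at run time
        }
        // service -> server-side STS; server-side STS (no Issuer in its policy) -> client-side MySTS
        return targetIsServerSts() ? MYSTS_ENDPOINT : STS_ENDPOINT;
    }
    @Override public String getSTSMEXAddress()   { return getSTSEndpoint() + "/mex"; }
    @Override public String getSTSWSDLLocation() { return getSTSEndpoint() + "?wsdl"; }
    @Override public String getSTSServiceName()  { return targetIsServerSts() ? "MySTS" : "STS"; }
    @Override public String getSTSPortName()     { return targetIsServerSts() ? "IMySTS_Port" : "ISTS_Port"; }
    @Override public String getSTSNamespace()    { return "http://tempuri.org/"; }  // constructed value
    @Override public String getTokenType()       { return "urn:oasis:names:tc:SAML:1.1:assertion"; }
    @Override public String getKeyType()         { return "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey"; }
    @Override public long   getKeySize()         { return 256; }
    @Override public Claims getClaims()          { return null; }  // Role/Locality Claims: see the sample class
    @Override public Map<String, Object> getOtherOptions() { return otherOptions; }
    // Not chosen at run time here; left unset so the policy and PreConfiguredSTS entries apply.
    public String getSignatureAlgorithm()        { return null; }
    public String getEncryptionAlgorithm()       { return null; }
    public String getCanonicalizationAlgorithm() { return null; }
    public String getKeyWrapAlgorithm()          { return null; }
    public String getSignWith()                  { return null; }
    public String getEncryptWith()               { return null; }
    public Token  getOBOToken()                  { return null; }
}
```

Register the class the same way the sample registers its configuration class on the client; Metro then fills getOtherOptions() per request, so the same instance serves both hops of the trust chain.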
Comments:

[Trackback] Security Token Configuration in Metro

Posted by Kumar Jayanti's Blog on June 01, 2009 at 04:46 AM PDT #

Copyright (C) 2003, jiandongg