To set up the STS to issue SAML 2.0 tokens, click on the main STS tab and select the STS Configuration child tab. This brings up the main configuration screen as shown below:
Click on the checkbox to make the STS endpoint active. If the checkbox is not checked, the STS endpoint will not be available. Make sure that the button is clicked so that the changes take effect.
The STS Name value specifies the logical name of the STS. This is a required field and must be specified.
The Token Time-to-live field specifies how long an issued token remains valid. It defaults to 5 minutes (300 seconds).
The STS must be configured with a valid Keystore and Signing Alias so that the issued token can be signed correctly. To do this, click on the button to launch the Available Keystores dialog and select a private key from one of the available keystores, as shown below:
Once the Signing alias and Keystore have been selected, they are displayed as shown below in the read-only Signing Alias and KeyStore fields.
The issued SAML token can be encrypted with the public key that corresponds to the Service Provider (Relying Party) to whom the SAML token will be sent as part of a WS request.
To do this, select the checkbox and add an entry in the Service Providers table by specifying the Provider Endpoint and the Truststore alias. The Provider Endpoint value must correspond to the <wst:AppliesTo/> element value in the WS-Trust RequestSecurityToken (RST) sent to the STS by the token requestor (client).
Note that the Truststore Alias combobox displays the available public key aliases present in the Signing Keystore selected to sign the issued token. For example, in the example above, the sts.jks keystore selected as the signing keystore contains one private key, sts, and two public keys, client and service. These two public keys are displayed in the Truststore Alias field.
When the WS-Trust RST request arrives at the configured STS, if it carries an AppliesTo value that corresponds to one of the Provider Endpoint values specified above, then the chosen public key alias is used to encrypt the issued token, such that only that service provider can decrypt it.
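The selection rule described above, as an added example that is not the product's own code: a constructed STS configuration (the sts.jks aliases from the text, a constructed provider endpoint URL) and a constructed RST are run through the lookup that maps the AppliesTo address to a Truststore alias. AppliesTo is matched by local name, so it works whether the element carries the wst: prefix used in the text or the wsp: prefix of WS-Policy; an AppliesTo with no matching row returns no alias, which this example treats as sign-only (an assumption, the text does not state the product's behaviour for that case).

```python
import xml.etree.ElementTree as ET

# Constructed STS configuration mirroring the configuration screen's fields.
STS_CONFIG = {
    "enabled": True,                 # the checkbox that makes the STS endpoint active
    "signing_alias": "sts",          # private key in the page's sts.jks example
    "keystore_aliases": {"sts", "client", "service"},  # all aliases in that keystore
    "encrypt_issued_token": True,
    # Service Providers table: Provider Endpoint -> Truststore alias (constructed URL)
    "service_providers": {"http://sp.example.test/PingService": "service"},
}

# Constructed RST (the text calls the element wst:AppliesTo; WS-Policy puts it in wsp:).
SAMPLE_RST = """<wst:RequestSecurityToken
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>http://sp.example.test/PingService</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} ElementTree prepends

def applies_to_address(rst_xml):
    """Endpoint address inside AppliesTo, matched by local name so the prefix
    (wst: or wsp:) does not matter; None when the RST carries no AppliesTo."""
    for el in ET.fromstring(rst_xml).iter():
        if _local(el.tag) == "AppliesTo":
            for addr in el.iter():
                if _local(addr.tag) == "Address" and addr.text:
                    return addr.text.strip()
    return None

def resolve_encryption_alias(config, rst_xml):
    """The page's rule: with encryption on, an AppliesTo equal to a configured
    Provider Endpoint selects that provider's public-key alias. An AppliesTo
    with no matching row returns None (assumed here to mean: sign only)."""
    if not config["enabled"]:
        raise RuntimeError("STS endpoint is not active")
    if config["signing_alias"] not in config["keystore_aliases"]:
        raise RuntimeError("Signing Alias is not present in the selected Keystore")
    if not config["encrypt_issued_token"]:
        return None
    alias = config["service_providers"].get(applies_to_address(rst_xml))
    if alias is not None and alias not in config["keystore_aliases"]:
        raise RuntimeError("Truststore alias %r is not in the signing keystore" % alias)
    return alias
```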