The configured STS endpoint can be secured with WS-Security settings. They are enforced separately for the request (RST) sent by the client to the STS and for the response (RSTR) sent from the STS back to the client.
To enable WS-Security for the client request coming to the STS, click on the Request Security tab and select the checkbox as shown below:
The following WS-Security Request settings can be configured:
Enabling this checkbox requires that a Timestamp element be present in the WS-Security header of the RST sent by the client; an RST without one is rejected. Note that a timestamp only narrows the window for replaying a captured request if the STS also checks its Created and Expires values against its own clock, and it should be covered by the request signature so that it cannot be altered in transit.
Enabling this checkbox requires that the client send a WSS UsernameToken in the request. The credentials are authenticated against the list of allowed usernames and passwords specified in the Allowed username token principals table; a username that is not in the table, or a wrong password, causes the request to be rejected.
To require that the client sign the SOAP Body of the RST, select the Require Signed request checkbox, click on the button to open the Truststore selection dialog, and choose a public key alias from the list of available keystores. The certificate behind this alias is what the STS uses to verify the client's signature, so it must be the client's certificate.
To require that the client encrypt the SOAP Body of the RST, select the Require encrypted SOAP Body checkbox and click on the button to select the private key alias that the STS uses to decrypt the Body. This must be the private key matching the certificate the client encrypts to.
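The following is an added example, not code from this product or page, showing what the STS has to check on an incoming RST once the Request Security settings above are enabled: that a Timestamp is present and fresh, that the UsernameToken resolves to an entry in a hypothetical Allowed username token principals table (both PasswordText and the WSS UsernameToken Profile PasswordDigest form are handled), and that the ds:Signature references the SOAP Body. The signature check here is structural only; cryptographic verification of XML-DSig and decryption of an XML-Enc Body need an XML security library and are out of scope. The sample RST, the clock value and the principal table are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TEXT, PW_DIGEST = UTP + "#PasswordText", UTP + "#PasswordDigest"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical "Allowed username token principals" table (username -> password).
ALLOWED_PRINCIPALS = {"alice": "s3cret"}

def _utc(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)

def password_digest(nonce, created, password):
    """WSS UsernameToken Profile: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def check_timestamp(security, now, skew=timedelta(seconds=60)):
    ts = security.find("wsu:Timestamp", NS)
    if ts is None:
        return "missing Timestamp"
    created = _utc(ts.findtext("wsu:Created", namespaces=NS))
    expires = ts.findtext("wsu:Expires", namespaces=NS)
    if created - skew > now:
        return "Timestamp Created is in the future"
    if expires and _utc(expires) + skew < now:
        return "Timestamp expired"
    return None

def check_username_token(security):
    ut = security.find("wsse:UsernameToken", NS)
    if ut is None:
        return "missing UsernameToken"
    expected = ALLOWED_PRINCIPALS.get(ut.findtext("wsse:Username", namespaces=NS))
    pw = ut.find("wsse:Password", NS)
    if expected is None or pw is None:
        return "unknown principal"   # same answer for an unknown user and a missing password
    ptype = pw.get("Type", PW_TEXT)
    if ptype == PW_TEXT:
        return None if pw.text == expected else "bad password"
    if ptype == PW_DIGEST:
        nonce = base64.b64decode(ut.findtext("wsse:Nonce", namespaces=NS))
        created = ut.findtext("wsu:Created", namespaces=NS)
        return None if pw.text == password_digest(nonce, created, expected) else "bad password digest"
    return "unsupported password type"

def check_body_signed(envelope, security):
    """Structural check only: the Signature must have a Reference to the Body's wsu:Id."""
    body = envelope.find("soap:Body", NS)
    body_id = body.get("{%s}Id" % NS["wsu"]) if body is not None else None
    sig = security.find("ds:Signature", NS)
    if sig is None:
        return "missing Signature"
    refs = [r.get("URI") for r in sig.iterfind("ds:SignedInfo/ds:Reference", NS)]
    if body_id is None or "#" + body_id not in refs:
        return "Signature does not cover the SOAP Body"
    return None

def validate_rst(xml_text, now, require_timestamp=True, require_username_token=True, require_signed=False):
    """Return the list of policy violations; an empty list means the RST passes the enabled checks."""
    envelope = ET.fromstring(xml_text)
    security = envelope.find("soap:Header/wsse:Security", NS)
    if security is None:
        return ["missing wsse:Security header"]
    problems = []
    if require_timestamp:
        problems.append(check_timestamp(security, now))
    if require_username_token:
        problems.append(check_username_token(security))
    if require_signed:
        problems.append(check_body_signed(envelope, security))
    return [p for p in problems if p]

def build_sample_rst(username, password, created="2024-05-01T12:00:00Z", expires="2024-05-01T12:05:00Z"):
    """Constructed RST for the example; the nonce is fixed here, a real client uses random bytes."""
    nonce = b"0123456789abcdef"
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
    <wsse:UsernameToken>
      <wsse:Username>{username}</wsse:Username>
      <wsse:Password Type="{PW_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
      <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
      <wsu:Created>{created}</wsu:Created>
    </wsse:UsernameToken>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#Body-1"/></ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1"><wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"/></soap:Body>
</soap:Envelope>"""

NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)   # constructed clock for the example
LATER = NOW + timedelta(hours=1)

if __name__ == "__main__":
    print(validate_rst(build_sample_rst("alice", "s3cret"), NOW, require_signed=True))   # []
    print(validate_rst(build_sample_rst("alice", "wrong"), NOW))                         # ['bad password digest']
```

The clock skew allowance is deliberate: clients and the STS rarely agree to the second, and rejecting every request whose Created is a few seconds ahead turns into an availability problem. Keep it small (a minute here) because it directly widens the replay window the timestamp is meant to close.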
To enable WS-Security for the RSTR sent by the STS to the client, switch to the Response tab and select the checkbox. The available configuration options are as shown below:
Select the checkbox to add a Timestamp element to the WSS header of the RSTR. The timestamp duration (the interval between the Created and Expires values) defaults to 5 minutes / 300 seconds.
To sign the RSTR SOAP Body element, select the checkbox and pick the signing alias by clicking on the button. This brings up the Signing Alias selection dialog, which displays all the available keystores; the alias must refer to a key pair entry, since signing uses the STS's private key. Make sure that you specify the alias password or select the checkbox to use the keystore password instead.
To encrypt the SOAP Body of the RSTR, select the checkbox and select the public key that corresponds to the client. The Encryption alias dialog is as shown below:
Note that if you select a public key alias that corresponds to a client, then only that specific client can decrypt the RSTR. As an alternative, you can enable the option to encrypt the RSTR with the certificate the client used when it signed the RST SOAP Body and sent that certificate in the request. This option only works if the client signs the request and its public key is available either in the request or through the configured truststore (as described in the section Response Signature above). Because the encryption key is then taken from the request, enable it together with Require Signed request so that the certificate used to encrypt the response is the one whose signature the STS has verified; otherwise an unverified request could steer the STS into encrypting the RSTR for an arbitrary key.
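As an added example that is not part of this product or page, the following shows the two response-side decisions above in code: building the RSTR Timestamp with the 300 second default, and selecting the certificate whose public key encrypts the RSTR Body, either a fixed truststore alias or, when the "use the client's certificate from the request" option is on, the certificate referenced by the RST signature's KeyInfo (carried inline as a BinarySecurityToken, or located in the truststore by SHA-1 thumbprint). The truststore, the certificate bytes and the RST skeletons are constructed stand-ins; the code assumes the request signature has already been verified and does not verify it itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
THUMBPRINT = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-ins for DER certificates (opaque bytes, not real X.509) and a hypothetical truststore.
CLIENT_A_CERT = b"constructed DER certificate of client A"
CLIENT_B_CERT = b"constructed DER certificate of client B"
TRUSTSTORE = {"client-a": CLIENT_A_CERT, "client-b": CLIENT_B_CERT}   # alias -> certificate

def thumbprint_sha1(cert):
    return base64.b64encode(hashlib.sha1(cert).digest()).decode()

def rstr_timestamp(now, ttl_seconds=300):
    """Created/Expires strings for the RSTR Timestamp; Expires = Created + 300 s by default."""
    return now.strftime(TS_FMT), (now + timedelta(seconds=ttl_seconds)).strftime(TS_FMT)

def encryption_cert(request_xml, configured_alias=None, use_request_cert=False):
    """Pick the certificate whose public key will encrypt the RSTR Body."""
    if not use_request_cert:
        if configured_alias in TRUSTSTORE:               # fixed client chosen in the Encryption alias dialog
            return TRUSTSTORE[configured_alias]
        raise ValueError("unknown encryption alias %r" % configured_alias)
    security = ET.fromstring(request_xml).find("soap:Header/wsse:Security", NS)
    sig = security.find("ds:Signature", NS) if security is not None else None
    if sig is None:
        raise ValueError("RST is not signed, so there is no client certificate to encrypt for")
    stref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
    ref = stref.find("wsse:Reference", NS) if stref is not None else None
    if ref is not None:                                  # certificate carried in the request itself
        wanted = ref.get("URI", "").lstrip("#")
        for bst in security.iterfind("wsse:BinarySecurityToken", NS):
            if bst.get("{%s}Id" % NS["wsu"]) == wanted and bst.get("ValueType") == X509V3:
                return base64.b64decode(bst.text)
    kid = stref.find("wsse:KeyIdentifier", NS) if stref is not None else None
    if kid is not None and kid.get("ValueType") == THUMBPRINT:   # certificate only in the truststore
        for cert in TRUSTSTORE.values():
            if thumbprint_sha1(cert) == kid.text.strip():
                return cert
    raise ValueError("client certificate is neither in the RST nor in the truststore")

def signed_rst(key_info, tokens=""):
    """Constructed signed RST skeleton; the SignatureValue is a placeholder, not a real signature."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security>{tokens}
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#Body-1"/></ds:SignedInfo>
      <ds:SignatureValue>constructed</ds:SignatureValue>
      <ds:KeyInfo><wsse:SecurityTokenReference>{key_info}</wsse:SecurityTokenReference></ds:KeyInfo>
    </ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body-1"/>
</soap:Envelope>"""

RST_WITH_CERT = signed_rst(
    '<wsse:Reference URI="#X509-1" ValueType="%s"/>' % X509V3,
    '<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="%s">%s</wsse:BinarySecurityToken>'
    % (X509V3, base64.b64encode(CLIENT_A_CERT).decode()))
RST_WITH_THUMBPRINT = signed_rst(
    '<wsse:KeyIdentifier ValueType="%s">%s</wsse:KeyIdentifier>' % (THUMBPRINT, thumbprint_sha1(CLIENT_B_CERT)))
RST_UNSIGNED = '<soap:Envelope xmlns:soap="%s"><soap:Header/><soap:Body/></soap:Envelope>' % NS["soap"]
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed clock for the example

if __name__ == "__main__":
    print(rstr_timestamp(SAMPLE_NOW))                                               # ('2024-05-01T12:00:00Z', '2024-05-01T12:05:00Z')
    print(encryption_cert(RST_WITH_CERT, use_request_cert=True) == CLIENT_A_CERT)   # True
```

The failure branches are the point of the example: an unsigned RST, or a signed one whose certificate is neither inline nor in the truststore, leaves the STS with no key to encrypt for, and the only safe outcome is to reject the request rather than send the RSTR in clear.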