To set up the STS to issue SAML 2.0 tokens, click on the main STS tab and select the STS Configuration child tab. This brings up the main configuration screen as shown below:


Click the Activate Endpoint checkbox to make the STS endpoint active. If the checkbox is not checked, the STS endpoint will not be available. Make sure that the Save button is clicked to activate the changes.

The STS Name value specifies the logical name of the STS. This is a required field and must be specified.

The Token Time-to-live field specifies the duration for which an issued token will be valid. It defaults to 5 minutes (300 seconds).

Signing the issued SAML token

The STS must be configured with a valid Keystore and Signing Alias so that the issued token can be signed correctly. To do this, click on the Select Keystore and Signing Alias button to launch the Available Keystores dialog and select a private key from one of the available keystores as shown below:


Once the Signing alias and Keystore have been selected, they are displayed as shown below in the read-only Signing Alias and KeyStore fields.


Encrypting the SAML token for the targeted Service Provider

The issued SAML token can be encrypted with the public key that corresponds to the Service Provider (Relying Party) to whom the SAML token will be sent as part of a WS request.

To do this, select the Encrypt Token? checkbox and add an entry in the Service Providers table by specifying the Provider Endpoint and the Truststore alias. The Provider Endpoint value must correspond to the <wst:AppliesTo/> element value in the WS-Trust RequestSecurityToken (RST) sent to the STS by the token requestor (client).


Note that the Truststore Alias combobox displays the available public key aliases present in the Signing Keystore selected to sign the issued token. For example, in the screen above, the sts.jks keystore selected as the signing keystore contains one private key, sts, and two public keys, client and service. These two public keys are displayed in the Truststore Alias field.

When the WS-Trust RST request arrives at the configured STS, if it carries an AppliesTo value that corresponds to one of the Provider Endpoint values specified above, then the chosen public key alias is used to encrypt the issued token, such that only that service provider can decrypt it.
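The following is an added illustration, not the STS product's own code: it models the selection step just described, reading the AppliesTo address out of an RST and looking it up in a constructed Service Providers table to decide which truststore alias (if any) encrypts the issued token. The endpoint URL and the RST are made up; the alias name follows the sts.jks example above, and the AppliesTo element carries the wsp prefix because the WS-Trust 1.3 schema defines it in the WS-Policy namespace (the matcher keys on local names, so the wst prefix used above works too).

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the STS Configuration screen: Encrypt Token? checked and one
# Service Providers row (Provider Endpoint -> Truststore Alias). The endpoint URL is made up.
STS_CONFIG = {
    "encrypt_token": True,
    "service_providers": {
        "http://localhost:8080/service/PingService": "service",
    },
}

# Constructed WS-Trust 1.3 Issue request for a SAML 2.0 token. AppliesTo uses the
# WS-Policy prefix as the WS-Trust 1.3 schema defines it; matching below is by local name.
SAMPLE_RST = """<wst:RequestSecurityToken
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</wst:TokenType>
  <wsp:AppliesTo>
    <wsa:EndpointReference>
      <wsa:Address>http://localhost:8080/service/PingService</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityToken>"""


def _local(tag):
    # Strip the "{namespace}" part of an ElementTree tag, leaving the local name.
    return tag.rsplit("}", 1)[-1]


def applies_to_address(rst_xml):
    """Return the wsa:Address under AppliesTo in an RST, or None if the RST has none."""
    for elem in ET.fromstring(rst_xml).iter():
        if _local(elem.tag) == "AppliesTo":
            for child in elem.iter():
                if _local(child.tag) == "Address" and child.text:
                    return child.text.strip()
    return None


def select_encryption_alias(rst_xml, config=STS_CONFIG):
    """Truststore alias to encrypt the issued token with, or None to issue it unencrypted.

    None means: Encrypt Token? is off, the RST has no AppliesTo, or the address matches
    no Provider Endpoint row (treating a non-match as "no encryption" is an assumption).
    """
    if not config["encrypt_token"]:
        return None
    endpoint = applies_to_address(rst_xml)
    if endpoint is None:
        return None
    return config["service_providers"].get(endpoint)
```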
