If it is not already enabled, click the Configure Keystore Management check box.

10-64 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

■ "Overview of Sender Vouches in WS-Trust" on page 10-69

How the STS Configuration is Obtained

Typically, your environment will have only one STS. If you have a hundred different Web services, all of which have attached this STS config policy, you can easily change all of your Web services to point to a different STS by changing the policy.

The STS is also a Web service. To communicate with the STS, the client application needs to know the STS details, such as the port-uri, port-endpoint, wsdl-uri, and the security tokens it can accept from clients trying to authenticate to it.

There are two mechanisms by which STS information becomes available to the client.

■ Automatic Client STS Policy Configuration (see "Setting Up Automatic Policy Configuration for STS" on page 10-69) is involved. Automatic Policy Configuration dynamically generates the information about the STS by parsing the STS WSDL document. Automatic Policy Configuration is triggered when the STS config policy is attached to the Web service and not the client. Additionally, the only information provided in the STS config policy is the port-uri of the target STS. When this policy is attached to the Web service along with the issued token service policy, the port-uri of the STS appears as the Issuer-Address in the IssuedToken assertion of the Web service WSDL. As a result, all the other STS information (target namespace, service name, endpoint, and so forth) is obtained by accessing the STS WSDL and is saved in memory as the STS config. This information is stored only in memory and is not persisted in the Oracle WSM repository. For details about the repository, see Chapter 17, "Maintaining the Oracle WSM Repository." If you specify the STS URI in the Web service STS config policy and attach it to the Web service, the client is forced to use that STS; it cannot override it.
■ You do not use Automatic Policy Configuration and instead attach the STS config policy to the client and specify all the STS-related information (port-endpoint, port-uri, public key alias, a reference to an Oracle WSM client policy to be used for authenticating to the STS) before invoking the Web service. In this case, all the information is already available to the run time from the STS config policy.

Typical Token Request and Response

The general token request/response process works as follows. These steps are explained further in the use case described in "Example WS-Trust Use Case" on page 10-65.

1. The Web service client wants to invoke a Web service. The Oracle WSM agent attempts to fetch the WSDL of the Web service and extract the issued token service policy. The Oracle WSM agent uses the local client policy (as optionally overridden) to talk to the STS identified in the WSDL. The Web service policy can require the issued token to be from a specific STS.

2. The Web service client requests that the STS issue a token. The Web service client can request the token from a specific STS. The Request Security Token (RST) is a request for a security token. The RequestSecurityTokenResponse (RSTR) is a response generated by the STS in response to the RST with claims for the requested user.
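
As an added illustration (not Oracle WSM code and not part of the original guide), the Python below mirrors what Automatic Policy Configuration is described as doing: it reads the Issuer address from the service's IssuedToken assertion, derives the STS config from the STS WSDL, and prefers the service-named STS over a client-supplied one. The WSDL documents, host names and function names are constructed for the example, and representing the Issuer-Address as a WS-Addressing Address element inside sp:Issuer is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
      "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
      "wsa": "http://www.w3.org/2005/08/addressing"}

# Constructed sample: service WSDL whose IssuedToken assertion names the STS.
SERVICE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsa="http://www.w3.org/2005/08/addressing">
 <sp:IssuedToken><sp:Issuer>
  <wsa:Address>https://sts.example.test/sts</wsa:Address>
 </sp:Issuer></sp:IssuedToken>
</wsdl:definitions>"""

# Constructed sample: the STS's own WSDL.
STS_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" targetNamespace="urn:example:sts">
 <wsdl:service name="StsService"><wsdl:port name="StsPort">
  <soap:address location="https://sts.example.test/sts"/>
 </wsdl:port></wsdl:service>
</wsdl:definitions>"""

def issuer_address(service_wsdl):
    """STS address from the IssuedToken assertion, or None if none is named."""
    # Parse only trusted WSDL with ElementTree; it is not hardened against hostile XML.
    node = ET.fromstring(service_wsdl).find(
        ".//sp:IssuedToken/sp:Issuer/wsa:Address", NS)
    return node.text.strip() if node is not None and node.text else None

def sts_config_from_wsdl(sts_wsdl, port_uri):
    """Derive the in-memory STS config for the port located at port_uri."""
    root = ET.fromstring(sts_wsdl)
    for svc in root.findall("wsdl:service", NS):
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            if addr is not None and addr.get("location") == port_uri:
                return {"target-namespace": root.get("targetNamespace"),
                        "service-name": svc.get("name"),
                        "port-name": port.get("name"), "port-uri": port_uri}
    raise LookupError(f"no port at {port_uri} in the STS WSDL")

def select_sts(service_wsdl, client_sts_uri=None):
    """A service-named STS always wins; the client's choice is only a fallback."""
    return issuer_address(service_wsdl) or client_sts_uri
```
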