Gavin Targonski,
British American Tobacco
Interoperability has historically been a major obstacle to security and identity management. Large organizations must knit together systems which use X.509 certificates, SAML, and Kerberos. A Security Token Service (STS) addresses this interoperability problem by providing a standards-based method of converting security tokens across different formats.
An STS is used to issue security tokens and to convert security tokens from one format to another. The security tokens created by an STS are then bound to the messages travelling within a Service-Oriented Architecture (SOA).
Security Context
With an STS in place, an organization can bridge security domains by converting security tokens from one format to another, for example converting X.509 Certificates to SAML Assertions and vice versa. An STS may be used to issue SAML tokens which include information about the end user, such as their identity and their group memberships. This information, embedded in the SAML token, is then bound to the XML messages which are sent to Web Services. This allows a security policy at the Web Service to make an access control decision based on the end user's identity and group membership. Because the STS has already gathered the user's attributes, the code at the Web Service endpoint does not have to connect to directories or databases to retrieve this information.
Privacy
An STS also enables some important privacy Use Cases. It allows only the user's entitlements, not their actual identity, to flow with messages, so the Web Service can perform fine-grained authorization without the user's identity ever being embedded in the messages.
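The two preceding sections describe the STS converting an X.509 identity into an attribute token, the Web Service authorizing from the token alone, and a privacy mode in which only entitlements flow. The following added example (not Vordel's code, and not a real WS-Trust or SAML implementation) models that exchange: the issuer name, the signing key, the directory contents and the JSON-plus-HMAC token format are all constructed stand-ins for the SAML assertion and XML Signature a real STS would produce.

```python
import hmac, hashlib, json, time

# Constructed demo key shared between the STS and the relying Web Service
# (stand-in for the STS signing certificate / XML Signature of a real SAML token)
ISSUER_KEY = b"constructed-demo-key"
# Constructed directory: X.509 subject DN -> group memberships gathered once by the STS
DIRECTORY = {
    "CN=alice,O=Example": ["finance", "staff"],
    "CN=bob,O=Example": ["staff"],
}

def issue_token(cert_subject, privacy=False, now=None, ttl=300):
    """STS side: convert an X.509 subject into a signed attribute token.
    privacy=True omits the identity so only entitlements travel with the message."""
    now = time.time() if now is None else now
    claims = {
        "iss": "demo-sts", "iat": now, "exp": now + ttl,
        "groups": DIRECTORY.get(cert_subject, []),
    }
    if not privacy:
        claims["sub"] = cert_subject
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return body + b"." + sig.encode()

def verify_token(token, now=None):
    """Web Service side: check the signature and validity window; return claims or None.
    No directory or database lookup is needed: the STS already gathered the attributes."""
    body, _, sig = token.rpartition(b".")
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged token
    claims = json.loads(body)
    now = time.time() if now is None else now
    if not (claims["iat"] <= now < claims["exp"]):
        return None  # outside the token's validity window
    return claims

def authorize(token, required_group, now=None):
    """Access control decision based only on the group membership carried in the token."""
    claims = verify_token(token, now)
    return claims is not None and required_group in claims["groups"]

if __name__ == "__main__":
    t = issue_token("CN=alice,O=Example", privacy=True, now=1000)
    # Authorized for "finance" without the Web Service learning who the user is
    print(authorize(t, "finance", now=1100), "sub" in verify_token(t, now=1100))
```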
Vordel STS Solution
Vordel's STS is a natural extension of the Vordel product line. Optimized for performance, the STS solution includes inherent load-balancing and failover so that the STS does not become a single point of failure in the network.
Vordel has had WS-Trust frameworks in production with customers since 2005 and the Security Token Service is provided as a built-in component of the XML Networking products, including the Vordel XML Firewall and Vordel XML Gateway.