StarterSTS Documentation
Security policy and settings (starterSTS.config)
starterSTS.config defines the overall security policy of the STS as well as the available endpoints.
<starterSTS
    xmlns="http://www.thinktecture.com/configuration/startersts"
    siteName="thinktecture Security Token Service Starter Sample"
    issuerUri="http://sample.thinktecture.com/trust"
    issuerContactEmail="identity@thinktecture.com"
    claimsBaseUri="http://sample.thinktecture.com/claims"
    requireEncryption="true"
    requireSsl="true"
    requireLoginConfirmation="false"
    requireReplyToWithinRealm="true"
    allowKnownRealmsOnly="true"
    enableClientCertificates="true">
  <endpoints
      wsTrustMixed="true"
      wsTrustMessage="true"
      wsFedMex="true"
      simpleHttp="true"
      openIdBridge="true" />
</starterSTS>
General configuration settings
- siteName
  Display name of the STS. This value is used in the web UI and federation metadata.
- issuerUri
  URI that identifies the STS. This value is embedded in the generated SAML tokens and is often used by downstream
  consumers (relying parties or chained token services) to identify the STS.
- issuerContactEmail
  Contact email for the STS. This value gets embedded in the federation metadata and information cards.
- claimsBaseUri
  Claims generated from the Profile store will get prefixed with this URI.
- requireEncryption
  Specifies whether all generated tokens must be encrypted.
  Generally it is recommended that all tokens are encrypted, but there are situations where the relying party does not support this.
  In this case this switch must be set to false. You can still configure encryption on a per-relying-party basis.
- requireSsl
  This value specifies whether tokens must be transmitted over SSL.
  This setting is only relevant for passive (web browser) scenarios.
- requireLoginConfirmation
  When set to true, StarterSTS will generate a confirmation screen before a token gets transmitted to the relying party.
  This makes single sign-on less transparent, but the stop screen makes it harder for CSRF attacks to succeed.
  This applies to browser-based clients only.
- requireReplyToWithinRealm
  When set to true, the WS-Federation replyTo parameter must point to a URL that is "inside" the specified realm (like a sub page or virtual directory).
- allowKnownRealmsOnly
  When set to true, StarterSTS will only issue tokens for realms that are registered in relyingParty.config.
- enableClientCertificates
  When set to true, the WS-Trust endpoints and the passive sign-in page will support client certificate based authentication.
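As an added example (not StarterSTS's own code), the following Python audits the policy switches listed above in a starterSTS.config document and shows one way the requireReplyToWithinRealm rule can be evaluated without the classic string-prefix mistake. The inline config text and the _origin / reply_to_within_realm helpers are constructed for this illustration and are not the STS's implementation.

```python
# Added example, not StarterSTS code: audit the policy switches of a
# starterSTS.config document and illustrate the requireReplyToWithinRealm rule.
# SAMPLE_CONFIG below is constructed for this example.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://www.thinktecture.com/configuration/startersts}"

# Policy switches a defender expects to be "true", with the exposure when relaxed.
EXPECTED_TRUE = {
    "requireEncryption": "tokens are issued unencrypted to relying parties",
    "requireSsl": "browser-delivered tokens may travel over plain HTTP",
    "requireReplyToWithinRealm": "replyTo may send tokens outside the realm",
    "allowKnownRealmsOnly": "tokens may be issued for unregistered realms",
}

def audit_policy(xml_text):
    """Return (attribute, value, risk) for every relaxed or missing switch."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "starterSTS":
        raise ValueError("not a starterSTS.config document")
    findings = []
    for attr, risk in EXPECTED_TRUE.items():
        value = root.get(attr, "").strip().lower()
        if value != "true":  # a missing attribute is reported, not assumed safe
            findings.append((attr, value or "<missing>", risk))
    return findings

def _origin(url):
    """(scheme, host, port) with the default port filled in for http/https."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

def reply_to_within_realm(realm, reply_to):
    """Hypothetical check (not the STS's own logic): same origin as the realm and
    a path equal to, or a sub-path of, the realm path on a segment boundary.
    A plain string-prefix test would accept app.example.com.evil.example."""
    if _origin(realm) != _origin(reply_to):
        return False
    base = urlsplit(realm).path.rstrip("/")
    path = urlsplit(reply_to).path
    return path == base or path.startswith(base + "/")

SAMPLE_CONFIG = """<starterSTS xmlns="http://www.thinktecture.com/configuration/startersts"
  siteName="demo" issuerUri="http://sample.thinktecture.com/trust"
  requireEncryption="false" requireSsl="true"
  requireReplyToWithinRealm="true" allowKnownRealmsOnly="false">
  <endpoints wsTrustMixed="true" />
</starterSTS>"""
```

Running audit_policy(SAMPLE_CONFIG) reports requireEncryption and allowKnownRealmsOnly as relaxed; the replyTo helper rejects a look-alike host, a sibling path and a scheme downgrade while accepting sub-paths of the realm.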
Endpoint configuration
- wsTrustMixed
  When set to true, the WS-Trust mixed mode endpoints are enabled:
  ~/users/issue.svc/mixed/username and ~/users/issue.svc/mixed/certificate (when enabled).
- wsTrustMessage
  When set to true, the WS-Trust message security endpoints are enabled:
  ~/users/issue.svc/message/username and ~/users/issue.svc/message/certificate (when enabled).
- wsFedMex
  When set to true, the STS publishes WS-Federation metadata at
  ~/FederationMetadata/2007-06/FederationMetadata.xml.
- simpleHttp
  Enables/disables a simple HTTP (REST) endpoint for requesting bearer tokens using a GET request:
  ~/users/httpIssue.svc.
- openIdBridge
  Enables/disables support for the OpenID to WS-Federation bridge:
  ~/openIdBridge.aspx.