login      my ps      about      contact  



home instructor-led on-demand! screencasts blogs technical staff


Security Briefs » Issuer vs. STS

Issuer vs. STS

Security Briefs

Pluralsight Blogs

Syndication

Recent Posts

Tags

View more

Keith's books

Misc

Recent Articles

Archives

I admit that in years past I've loosely used the term STS anywhere I was referring to an issuer. The ADFS Fed Server was an "STS", etc., until Vittorio caught me doing that in a talk and slapped some sense into me. An STS is an implementation of WS-Trust, he said. It's not even present in passive scenarios!


It was this comment that got me thinking, why the heck are we using the term "STS" anyway? Wouldn't it be simpler (and more accurate) to refer to a fed server as an "issuer"? I've since changed my approach and I find that people understand fed much easier when we stop using so much jargon. So I talk about issuers now, instead of STS. Because of all the existing literature out there, I still feel the need to explain what an STS is, but I point out that they can think "Issuer" whenever they see the term "STS" in existing literature.


I now think of "STS" as an ugly term that isn't universally applicable (think passive scenarios, think Java issuers that implement the SAML protocols, and not WS-Trust). I'm convinced that the term "Issuer" is more broadly applicable and that we should leave the term "STS" to the realm of protocol implementors (thank you, WIF team!)


Can I convince anyone writing articles to abandon the term STS and use "Issuer" instead?


Can I convince the WIF team to rename the SecurityTokenService class to something like TokenIssuer?


Will you join me in my effort?


Flame away!

Posted Jul 14 2009, 11:10 AM by keith-brown

Comments

Pedro Felix wrote re: Issuer vs. STS
on 07-17-2009 9:43 AM

My ideas regarding these issues are not yet stabilized. However:

1) I use the terms "Claims Provider" or "Claims transformer" when referring to abstract architectural elements.

2) I use the term "STS" when dealing with concrete systems that expose endpoints for the WS-Trust or the WS-Federation (passive requestors) (ch 13, the former "passive profile") protocols. Note that the term "STS" is not exclusive of the "active profile":

   a) The "Web (Passive) Requestors" chapter of WS-Federation uses the term "STS".

   b) The metadata elements for the "passive" endpoints also use the term "STS".

3) I also use "IP-STS" or "PDP-STS" to qualify the type of issued claims (identity claims vs. authorization claims). I really don't like the term "R-STS".

keith-brown wrote re: Issuer vs. STS
on 07-17-2009 9:59 AM

Yep, you're right about STS being mentioned in chap 13 of WS-Fed. I think I may have misunderstood Vittorio's comments, but having switched to using Issuer instead of STS I've found that's it's easier for people to understand.

STS is a protocol implementor's term, and I think it could be used in that context. But I still think of an STS as just one piece of the puzzle - it's technically the endpoint you talk to in order to get a token. But it doesn't address the logic, policy, and administration features of an issuer as a whole. So why do we keep referring to issuers (or claims providers, etc.) as STS?

I really do think we should abandon the term STS to protocol wonks.

Pedro Felix wrote re: Issuer vs. STS
on 07-17-2009 4:43 PM

1) Yes, I agree with you: event when the term STS is applicable (WS-* contexts), it is just one of the several parts that constitutes an "issuer".

2) However, I believe that in order to successfully design, implement, debug and deploy identity and access control systems, a certain degree of protocol "wonkiness" is necessary.

3) What do you prefer? Simply "issuer" or alternatives has "claims provider" or "claims transformer"?

keith-brown wrote re: Issuer vs. STS
on 07-17-2009 6:21 PM

For someone implementing an issuer, I can see how knowing all the details of the specs, jargon, etc. is helpful. And perhaps I'm arguing a small point, but I'm just hoping to make the barrier to entry for folks building claims-aware apps a little lower by not having them worry so much about protocol details.

That's what WIF is for - to abstract them from that stuff. What's important to me from a pedagogical standpoint is that my audience understands the relationship between the user requesting a token, the issuer of that token, and the app that receives it. The fact that they need to trust the issuer, etc.

And there's a great example. What sounds more natural to you, "Trust your issuer" or "Trust your STS"? Funny how the latter sounds like technical jargon that I can ignore. The former almost feels to me like it puts a human face on the issuer, and gets me thinking about trust between businesses, etc. Cause there's a lot more to this story than just the crypto. The technical stuff is the easy part, right?

A lot of this is gut feel, but I've been talking about Issuer now about as long as I have STS, and I feel tons better using Issuer when giving a talk.

So why don't I use "Claims Provider"? Issuer has less syllables. Seriously. It's less to get your head around. It even has less syllables than STS. And certainly less than Security Token Service. As a side benefit, it directly relates to properties on the resulting security context (Claim.Issuer) in the WIF abstraction layer. Which once again makes me wonder, if the client calls it Claim.Issuer, why does WIF make you derive from SecurityTokenService to supply your issuance policy? It's not very symmetric, is it? And I don't think anyone would buy into renaming Claim.Issuer to Claim.STS...

Note that I'm not in any way disparaging my audience with my "less syllables" argument. I just figure why put up more mental hurdles for a topic that is already a little mind bending to many who are new to this space.


home instructor-led training online training blogs

781.749.9238 (East Coast) | 310.251.9901 (West Coast) | Pluralsight, LLC , 185 Lincoln St., Suite 305, Hingham, MA 02043-1741

Copyright © 2008 Pluralsight LLC. All rights reserved.

designed by nukeation