3.2.5.6 Server-to-Server Validation Criteria

The server accepts a server-to-server security token that meets the following criteria:

  • The server-to-server security token is signed with a trusted signing certificate from an STS that the server trusts.

  • The server-to-server security token contains an iss claim whose value shows that the security token is issued by an STS that the server trusts.

  • The server-to-server security token contains a nameid claim with the UPN value of the logged-on user.

  • If the client constructs an unsigned outer security token to contain user information as well as a signed actor token (that is, an inner token), as described in section 4.3 and section 4.4, the value of the iss claim in the outer token matches the value of the nameid claim in the inner token. The server performs a case-sensitive comparison.

  • The server-to-server security token contains an aud claim whose value meets the following criteria:

    • The aud claim value MUST contain three parts: client_id, hostname, and realm.

    • The value of the client_id part is the security principal identifier of a security principal that the server trusts. The server performs a case-sensitive comparison.

    • The value of the hostname part is the host name of the server. The server performs a case-insensitive comparison to verify that it is the target of the request.

    • The value of the realm part is the source realm. The server performs a case-sensitive comparison.

The server uses the claims in the server-to-server security token to authenticate the caller.
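The checks above, carried through as a validator in Python. This is an added example, not code from the specification or from any implementation of it, and it makes several assumptions that the text does not state: the aud claim is taken to be formatted as client_id/hostname@realm, the outer unsigned token is taken to carry the signed actor token in a claim named actortoken, and an HMAC key keyed by the x5t header stands in for the STS signing certificate so the example runs offline (a real server verifies the certificate signature, typically RS256, against a trusted signing certificate). All identifiers, hostnames and keys are constructed. Every comparison follows the case rule the text gives for that claim, and the nameid is taken from the outer token when the outer/inner construction is used.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Trust configuration of the receiving server (all values constructed).
SERVER_HOSTNAME = "App.Contoso.Example"
SOURCE_REALM = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
STS_ISSUER = "00000001-0000-0000-c000-000000000000@" + SOURCE_REALM
CLIENT_ID = "00000003-0000-0ff1-ce00-000000000000"
TRUSTED_ISSUERS = {STS_ISSUER}
TRUSTED_CLIENT_IDS = {CLIENT_ID}
# HMAC keys keyed by x5t stand in for trusted STS signing certificates (assumption).
TRUSTED_SIGNING_KEYS = {"thumb-sts-1": b"constructed-stand-in-key"}
GOOD_AUD = f"{CLIENT_ID}/app.contoso.example@{SOURCE_REALM}"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_token(claims: dict, x5t: Optional[str] = None, key: Optional[bytes] = None) -> str:
    """Compact JWT: HS256-signed when a key is given (stand-in for the STS
    certificate signature), otherwise an unsigned 'alg: none' outer token."""
    if key is None:
        return ".".join((_segment({"alg": "none", "typ": "JWT"}), _segment(claims), ""))
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT', 'x5t': x5t})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def parse_token(token: str):
    """Return (header, claims, signing_input, signature) of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    return (json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1])),
            f"{parts[0]}.{parts[1]}", parts[2])


def signature_is_trusted(token: str) -> bool:
    """Criterion 1: signed by a key/certificate the server trusts. 'none' never counts."""
    header, _, signing_input, signature = parse_token(token)
    key = TRUSTED_SIGNING_KEYS.get(header.get("x5t"))
    if header.get("alg") != "HS256" or key is None or not signature:
        return False
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(signature))


def parse_aud(aud) -> tuple:
    """Split aud into (client_id, hostname, realm); format client_id/hostname@realm is assumed."""
    if not isinstance(aud, str) or "@" not in aud or "/" not in aud:
        raise ValueError("aud must contain client_id, hostname and realm")
    principal, realm = aud.rsplit("@", 1)
    client_id, hostname = principal.split("/", 1)
    if not (client_id and hostname and realm):
        raise ValueError("aud parts must be non-empty")
    return client_id, hostname, realm


def validate_s2s_token(token: str) -> tuple:
    """Apply the server-to-server validation criteria; returns (accepted, reason)."""
    header, outer, _, _ = parse_token(token)
    signed = token
    if header.get("alg") == "none":
        # Unsigned outer token with user info plus a signed actor (inner) token.
        inner_token = outer.get("actortoken")          # claim name assumed
        if not inner_token:
            return False, "unsigned token without actor token"
        if not signature_is_trusted(inner_token):
            return False, "actor token signature not trusted"
        _, inner, _, _ = parse_token(inner_token)
        if outer.get("iss") != inner.get("nameid"):     # case-sensitive
            return False, "outer iss does not match actor nameid"
        signed = inner_token
    elif not signature_is_trusted(token):
        return False, "signature not trusted"
    _, claims, _, _ = parse_token(signed)
    if claims.get("iss") not in TRUSTED_ISSUERS:         # trusted STS only
        return False, "issuer not trusted"
    if not outer.get("nameid"):                          # UPN of the logged-on user
        return False, "missing nameid (UPN) claim"
    try:
        client_id, hostname, realm = parse_aud(claims.get("aud"))
    except ValueError as exc:
        return False, f"bad aud: {exc}"
    if client_id not in TRUSTED_CLIENT_IDS:              # case-sensitive
        return False, "aud client_id not trusted"
    if hostname.lower() != SERVER_HOSTNAME.lower():      # case-insensitive
        return False, "aud hostname is not this server"
    if realm != SOURCE_REALM:                            # case-sensitive
        return False, "aud realm mismatch"
    return True, "accepted"


def sample_tokens() -> dict:
    """Constructed tokens exercising the accept path and several rejection paths."""
    key = TRUSTED_SIGNING_KEYS["thumb-sts-1"]
    user = {"iss": STS_ISSUER, "nameid": "alice@contoso.example", "aud": GOOD_AUD}
    actor = mint_token({"iss": STS_ISSUER, "nameid": CLIENT_ID, "aud": GOOD_AUD}, "thumb-sts-1", key)
    outer = {"iss": CLIENT_ID, "nameid": "alice@contoso.example", "aud": GOOD_AUD, "actortoken": actor}
    return {
        "good": mint_token(user, "thumb-sts-1", key),
        "nested": mint_token(outer),
        "nested_case_mismatch": mint_token({**outer, "iss": CLIENT_ID.upper()}),
        "wrong_realm": mint_token({**user, "aud": f"{CLIENT_ID}/app.contoso.example@other-realm"},
                                  "thumb-sts-1", key),
        "forged": mint_token(user, "thumb-sts-1", b"attacker-key"),
        "unsigned_alone": mint_token(user),
    }
```

The order of the checks matters in practice: signature trust is established before any claim is read, so an unsigned token can never satisfy the iss or aud tests merely by carrying the right strings, and the outer token is only consulted for user identity after the actor token's signature has been verified.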