3.2.5.1 Authentication Within a Single Organization

The following procedure shows the authentication that takes place when a client makes a call to a server in the same organization using these extensions.

  1. The organization's IT administrator sets up an STS and configures it with the security principal identifiers for the client and server. The client and server each exchange public keys, carried in X.509 certificates, with the STS. The administrator also configures the client and server to trust security tokens issued by the STS.

  2. The client makes an anonymous request to the server.

  3. The server responds with an HTTP 401 challenge. HTTP 401 is specified in [RFC2616] and [RFC2617].

  4. The client requests a security token from the STS. It does this by sending a self-issued security token that is signed with its private key. The security token contains the aud, iss, nameid, nbf, exp, and trustedfordelegation claims as specified in section 2.2. The client request also includes a resource parameter and a realm parameter, as specified in [MS-OAUTH2EX]. The value of the resource parameter is the Uniform Resource Identifier (URI) of the server. For an example of a self-issued security token, see section 4.2.

  5. The STS verifies the signature on the self-issued security token using the public key that the client registered with it in step 1, verifies that the client is authorized to access the requested resource, and responds to the client with a server-to-server security token that is signed with the STS's private key; the server trusts the corresponding STS public key. The security token contains the aud, iss, nameid, nbf, exp, and identityprovider claims, as specified in section 2.2. For an example of a server-to-server security token issued by an STS, see section 4.1.

  6. The client sends the server-to-server security token to the server.

  7. The server validates the server-to-server security token by verifying its signature with the public key of the STS and by checking the values of the aud, iss, and exp claims (the token must be addressed to this server, issued by the trusted STS, and not yet expired). It performs additional validation checks to ensure that the client is authorized to access the requested resource. It then responds to the client with the requested resource.
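The seven steps above, carried end to end as an added example; this is not code from the specification or from any Microsoft implementation. An STS, a client and a server are stood up in one process, the client's self-issued token is verified and exchanged for a server-to-server token, and the server validates that token under the STS key. Everything not named on this page is an assumption: the identifiers sts.contoso.example, app@contoso.example and https://server.contoso.example/, the compact RS256 JWS encoding, the claim value types, the token lifetimes, and the policy shape behind the authorization checks. The realm parameter of step 4 and the HTTP 401 exchange of steps 2 and 3 are not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct { // claim names from section 2.2; the value types are assumed
	Aud                  string `json:"aud"`
	Iss                  string `json:"iss"`
	NameID               string `json:"nameid"`
	Nbf                  int64  `json:"nbf"`
	Exp                  int64  `json:"exp"`
	TrustedForDelegation string `json:"trustedfordelegation,omitempty"`
	IdentityProvider     string `json:"identityprovider,omitempty"`
}

// Constructed identifiers for the STS, the client principal and the server's resource URI.
const stsID, clientID, serverURI = "sts.contoso.example", "app@contoso.example", "https://server.contoso.example/"
var enc = base64.RawURLEncoding

// sign emits a compact RS256 JWS; the wire format is an assumption, the page names only the claims.
func sign(c Claims, priv *rsa.PrivateKey) string {
	body, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]) // fails only for a malformed key
	return input + "." + enc.EncodeToString(sig)
}

// Party is the STS's or the server's step-1 configuration: which issuers it trusts and which
// principals may reach which resource URIs (the policy shape is an assumption).
type Party struct {
	trusted map[string]*rsa.PublicKey  // iss -> registered public key
	allowed map[string]map[string]bool // nameid -> resource URI -> permitted
}

// verify is the check both the STS (step 5) and the server (step 7) run: signature under the key
// registered for iss, aud, the [nbf, exp) window, then authorization. The payload is decoded before
// the signature is checked, so nothing in it may be trusted until every case below has passed.
func (p *Party) verify(tok, aud, resource string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	body, err1 := enc.DecodeString(parts[1])
	sig, err2 := enc.DecodeString(parts[2])
	if err3 := json.Unmarshal(body, &c); err1 != nil || err2 != nil || err3 != nil {
		return Claims{}, fmt.Errorf("token is not a decodable JWS")
	}
	pub, ok := p.trusted[c.Iss]
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch t := now.Unix(); {
	case !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil:
		return Claims{}, fmt.Errorf("token is not signed by the key registered for issuer %q", c.Iss)
	case c.Aud != aud:
		return Claims{}, fmt.Errorf("audience %q is not %q", c.Aud, aud)
	case t < c.Nbf || t >= c.Exp:
		return Claims{}, fmt.Errorf("token outside its nbf/exp window")
	case !p.allowed[c.NameID][resource]:
		return Claims{}, fmt.Errorf("%s is not authorized for %s", c.NameID, resource)
	}
	return c, nil
}

// setup is step 1; fresh RSA keys stand in for the exchanged X.509 certificates.
func setup() (clientKey, stsKey *rsa.PrivateKey, sts, srv *Party) {
	clientKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	stsKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	policy := map[string]map[string]bool{clientID: {serverURI: true}}
	sts = &Party{trusted: map[string]*rsa.PublicKey{clientID: &clientKey.PublicKey}, allowed: policy}
	srv = &Party{trusted: map[string]*rsa.PublicKey{stsID: &stsKey.PublicKey}, allowed: policy}
	return
}

// flow runs steps 4 to 7 and returns the claims the server accepted.
func flow(clientKey, stsKey *rsa.PrivateKey, sts, srv *Party, now time.Time) (Claims, error) {
	// Step 4: the client signs a self-issued token and sends it with resource=serverURI.
	self := sign(Claims{Aud: stsID, Iss: clientID, NameID: clientID, Nbf: now.Unix(),
		Exp: now.Add(5 * time.Minute).Unix(), TrustedForDelegation: "false"}, clientKey)
	// Step 5: the STS verifies it under the client's registered key, checks the policy, and
	// mints the server-to-server token under the STS key, addressed to the resource.
	c, err := sts.verify(self, stsID, serverURI, now)
	if err != nil {
		return Claims{}, err
	}
	s2s := sign(Claims{Aud: serverURI, Iss: stsID, NameID: c.NameID, Nbf: now.Unix(),
		Exp: now.Add(10 * time.Minute).Unix(), IdentityProvider: stsID}, stsKey)
	// Steps 6 and 7: the client presents the token; the server accepts it only under the STS key.
	return srv.verify(s2s, serverURI, serverURI, now)
}
```

A caller runs `setup` once and then `flow` per request. Two points in `verify` are the ones worth checking in any real implementation of steps 5 and 7: the payload is decoded to learn which registered key applies before the signature is checked, so every claim stays untrusted until the whole switch has passed; and the server's trusted map holds only the STS key, so a token the client signs itself, even with the correct aud, iss and exp values, is rejected in step 7.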
