There are two kinds of STS: an Identity Provider STS (IP-STS) and a Relying Party STS (RP-STS).

  • An IP-STS authenticates a client using, for example, Windows integrated authentication. It creates a SAML token based on the claims provided by the client, and might add its own claims. A Relying Party application (RP) receives the SAML token and uses the claims inside to decide whether to grant the client access to the requested resource.

  • An RP-STS does not authenticate the client, but relies on a SAML token provided by an IP-STS that it trusts. Typically, an IP-STS is found in the client’s domain, whereas an RP-STS is found in the RP’s domain. This is shown in the following diagram.