The following diagram shows the sequence of events in which an STS issues a security token.
- The STS receives a request for a security token (RST), which it validates in ValidateRequest.
- The STS calls GetScope. This method takes the caller's IClaimsPrincipal and the incoming RST and returns the configuration for the token issuance request, which is represented by the Scope class. This is one of the methods you must implement to create your own STS. In this method, you can normalize the relying party's address and choose signing and encryption keys. Typically, security tokens are encrypted so that only the relying party can read them. For more information, see Building an STS.
- The STS passes the Scope instance to CreateSecurityTokenDescriptor to create an instance of SecurityTokenDescriptor.
- The STS calls GetSecurityTokenHandler and gets a SecurityTokenHandler based on the token type and the SecurityTokenServiceConfiguration. For more information, see Token Handler Configuration.
- The STS calls GetIssuerName to get the name of the token issuer.
- The STS calls GetTokenLifetime to get the lifetime of the token, passing in a requested lifetime. It typically requests a lifetime based on the lifetime specified in the RST.
- The STS calls GetProofToken, passing in the RST and the Scope instance obtained earlier.
- The STS calls GetOutputClaimsIdentity. This method takes the caller's IClaimsPrincipal, the incoming RST, and the Scope object returned from GetScope, and returns the IClaimsIdentity to be included in the issued token. This is one of the methods you must implement to create your own STS. This lets you decide which claims are included in the token. For more information, see Building an STS.
- The STS calls GetDisplayToken, passing in the requested language and the IClaimsIdentity obtained from GetOutputClaimsIdentity.
- The STS calls GetResponse, in which it creates the Response to Security Token Request (RSTR) based on the SecurityTokenDescriptor created earlier.