We value your privacy

We use cookies to enhance your browsing experience and analyze traffic anonymously for internal statistical purposes. By clicking “Accept all,” you consent to the use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site.... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

  • Cookie
    cookieyes-consent
  • Duration
    1 year
  • Description

    CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about site visitors.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

  • Cookie
    language
  • Duration
    1 anno
  • Description

    This cookie is used to store the user's language preference.

  • Cookie
    post_viewed_
  • Duration
    1 ora
  • Description

    This cookie prevents a single visit to an article from being counted multiple times when the page is refreshed.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

  • Cookie
    _ga_*
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to count visitors to the page

  • Cookie
    _ga
  • Duration
    1 anno 1 mese 4 giorni
  • Description

    Google Analytics sets this cookie to calculate visitor, session, and campaign data and track site usage for site analytic reporting. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Guides

Security Token Service (STS): what it is, how it works and benefits 

Let's find out what the Security Token Service (STS) is, how it works and what advantages it offers compared to other traditional methods

How a Security Token Service works

1 April 2025

Table of contents

  • How a Security Token Service works 
  • Benefits of using a Security Token Service (STS) 
  • Challenges and best practices for managing an STS 
  • Comparison of STS and other authentication systems 

A Security Token Service (STS) is a service that generates, validates, and manages security tokens used for authentication and authorization in digital applications and systems.

This mechanism centralizes credential management, enhancing security and enabling users to access multiple services with a single digital identity. 

Traditional authentication methods relying on usernames and passwords have significant limitations, such as vulnerability to phishing attacks and inefficient credential management.

An STS provides a more secure alternative by issuing temporary tokens, reducing credential theft risks, and improving user experience through Single Sign-On (SSO) and identity federation. 

How a Security Token Service works 

A Security Token Service (STS) acts as a trusted intermediary between a user (or application) and a protected service. It manages authentication and authorization by issuing security tokens that certify the user’s identity and permissions. 

STS Authentication flow 

Authentication Request 
A user or application tries to access a protected resource, such as a corporate app or a cloud API. 

Credential Verification 
The STS authenticates the user using one of the following methods: 

  • Username and password;
  • Digital certificates;
  • Multi-Factor Authentication (MFA);
  • Federated identity provider authentication (e.g., Google, Microsoft, Okta). 

Token issuance
Upon successful authentication, the STS generates a security token that includes: 

  • User identity (e.g., email or unique ID);
  • Access permissions;
  • Token expiration time;
  • Cryptographic signature to ensure integrity.

Access to the resource
The user presents the token to the requested service (e.g., a web app, database, or API). The service verifies the token and grants access if valid. 

Example 1: accessing Microsoft 365 with Azure AD STS 

A corporate user wants to log into Microsoft 365 with their work account: 

  • The user opens Outlook Web App and enters their corporate email; 
  • The browser redirects the user to Azure AD STS, which asks for a password;
  • After authentication, Azure AD STS issues a SAML or OAuth 2.0 token;
  • Outlook verifies the token and grants access without asking for credentials again. 

This enables Single Sign-On (SSO): If the user later accesses Teams or SharePoint, they won’t need to log in again. 

Example 2: temporary API access with AWS STS 

An AWS Lambda application needs to access an Amazon DynamoDB database, but without using static credentials: 

  • The app requests a temporary token from AWS Security Token Service (STS);
  • AWS STS verifies the application’s identity and generates temporary credentials with restricted permissions;
  • The app uses the token to query the DynamoDB database;
  • DynamoDB verifies the token with AWS STS and grants access. 

This method reduces the risk of credential exposure, enhancing security. 

Key takeaways 

  • A Security Token Service (STS) authenticates users and issues security tokens for secure access to digital resources;
  • Tokens contain encrypted information about the user’s identity and permissions;
  • STS solutions like Azure AD, AWS STS, and Okta support industry standards such as OAuth 2.0, SAML, and OpenID Connect;
  • Implementing an STS enhances security, compliance, and user experience by enabling federated authentication and Single Sign-On (SSO)

Supported authentication protocols 

A Security Token Service supports widely used authentication protocols to ensure interoperability between different systems: 

  • OAuth 2.0
    Used for authentication and API access without exposing user credentials. 
  • SAML (Security Assertion Markup Language)
    Common in enterprises for federated authentication and Single Sign-On (SSO). 
  • OpenID Connect (OIDC)
    Built on OAuth 2.0, allowing authentication through external identity providers like Google or Microsoft. 

Benefits of using a Security Token Service (STS) 

A Security Token Service (STS) enhances security, authentication, and access management across cloud and on-premise environments. STS improves credential protection, simplifies authentication, and enables better auditing. 

Enhanced credential security 

  • How it works
    STS-generated tokens have a limited lifespan and can be revoked, reducing the risk of unauthorized access. Unlike static passwords, tokens are temporary and encrypted. 

Example: secure access with AWS STS

  • An AWS administrator uses AWS Security Token Service (STS) to grant temporary credentials to users. 
  • If a token is compromised, it automatically expires in 15 minutes (or a configured duration). 
  • Unlike a static password, an attacker cannot reuse the token after expiration

Federated access and Single Sign-On (SSO) 

  • How it works
    With Single Sign-On (SSO), users authenticate once and gain access to multiple services without re-entering credentials. This reduces password fatigue and improves user experience

Example: logging into Microsoft 365 with Azure AD STS 

  • A corporate user logs into Azure Active Directory (AD) with their credentials. 
  • Azure AD STS issues a SAML token, allowing automatic access to Teams, Outlook, SharePoint, and Microsoft 365 apps
  • The user does not need to re-enter their password, improving productivity and security

Easy integration with Cloud and hybrid environments 

  • How it works 
    Many STS providers support on-premises and Cloud environments, allowing seamless integration between legacy enterprise applications and cloud services such as AWS, Azure, and Google Cloud

Example: integrating an on-premise CRM with Google Cloud 

  • A company runs an on-premise CRM and wants to integrate it with Google Workspace
  • With Google Cloud Identity-Aware Proxy (IAP), users authenticate using their corporate credentials and receive an OAuth 2.0 token for both the CRM and Google services. 
  • This eliminates the need for separate accounts, simplifying security management. 

Reduced phishing risk 

  • How it works
    Authentication tokens eliminate the need to continuously enter credentials, reducing the effectiveness of phishing attempts. Without a fixed password, an attacker cannot steal user credentials.

Example: secure API access with Okta STS 

  • A mobile app authenticates users via Okta STS
  • After login, Okta generates a JWT (JSON Web Token) used to access APIs. 
  • Even if an attacker intercepts the API request, the short-lived token prevents unauthorized reuse. 

Better control and auditing 

  • How it works
    STS allows organizations to track and log authentication events, ensuring compliance with GDPR, ISO 27001, and SOC 2 security regulations

Example: token auditing with Active Directory Federation Services (ADFS) 

  • A company uses ADFS to manage employee authentication. 
  • The security team monitors all issued tokens, tracks access attempts, and detects suspicious activity. 
  • If an employee logs in from an unauthorized country, the company can block the token and trigger a security alert

Modern cloud platforms offer STS to provide secure authentication and identity management. Let’s look at the most widely used solutions, with practical examples and code.

Microsoft Active Directory Federation Services (ADFS) 

  • Overview 
    ADFS (Active Directory Federation Services) enables federated authentication between different systems using SAML 2.0 and OAuth 2.0. It is widely used in enterprises for securing access to Microsoft 365, internal applications, and cloud services

Example: implementing ADFS for Single Sign-On (SSO) with SAML 

A company wants to configure ADFS so that employees authenticate once and gain access to multiple corporate applications. 

Configuring a Relying Party Trust in ADFS:

  • Open the ADFS Management console;
  • Add a new Relying Party Trust;
  • Configure the identity provider and SAML certificate;
  • Define authentication rules.

Example of a SAML authentication request sent to ADFS 

xml 

<samlp:AuthnRequest  

    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 

    ID="_123456" 

    Version="2.0" 

    IssueInstant="2024-03-10T12:00:00Z" 

    Destination="https://adfs.example.com/adfs/ls/" 

    AssertionConsumerServiceURL="https://app.example.com/sso/consume"> 

    <saml:Issuer>https://app.example.com</saml:Issuer> 

</samlp:AuthnRequest>

Answer of SAML Response from ADFS 

xml 

<samlp:Response  

    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 

    ID="_response123" 

    InResponseTo="_123456" 

    Version="2.0"> 

    <saml:Assertion> 

        <saml:Subject> 

            <saml:NameID>user@example.com</saml:NameID> 

        </saml:Subject> 

        <saml:AttributeStatement> 

            <saml:Attribute Name="Role"> 

                <saml:AttributeValue>Admin</saml:AttributeValue> 

            </saml:Attribute> 

        </saml:AttributeStatement> 

    </saml:Assertion> 

</samlp:Response>
Secure authentication management in cloud and on-premise environments

AWS Security Token Service (AWS STS) 

  • Overview
    AWS STS allows you to generate temporary credentials for securely accessing AWS resources. This is useful for implementing restricted access to AWS resources without exposing static credentials. 

Example: generating temporary credentials for an AWS Lambda application 

An AWS Lambda function needs to access S3 without using hardcoded credentials. 

Python code to get a temporary token from AWS STS:

python 

import boto3 

# Create the STS client 

sts_client = boto3.client('sts') 

# Request temporary credentials 

response = sts_client.assume_role( 

    RoleArn="arn:aws:iam::123456789012:role/MyRole", 

    RoleSessionName="MySession" 

) 

# Extract credentials 

credentials = response['Credentials'] 

print("Access Key:", credentials['AccessKeyId']) 

print("Secret Key:", credentials['SecretAccessKey']) 

print("Session Token:", credentials['SessionToken'])

The token expires after one hour, improving security over static credentials. 

Azure Active Directory STS 

  • Overview 
    Azure AD STS provides authentication for cloud and on-premise applications, supporting OAuth 2.0 and OpenID Connect. It is commonly used for Microsoft 365 and Azure services

Example: authenticating with OAuth 2.0 on Azure AD 

An application must authenticate with Azure AD and obtain an access token to call Microsoft Graph API

Requesting an access token using curl:

bash 

curl -X POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token \ 

    -H "Content-Type: application/x-www-form-urlencoded" \ 

    -d "client_id={client_id}" \ 

    -d "client_secret={client_secret}" \ 

    -d "scope=https://graph.microsoft.com/.default" \ 

    -d "grant_type=client_credentials"

Response with JWT token;

json 

{ 

  "access_token": "eyJhbGciOiJIUzI1NiIs...", 

  "expires_in": 3600, 

  "token_type": "Bearer" 

}

The app can now use this token to access Microsoft Graph API. 

Okta STS 

  • Overview 
    Okta STS is a cloud-based identity management service that supports OAuth 2.0 and OpenID Connect. It integrates with enterprise applications and SaaS platforms

Example: logging in with OpenID Connect in a web application 

A web application uses Okta to authenticate users with OAuth 2.0

Configuring the OpenID Connect authentication request:

html 

<a href="https://your-okta-domain.com/oauth2/default/v1/authorize? 

    client_id=your_client_id& 

    response_type=code& 

    scope=openid profile email& 

    redirect_uri=https://yourapp.com/callback"> 

    Login with Okta 

</a>

The user is redirected to Okta, authenticated, and receives a JWT token. 

Google Cloud Identity-Aware Proxy (IAP) 

  • Overview
    Google Cloud IAP secures access to applications hosted on Google Cloud Platform (GCP) and verifies user identity with OAuth 2.0

Example: verifying an IAP access token in a Node.js application 

javascript 

const {OAuth2Client} = require('google-auth-library'); 

const client = new OAuth2Client(); 

async function verifyToken(token) { 

    const ticket = await client.verifyIdToken({ 

        idToken: token, 

        audience: "your-client-id.apps.googleusercontent.com" 

    }); 

    const payload = ticket.getPayload(); 

    console.log("User email:", payload.email);

}

The app ensures only authenticated users with valid tokens can access resources. 

Challenges and best practices for managing an STS 

  • Scalability and session management 
    An STS must be designed to handle high authentication request volumes without affecting performance. 
  • Secure token configuration 
    Using strong signing keys and defining short expiration times for tokens prevents security abuses. 
  • Continuous monitoring and auditing 
    Implementing logging and analytics helps detect suspicious behavior and potential security breaches. 
  • Keeping security standards up to date 
    It’s essential to adopt the latest versions of OAuth, SAML, and OpenID Connect to avoid vulnerabilities. 

Comparison of STS and other authentication systems 

Feature Security Token Service (STS) Identity Provider (IdP) API Gateway 
Main Purpose Issuing and managing authentication tokens Identity management and authentication API security and request handling 
Supported Protocols OAuth, SAML, OpenID Connect SAML, LDAP, OAuth OAuth, JWT 
Primary Use Case Federated access and SSO Centralized user authentication API security and request routing 

To conclude

A Security Token Service (STS) plays a crucial role in managing secure authentication and authorization for cloud and on-premises environments.

By leveraging standard authentication protocols and integrating with identity providers, an STS enables centralized access management while enhancing security and user experience. 

Questions and answers

  1. What is a Security Token Service (STS), and what does it do? 
    It is a service that issues authentication tokens, allowing secure access to digital resources. 
  1. Which authentication protocols does an STS support? 
    OAuth 2.0, SAML, and OpenID Connect are the most common. 
  1. What are the benefits of using an STS over passwords? 
    It reduces credential theft risks and enables Single Sign-On (SSO). 
  1. How does authentication with an STS work? 
    The STS verifies credentials and generates a token that is used to access the requested services. 
  1. Can an STS be used for Multi-Factor Authentication (MFA)? 
    Yes, many STS solutions support integration with MFA systems. 
  1. Which companies provide STS solutions? 
    Microsoft, AWS, Google, Okta, and other tech companies. 
  1. How can an STS be protected against cyberattacks? 
    By implementing strong encryption, logging, and access monitoring. 
  1. What is the difference between an STS and an Identity Provider (IdP)? 
    An STS issues tokens, while an IdP manages user identities. 
  1. Can an STS be used in on-premises environments? 
    Yes, it can integrate with both local and cloud-based systems. 
  1. What are the best practices for configuring and managing an STS? 
    Secure token expiration, implement logging, and use Multi-Factor Authentication (MFA). 
7
To top