STS Scenario with Symmetric Key for Message Protection (Signature, Encryption, and Authentication) 
In this scenario, the STS and the WS consumer negotiate a symmetric key, which is used to sign (message signature) and encrypt the messages exchanged between the WS consumer and the WS provider. With its message signature, the WS consumer proves that it is in possession of the key that the STS signed into the SAML assertion (Holder-of-Key).

The figure shows the steps that take place in this scenario:

1. The user of the WS consumer authenticates with the Security Token Service (STS), for example with a Kerberos token, and the STS exchanges this for a security token (SAML token). The WS consumer can contribute key material to the creation of the short-lived symmetric key.
2. The STS generates a short-lived symmetric key and encrypts it with the public key of the WS provider. The STS inserts this encrypted key, together with the security token, into the SAML assertion and signs the SAML assertion with its signature key.
3. The STS issues the SAML assertion as a SAML token and sends it to the WS consumer, together with the STS's own key material for generating the short-lived symmetric key.
4. The WS consumer generates the short-lived symmetric key from its own key material and the key material received from the STS.
5. The WS consumer places the SAML token, unchanged, in the message header, encrypts the message text and signs the message with the generated short-lived symmetric key, and then sends the user's message to the WS provider.
6. The WS provider checks the STS signature on the SAML token and uses its private key to decrypt the short-lived symmetric key contained in the token. It then verifies the WS consumer's signature (the Holder-of-Key proof) with the decrypted short-lived symmetric key. In this way, the STS's signed assertion confirms that the Holder-of-Key is the subject (the user) named in the assertion. The WS provider uses the short-lived symmetric key to decrypt the message text.
7. The WS provider allows the user whose ID is contained in the SAML token to access the resources.
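The key negotiation and message protection described in these steps, as an added example in Go that is not part of this documentation or of any SAP product. The STS, WS consumer and WS provider are modelled as functions in one program; the "SAML assertion" is a constructed struct rather than SAML XML; the combined key derivation uses the first output block of the WS-Trust P_hash function with SHA-256 assumed in place of the P_SHA1 the specification names; RSA-OAEP stands in for XML Encryption key wrapping, RSA-PSS for the STS's XML signature, an HMAC under the short-lived key for the consumer's message signature, and AES-GCM for the encrypted body. The names IssueToken, ProtectMessage, VerifyAndDecrypt, computedKey and RunScenario are this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Assertion is a minimal, constructed stand-in for the SAML assertion the STS issues.
type Assertion struct {
	Subject                 string
	EncryptedKey, Signature []byte // key encrypted for the WS provider; STS signature over both fields
}
// Message is what the WS consumer sends: unchanged token, encrypted body, Holder-of-Key MAC.
type Message struct {
	Token            Assertion
	Nonce, Body, MAC []byte
}

// computedKey is the first 32-byte block of WS-Trust P_hash(secret = consumer entropy, seed = STS
// entropy); WS-Trust names P_SHA1, this example assumes SHA-256 as the underlying hash instead.
func computedKey(consumerEntropy, stsEntropy []byte) []byte {
	a := hmac.New(sha256.New, consumerEntropy) // A(1) = HMAC(secret, seed)
	a.Write(stsEntropy)
	m := hmac.New(sha256.New, consumerEntropy) // key = HMAC(secret, A(1) || seed)
	m.Write(append(a.Sum(nil), stsEntropy...))
	return m.Sum(nil)
}

// signedBytes are the fields the STS signs; hex cannot contain '|', so the encoding is unambiguous.
func signedBytes(a Assertion) []byte { return []byte(fmt.Sprintf("%s|%x", a.Subject, a.EncryptedKey)) }
// hokMAC is the consumer's message signature under the short-lived key, over token, nonce and body.
func hokMAC(key []byte, tok Assertion, nonce, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(append(append(signedBytes(tok), nonce...), body...))
	return m.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD { // 32-byte key, so AES-256-GCM
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// IssueToken (steps 2 and 3): derive the key from both entropies, encrypt it for the provider, sign.
func IssueToken(stsKey *rsa.PrivateKey, providerPub *rsa.PublicKey, subject string, consumerEntropy []byte) (Assertion, []byte, error) {
	stsEntropy := make([]byte, 16)
	rand.Read(stsEntropy)
	key := computedKey(consumerEntropy, stsEntropy)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, providerPub, key, nil)
	if err != nil {
		return Assertion{}, nil, err
	}
	a := Assertion{Subject: subject, EncryptedKey: wrapped}
	digest := sha256.Sum256(signedBytes(a))
	a.Signature, err = rsa.SignPSS(rand.Reader, stsKey, crypto.SHA256, digest[:], nil)
	return a, stsEntropy, err
}

// ProtectMessage (step 5): the consumer encrypts the body and signs the message with the derived key.
func ProtectMessage(tok Assertion, key, plaintext []byte) Message {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	body := gcmFor(key).Seal(nil, nonce, plaintext, nil)
	return Message{Token: tok, Nonce: nonce, Body: body, MAC: hokMAC(key, tok, nonce, body)}
}

// VerifyAndDecrypt (steps 6 and 7): STS signature, then key decryption, then Holder-of-Key proof, then body.
func VerifyAndDecrypt(providerKey *rsa.PrivateKey, stsPub *rsa.PublicKey, msg Message) (string, []byte, error) {
	digest := sha256.Sum256(signedBytes(msg.Token))
	if err := rsa.VerifyPSS(stsPub, crypto.SHA256, digest[:], msg.Token.Signature, nil); err != nil {
		return "", nil, fmt.Errorf("STS signature on the token is invalid: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, providerKey, msg.Token.EncryptedKey, nil)
	if err != nil {
		return "", nil, err
	}
	if !hmac.Equal(hokMAC(key, msg.Token, msg.Nonce, msg.Body), msg.MAC) {
		return "", nil, fmt.Errorf("sender does not hold the key bound to the token")
	}
	plain, err := gcmFor(key).Open(nil, msg.Nonce, msg.Body, nil)
	if err != nil {
		return "", nil, err
	}
	return msg.Token.Subject, plain, nil // only now is the subject released for authorization
}

// RunScenario runs steps 1 to 7 for one message; returns the subject and body the provider accepted.
func RunScenario(user string, plaintext []byte) (string, []byte, error) {
	stsKey, _ := rsa.GenerateKey(rand.Reader, 2048)      // STS signature key pair
	providerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // WS provider key pair
	consumerEntropy := make([]byte, 16)                  // step 1: the consumer's key material
	rand.Read(consumerEntropy)
	tok, stsEntropy, err := IssueToken(stsKey, &providerKey.PublicKey, user, consumerEntropy)
	if err != nil {
		return "", nil, err
	}
	key := computedKey(consumerEntropy, stsEntropy) // step 4: consumer derives the same key
	return VerifyAndDecrypt(providerKey, &stsKey.PublicKey, ProtectMessage(tok, key, plaintext))
}

func main() {
	subject, body, err := RunScenario("alice@example.org", []byte("constructed request body"))
	fmt.Printf("%s %s %v\n", subject, body, err)
}
```

The provider's checks run in the same order as steps 6 and 7: the STS signature is verified before the encrypted key is trusted, the Holder-of-Key proof before the body is decrypted, and the subject is returned only after both succeed, so a message from a party that did not take part in the key negotiation, or a token whose subject was altered after signing, is rejected before any of its content is used. Real WS-SecurityPolicy deployments derive separate signing and encryption keys from the negotiated key; this example uses a single key for both, as the steps describe.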