With this scenario, the WS consumer generates a (nonpersistent) public and private key pair at runtime. The private key of this key pair is used to create an endorsing signature for messages between the WS consumer and the WS provider. With this endorsing signature, the WS consumer proves that it is in possession of the private key belonging to the public key that the STS signed. The STS only issues the token containing this signed public key if the user's authentication with the STS was successful. With this form of Single Sign-On, the STS performs the user's logon to the WS provider.
The private key of the public and private key pair is not used to encrypt messages between the WS consumer and the WS provider.
The figure shows the steps that take place with this scenario:
The WS consumer generates a new, nonpersistent public and private key pair.
The WS consumer user authenticates himself or herself with the Security Token Service (STS), for example, with a Kerberos token. The STS exchanges this for a security token. The WS consumer sends the public key to the STS.
The STS encrypts the public key of the public and private key pair that the WS consumer generated. The STS issues the SAML assertion and inserts the encrypted public key and the STS identity of the user. The STS signs the SAML assertion with its private key.
The WS consumer inserts the SAML token, unchanged, into the message header. It signs the message with the private key from the public and private key pair (endorsing signature). It then sends the message to the WS provider.
Since the WS consumer only signs the message and does not encrypt it, the communication route between the WS consumer and the WS provider must be secured by other means, such as the Secure Sockets Layer (SSL) protocol or a symmetric trust relationship based on the exchange of X.509 certificates.
The WS provider uses its private key to decrypt the SAML token and checks the STS signature in the SAML token against the public key of the STS.
To determine whether the WS consumer was actually the sender of the message, the WS provider checks the endorsing signature against the public key that it unpacked from the SAML token. If the signature is correct, the WS consumer is the Holder-of-Key, that is, it possesses the private key of the public and private key pair. The WS consumer therefore actually sent the message. This also proves the integrity of the message.
The WS provider allows the user whose ID is contained in the SAML token to access the resources.
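The following Go program is an added illustration of the exchange described above; it is not code from the original page or from any vendor's implementation. Ed25519 and RSA-OAEP stand in for the real signature and encryption algorithms, a JSON struct for the SAML XML, the Kerberos logon to the STS is omitted, and all keys and the user name "alice" are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Assertion stands in for the SAML assertion (JSON here; real SAML is XML); Token and Message are equally constructed models.
type Assertion struct {
	UserID       string `json:"user_id"`       // STS identity of the authenticated user
	EncryptedKey []byte `json:"encrypted_key"` // consumer's nonpersistent public key, encrypted for the WS provider
}
type Token struct{ Assertion, STSSignature []byte }                // SAML token: assertion plus the STS signature over it
type Message struct{ Token Token; Body, EndorsingSignature []byte } // SOAP message: token in the header, body, endorsing signature
// stsIssue models the STS: encrypt the consumer's public key for the WS provider, then sign the whole assertion.
func stsIssue(stsPriv ed25519.PrivateKey, providerPub *rsa.PublicKey, user string, consumerPub ed25519.PublicKey) (Token, error) {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, providerPub, consumerPub, nil)
	if err != nil {
		return Token{}, err
	}
	a, _ := json.Marshal(Assertion{UserID: user, EncryptedKey: enc})
	return Token{Assertion: a, STSSignature: ed25519.Sign(stsPriv, a)}, nil
}
// consumerSend models the WS consumer: forward the token unchanged and endorse the body with the nonpersistent private key.
func consumerSend(tok Token, consumerPriv ed25519.PrivateKey, body []byte) Message {
	return Message{tok, body, ed25519.Sign(consumerPriv, body)} // WS-Security endorses the primary signature; body stands in here
}
// providerVerify models the WS provider: check the STS signature, recover the consumer's key, check the endorsing signature.
func providerVerify(m Message, stsPub ed25519.PublicKey, providerPriv *rsa.PrivateKey) (string, error) {
	var a Assertion
	if !ed25519.Verify(stsPub, m.Token.Assertion, m.Token.STSSignature) || json.Unmarshal(m.Token.Assertion, &a) != nil {
		return "", fmt.Errorf("SAML token rejected: bad STS signature or malformed assertion")
	}
	pub, err := rsa.DecryptOAEP(sha256.New(), nil, providerPriv, a.EncryptedKey, nil) // only the provider can unpack the key
	if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pub), m.Body, m.EndorsingSignature) {
		return "", fmt.Errorf("endorsing signature invalid: sender is not the Holder-of-Key")
	}
	return a.UserID, nil // only now is the user named in the token granted access
}
func main() { // stand-alone happy-path run with constructed keys and a constructed user
	stsPub, stsPriv, _ := ed25519.GenerateKey(rand.Reader)
	providerPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	consumerPub, consumerPriv, _ := ed25519.GenerateKey(rand.Reader) // the consumer's nonpersistent key pair
	tok, _ := stsIssue(stsPriv, &providerPriv.PublicKey, "alice", consumerPub) // Kerberos logon to the STS omitted
	fmt.Println(providerVerify(consumerSend(tok, consumerPriv, []byte("<order/>")), stsPub, providerPriv))
}
```

The result is the user ID the WS provider accepts, or an error naming which of the two signature checks failed.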