Question

I am studying brokered authentication, federation, etc. On all the blogs it's mentioned that there is a "trust" between the Security Token Service and other web services. However, I could not find a blog which explains how to establish that trust.

Questions:

  1. What makes other web services trust the STS? i.e., how do we establish trust between the STS and other web services?
  2. How do other web services verify that the security token was issued by the STS they trust, and not by some other STS?

I understand that various technologies would do it in different ways. It would be good if someone explained how it happens in the .NET world (using WCF, Windows Identity Foundation, etc.).


Solution

It's done using an X.509 certificate.

The Security Token Service (STS) "signs the SAML token" using a certificate which is trusted by the other services too. So the trust is established using the common thing, i.e. the certificate, which the STS and the other services both trust!

While calling other web services, the SAML token issued by the STS is sent in the SOAP header. If the SAML token is signed by the certificate your other service trusts, then your service understands that the token was issued by the 'trusted' STS.

In Windows Identity Foundation, you can configure the signing certificate for the STS. In the case of other web services, the trusted certificate can be configured in the Service Host using the ServiceCredential class.
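The trust relationship the answer describes, shown as an added example (this is not code from the original answer, and it is not WCF/WIF code): a relying party is configured with the certificate of the one STS it trusts, and it accepts a token only if the token names that issuer, has not expired, and carries a signature that verifies under the public key in that certificate. A second STS that claims the same issuer name but signs with its own key is rejected, as is a token whose claims were altered after signing. The issuer name, the token layout, the ECDSA P-256 keys and the self-signed certificates are all constructed in-process for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// STS is a token issuer: a private signing key plus the self-signed X.509 certificate carrying its public key.
type STS struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate // the only artefact handed to relying parties
}

// NewSTS generates a key and a self-signed certificate for issuer name (created in-process for the example).
func NewSTS(name string) (*STS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &STS{key: key, Cert: cert}, err
}

// Token is a minimal stand-in for a signed SAML assertion: claims plus a signature over them.
type Token struct {
	Issuer, Subject string
	ExpiresAt       time.Time
	Signature       []byte // ECDSA (ASN.1) signature over SHA-256 of body()
}

// body is the canonical byte string that the STS signs and the service verifies.
func (t Token) body() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s", t.Issuer, t.Subject, t.ExpiresAt.UTC().Format(time.RFC3339)))
}

// Issue signs a token for subject with the STS's private key; the issuer name comes from its certificate.
func (s *STS) Issue(subject string, ttl time.Duration) (t Token, err error) {
	t = Token{Issuer: s.Cert.Subject.CommonName, Subject: subject, ExpiresAt: time.Now().Add(ttl)}
	h := sha256.Sum256(t.body())
	t.Signature, err = ecdsa.SignASN1(rand.Reader, s.key, h[:])
	return t, err
}

// RelyingParty is a web service configured with the certificate of the one STS it trusts.
type RelyingParty struct {
	TrustedIssuer string
	TrustedCert   *x509.Certificate
}

// Accept rejects a token unless the issuer name matches, the token is unexpired, and the signature
// verifies with the public key in the trusted certificate. A token signed with any other key fails.
func (rp RelyingParty) Accept(t Token, now time.Time) error {
	if t.Issuer != rp.TrustedIssuer {
		return errors.New("issuer is not the trusted STS")
	}
	if now.After(t.ExpiresAt) {
		return errors.New("token has expired")
	}
	if err := rp.TrustedCert.CheckSignature(x509.ECDSAWithSHA256, t.body(), t.Signature); err != nil {
		return fmt.Errorf("signature was not produced by the trusted STS key: %w", err)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo checks three tokens against a service that trusts only good.Cert: one from the trusted STS, one from
// a rogue STS claiming the same issuer name with its own key, and a trusted token altered after signing.
func Demo() (trusted, rogue, tampered bool) {
	const issuer = "https://sts.example"
	good := must(NewSTS(issuer))
	evil := must(NewSTS(issuer)) // same issuer name, different key and certificate
	rp := RelyingParty{TrustedIssuer: issuer, TrustedCert: good.Cert}
	t1 := must(good.Issue("alice", time.Hour))
	t2 := must(evil.Issue("alice", time.Hour))
	t3 := t1
	t3.Subject = "admin" // altered in transit; the signature no longer matches body()
	now := time.Now()
	return rp.Accept(t1, now) == nil, rp.Accept(t2, now) == nil, rp.Accept(t3, now) == nil
}
```

Demo() returns true, false, false: only the token signed by the key behind the configured certificate passes. Note that the issuer name in the token is just a claim; it is the signature check against the configured certificate that decides trust, which is why the rogue STS with the same name is rejected. A production verifier would also check that the trusted certificate is within its validity period and not revoked, and that the token's audience is the service receiving it.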

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow