3.2.5.3 Authentication with Third-Party Application

The following procedure describes the authentication that takes place when a client calls a third-party application in the same organization using these extensions.

  1. The organization's IT administrator sets up an STS and configures it with the security principal identifiers for the client and the third-party application. The client and the third-party application each exchange public keys, carried in X.509 certificates, with the STS, so that the STS holds each principal's public key and each principal holds the STS's public key. The administrator also configures the client and the third-party application to trust security tokens issued by the STS, that is, tokens whose signature verifies under the STS's public key.

  2. The client makes an anonymous request to the third-party application.

  3. The third-party application responds with an HTTP 401 challenge, as specified in [RFC2616] and [RFC2617].

  4. The client requests a security token from the STS. It does this by sending a self-issued security token, that is, a token the client creates for itself and signs with its own private key. The security token contains the aud, iss, nameid, nbf, and exp claims, as specified in section 2.2.

  5. The STS validates the signature of the self-issued security token against the public key registered for the client in step 1, verifies that the client is authorized to access the requested resource, and returns a server-to-server security token signed with the STS's private key; the corresponding public key is the one the third-party application was configured to trust. The security token contains the aud, iss, nameid, nbf, exp, and appctx claims, as specified in section 2.2. The appctx claim contains information that is implementation-specific to the third-party application. For an example of a server-to-server security token that is used to access a third-party application, see section 4.5.

  6. The client sends the server-to-server security token to the third-party application.

  7. The third-party application validates the server-to-server security token by verifying its signature with the STS's public key and checking the values of the aud, iss, and exp claims. It performs additional validation checks to ensure that the client is authorized to access the requested resource. It then responds to the client with the requested resource.
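
The seven steps above, as an added worked example in Go. This code is not part of this specification or of any SharePoint implementation: it assumes placeholder principal identifiers (client@realm.example, sts@realm.example, app@realm.example), RSA keys generated at run time in place of the X.509 certificates of step 1, a simplified "<base64url(json)>.<base64url(sig)>" token encoding rather than the exact wire format of section 2.2, and a made-up appctx value. Steps 2, 3, and 6 (the anonymous request, the HTTP 401 challenge, and carrying the token to the application) are HTTP transport and are not modeled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims of the section 2.2 tokens; appctx is set only in the server-to-server token.
type Claims struct {
	Aud    string `json:"aud"`
	Iss    string `json:"iss"`
	NameID string `json:"nameid"`
	Nbf    int64  `json:"nbf"`
	Exp    int64  `json:"exp"`
	AppCtx string `json:"appctx,omitempty"`
}

// Sign produces "<base64url(json)>.<base64url(sig)>", an RSASSA-PKCS1-v1_5 SHA-256 signature over the JSON (simplified format).
func Sign(c Claims, priv *rsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(c) // cannot fail for a struct of strings and ints
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify picks the trusted key for the (still untrusted) iss claim, checks the signature, and only then aud, nbf and exp.
func Verify(token string, trusted map[string]*rsa.PublicKey, wantAud string, now time.Time) (Claims, error) {
	p, s, ok := strings.Cut(token, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	var c Claims
	if !ok || err1 != nil || err2 != nil || json.Unmarshal(payload, &c) != nil {
		return Claims{}, fmt.Errorf("malformed token")
	}
	h := sha256.Sum256(payload)
	if pub := trusted[c.Iss]; pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return Claims{}, fmt.Errorf("signature does not verify under a trusted key for iss %q", c.Iss)
	}
	if t := now.Unix(); c.Aud != wantAud || t < c.Nbf || t >= c.Exp {
		return Claims{}, fmt.Errorf("aud/nbf/exp check failed for %+v (want aud %q at %d)", c, wantAud, t)
	}
	return c, nil // nothing from the payload is returned unless every check passed
}

// STS holds the public keys registered in step 1 and the grants checked in step 5.
type STS struct {
	ID         string
	Key        *rsa.PrivateKey
	Registered map[string]*rsa.PublicKey  // principal ID -> public key
	Grants     map[string]map[string]bool // client ID -> resource IDs it may call
}

// Issue is step 5: validate the self-issued token under the client's registered key, check the grant, sign with the STS key.
func (s *STS) Issue(selfIssued, resource string, now time.Time) (string, error) {
	req, err := Verify(selfIssued, s.Registered, s.ID, now)
	if err != nil {
		return "", fmt.Errorf("self-issued token rejected: %w", err)
	}
	if req.NameID != req.Iss || !s.Grants[req.NameID][resource] {
		return "", fmt.Errorf("%q is not authorized for %q", req.NameID, resource)
	}
	return Sign(Claims{Aud: resource, Iss: s.ID, NameID: req.NameID, Nbf: now.Unix(),
		Exp: now.Add(10 * time.Minute).Unix(), AppCtx: `{"CacheKey":"x"}`}, s.Key) // appctx value is made up
}

// Flow walks steps 4 to 7 for placeholder principal IDs; the keys stand in for the certificates of step 1.
func Flow(clientKey, stsKey *rsa.PrivateKey, now time.Time) (Claims, error) {
	const clientID, stsID, appID = "client@realm.example", "sts@realm.example", "app@realm.example"
	sts := &STS{ID: stsID, Key: stsKey,
		Registered: map[string]*rsa.PublicKey{clientID: &clientKey.PublicKey},
		Grants:     map[string]map[string]bool{clientID: {appID: true}}}
	self, err := Sign(Claims{Aud: stsID, Iss: clientID, NameID: clientID, // step 4: iss and nameid are the client itself
		Nbf: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()}, clientKey)
	if err != nil {
		return Claims{}, err
	}
	s2s, err := sts.Issue(self, appID, now) // step 5
	if err != nil {
		return Claims{}, err
	}
	// Step 7: the application trusts only the STS key, so the iss check is the key lookup; aud must be its own ID.
	return Verify(s2s, map[string]*rsa.PublicKey{stsID: &stsKey.PublicKey}, appID, now)
}

func main() {
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	stsKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(Flow(clientKey, stsKey, time.Now()))
}
```

Two design points carry the security of the procedure. First, Verify reads the iss claim before the signature is checked only to choose which trusted key to try; the claims are discarded unless the signature verifies under that key, so a token that names the STS as issuer but is signed by the client's key is rejected. Second, the third-party application's trusted set contains only the STS's public key, so a client cannot skip the STS and present its self-issued token directly to the application, and the aud check stops a token issued for one application from being replayed against another.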