
Security Token Service

Security Token Service for API Identity Translation & Federation


All Layer 7 API Gateways ship with a Security Token Service (STS) engine inside. The Layer 7 Security Token Service is capable of performing:

  • General token mappings
  • Generation of custom attribute-based SAML tokens 
  • A variety of OAuth token operations, via the OAuth Toolkit 

The Layer 7 STS supports both the WS-Trust and WS-Federation specifications, including SAML 1.1 and 2.0. It includes deep certificate integration to support holder-of-key, bearer token and sender-vouches methods of subject confirmation for identity propagation. The Web Browser SSO Profile (including Browser-Artifact and Browser POST) is supported in either an identity provider or a service provider role. Web service-style token profiles are also supported. 

The STS can be implemented inline or as an endpoint security service. Additionally, it can be deployed as an adjunct to commercial identity and access management (IAM) products from leading vendors such as Oracle, Sun, Novell, Tivoli, CA and RSA.

Beyond the specific interactions provided by the WS-Trust specification, Layer 7’s STS provides comprehensive identity federation across a wide array of security tokens and message formats. A security token can be:

  • Authenticated 
  • Used for fine-grained authorization based on resource, request content or transaction context
  • Mapped to a new identity token and applied to a request message that is then propagated to a service endpoint

Supported authorization styles include:

  • OAuth 1.0a, WRAP and 2.0
  • Integration with external or internal XACML decision engines (including XACML 3.0)
  • Policy-based decisions using user groups, roles or attributes

White Paper: Federated Identity & Single Sign-On Using Layer 7


Federate identity for SaaS, Web services, APIs, mobile applications and the Cloud

This white paper provides a detailed overview of how Layer 7’s API Gateways empower enterprises to address the challenges of dealing with identity silos, via identity federation and SSO.




Scale & Performance


Delivers token mapping and translation at wire speed via dedicated acceleration


Deployment Flexibility


Allows for implementation inline or as an endpoint service


Low Latency


Combines caching with token translation to minimize delays in token processing


SaaS Readiness


Includes out-of-the-box SSO capabilities for popular SaaS applications such as Salesforce


IAM Integration


Supports leading SSO products from Sun, Oracle, CA, Tivoli, RSA and Novell


SOAP, REST & JSON Security


Includes comprehensive, policy-based message- and API-level security

The Layer 7 Security Token Service supports:

  • WS-Trust
  • WS-Federation

The Layer 7 STS also supports integration with a wealth of identity, access, SSO and federation systems, including:

  • Microsoft Active Directory/Federated Services
  • Novell Access Manager
  • IBM Tivoli TFIM
  • Oracle Access Manager
  • RSA Access Manager
  • IBM Tivoli TAM 
  • CA SiteMinder
  • Sun Java System Access Manager

The STS additionally supports a range of authentication protocols, including:

  • SAML tokens
  • OAuth
  • Security Context Tokens
  • Kerberos
  • Digital signatures
  • X.509 certificates
  • LDAP
  • HTTP Basic
  • SSL Client Authentication