Some web services use security tokens to ensure that users are authorized to access resources provided by the web services. To obtain a security token, a user provides a credential to a security token service (STS). The STS attempts to authenticate an identity of the user based on the credential. If the STS successfully authenticates the identity of the user, the STS gathers claims from one or more claim providers. The claims can comprise various types of data. For example, the claims can comprise assertions about the identity of the user.
After gathering the claims from the claim providers, the STS generates a security token and provides the security token to the user. The security token comprises at least some of the claims provided by the claim providers. The STS digitally signs the security token to make it possible to determine whether the security token has been altered. The STS can also encrypt the security token for additional security.
After receiving the security token, the user provides the security token to the web service. When the web service receives the security token, the web service uses the claims in the security token to determine whether or not the user is authorized to access a resource provided by the web service.
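The flow described above, as an added example that is not part of the original text: a toy STS authenticates a credential, gathers claims from two claim providers and signs the token, and a web service checks the signature before authorizing on the claims. The key, user store, provider functions and role names are constructed for illustration. HMAC-SHA256 with a shared key stands in for the STS's digital signature, and token encryption is omitted.

```python
import base64, hashlib, hmac, json
from typing import Optional

# All names and values below are constructed for illustration.
STS_KEY = b"demo-key-shared-by-sts-and-service"   # stand-in for the STS signing key
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # toy credential store
CLAIM_PROVIDERS = [                                # each provider returns claims for a user
    lambda user: {"name": user},
    lambda user: {"roles": ["reports-reader"]} if user == "alice" else {},
]

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _sign(payload: bytes) -> bytes:
    # HMAC-SHA256 stands in for the STS's digital signature in this sketch.
    return hmac.new(STS_KEY, payload, hashlib.sha256).digest()

def sts_issue_token(user: str, password: str) -> Optional[str]:
    """Authenticate the credential, gather claims, return a signed token."""
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(user, ""), supplied):
        return None                                # authentication failed: no token
    claims = {}
    for provider in CLAIM_PROVIDERS:
        claims.update(provider(user))
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload))

def service_authorize(token: str, required_role: str) -> bool:
    """Verify the signature first, then decide from the claims."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return False                               # malformed token
    if not hmac.compare_digest(sig, _sign(payload)):
        return False                               # altered or forged token
    claims = json.loads(payload)
    return required_role in claims.get("roles", [])

def tamper(token: str, extra_role: str) -> str:
    """Rewrite the claims without re-signing, as an altered token would look."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims.setdefault("roles", []).append(extra_role)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig_b64
```

The web service never reads a claim until the signature check has passed, which is why the token altered by `tamper` is rejected even though its claims now name the required role.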