Security token service (STS) is a cross-platform open standard core component of the OASIS group's WS-Trust web services single sign-on infrastructure framework specification.cf.
[citation needed] Together with the rest of the WS-Trust standard, the security token service specification was initially developed by employees of IBM, Microsoft, Nortel and VeriSign.
In a typical usage scenario involving a web service that employs WS-Trust, when a client requests access to an application, the application does not authenticate the client directly (for instance, by validating the client's login credentials against an internal database).
This process is illustrated in the Security Assertion Markup Language (SAML) use case, demonstrating how single sign-on can be used to access web services.
Software that provides security token services is available from numerous vendors, including the open-source Apache CXF, as well as closed-source solutions from Oracle (for interfacing with authentication services backed by an Oracle Database) and Microsoft (where STS is a core component of Windows Identity Foundation and Active Directory Federation Services).