Authorization Services(AS) provide access to identity providers which can validate the credentials provided by Clients. They then provide tokens which can be passed to a Serverinstead of the credentials. These tokens are passed as an IssuedIdentityTokendefined in 7.41.6.
Serverspublish the Authorization Services(AS) they support in the UserTokenPolicieslist return with GetEndpoints. The IssuedTokenTypefield specifies the protocol used to communicate with the AS. The IssuerEndpointUrlfield contains the information needed by the Clientto connect to the AS using the protocol required by the AS.
The basic handshake is shown in Figure 24.