Benefits of the SAML Session Ticket Authentication Scheme
The SAML Session Ticket authentication scheme allows SOA Security Manager to provide two-factor authentication. This means that authentication can rely on two things:
The benefits of this type of authentication are as follows:
- For the multistep authentication service model:
  - If a request is a signed document with an assertion, the Policy Server can ensure that the message is from the entity holding the private key that matches the public key in the assertion.
  - After the initial authentication, it is the public key in the assertion that secures the transaction with the subsequent web service. Even if an unauthorized party obtains the assertion, they still cannot breach security because they do not have the client’s private key.
  - Use of digital signatures in authentication service environments eliminates the need for SSL connections to protect data integrity. However, SSL still has value for encryption purposes.
- For the chain web service model, the assertion is bound to the document. This allows any web service using the SAML Session Ticket authentication scheme to identify the original web service consumer making the request, no matter how far down the chain the assertion is passed.
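
The key binding described in the list above, as an added example that is not part of the original guide or the product's code: it shows why a copied assertion is useless without the client's private key, and why the signature ties the assertion to one document. Plain Go structs and Ed25519 signatures stand in for SAML XML and XML Signature, and every name here (`Assertion`, `DemoKey`, `Issue`, `SignDoc`, `Verify`) is hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Assertion is a simplified stand-in for a SAML assertion, not real SAML XML.
type Assertion struct {
	Subject   string
	HolderKey ed25519.PublicKey // consumer's public key
	IssuerSig []byte            // issuer signature over Subject and HolderKey
}

// DemoKey derives a fixed, constructed key pair; real keys come from crypto/rand.
func DemoKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func claims(subject string, key ed25519.PublicKey) []byte { return append([]byte(subject+"\x00"), key...) }
func bound(a Assertion, doc []byte) []byte                { return append(append(claims(a.Subject, a.HolderKey), a.IssuerSig...), doc...) }

func Issue(issuer ed25519.PrivateKey, subject string, holder ed25519.PublicKey) Assertion {
	return Assertion{Subject: subject, HolderKey: holder, IssuerSig: ed25519.Sign(issuer, claims(subject, holder))}
}

// SignDoc signs the document together with the assertion, binding the two.
func SignDoc(sender ed25519.PrivateKey, a Assertion, doc []byte) []byte { return ed25519.Sign(sender, bound(a, doc)) }

// Verify names the original consumer only if issuer and key holder both signed.
func Verify(issuerPub ed25519.PublicKey, a Assertion, doc, sig []byte) (string, error) {
	if len(a.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, claims(a.Subject, a.HolderKey), a.IssuerSig) {
		return "", fmt.Errorf("assertion not issued by the trusted issuer")
	}
	if !ed25519.Verify(a.HolderKey, bound(a, doc), sig) {
		return "", fmt.Errorf("sender does not hold the key named in the assertion")
	}
	return a.Subject, nil
}

func main() {
	ipub, ipriv := DemoKey(1) // issuer (authentication service)
	cpub, cpriv := DemoKey(2) // legitimate consumer
	_, thief := DemoKey(3)    // holds a copied assertion, not the consumer's key
	a, doc := Issue(ipriv, "consumer-1", cpub), []byte("<order/>")
	fmt.Println(Verify(ipub, a, doc, SignDoc(cpriv, a, doc)))
	fmt.Println(Verify(ipub, a, doc, SignDoc(thief, a, doc)))
}
```

The second call fails because the copied assertion still names the consumer's public key, which a signature made with any other private key cannot satisfy.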