How Chain Authentication Service Model, Sender-Vouches with Signature-Based Issuer Validation Works
This service model does not require the SAML assertion subject's public and private keys to be bound to the request. A SAML token that uses the sender-vouches subject confirmation method is generated and used to authenticate the web service consumer to downstream web services; the token issuer's identity is validated through the signature made with its private key, which binds the issuer to both the token and the SOAP request.
- Obtaining the SAML Token—When a web service consumer makes a request for a web service, the web service consumer must get the SAML token from the authentication service, which is protected by the SOA Agent. The SAML token can be obtained using any method of authentication.

  After the web service consumer is authenticated, the web service consumer goes through the authorization process. If the web service consumer is successfully authorized, the SOA Agent responds by adding a WS‑Security SAML token signed using the token issuer's private key to the SOAP request. The SOA Agent then also signs the request using the token issuer's private key.

- Using the SAML Token—After the signed SOAP request containing the SAML token is generated, the authentication service passes the document to the next web service in the chain. When the downstream web service receives the document, the WS‑Security authentication scheme verifies the token issuer by its signature and validates the originator of the document based on the SAML token contents. The application receiving this document may now process it and send it along to other web services protected by the WS‑Security authentication scheme.
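The checks a downstream service in the chain has to make under this model, written out as an added example in Python (it is not product code from the SOA Agent or the Policy Server). It assumes the agent references the assertion and the SOAP Body by wsu:Id in the issuer's signature, and that the cryptographic XML-DSig verification is supplied by a library and injected as verify_signature; the sample envelope is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces of the WS-Security SAML 1.1 token profile and XML-DSig.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
WSU_ID = "{%s}Id" % NS["wsu"]
HDR = "soap:Header/wsse:Security/"
SUBJECT = "saml:AuthenticationStatement/saml:Subject/"

# Constructed sample in the shape the SOA Agent emits (not a real capture); the
# wsu:Id attributes on the assertion and Body are an assumption for the signature references.
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
 xmlns:saml="%(saml)s" xmlns:ds="%(ds)s"><soap:Header><wsse:Security>
 <saml:Assertion wsu:Id="tok1" Issuer="soa-agent"><saml:AuthenticationStatement><saml:Subject>
  <saml:NameIdentifier>alice</saml:NameIdentifier><saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
  </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#tok1"/><ds:Reference URI="#body1"/></ds:SignedInfo>
  <ds:SignatureValue>BASE64-PLACEHOLDER</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference>
  <wsse:KeyIdentifier>issuer-cert-1</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
 </ds:Signature></wsse:Security></soap:Header>
 <soap:Body wsu:Id="body1"><GetBalance/></soap:Body></soap:Envelope>""" % NS

def validate_sender_vouches(envelope_xml, trusted_issuers, verify_signature):
    """Downstream check for the sender-vouches model: return the vouched-for subject or raise.
    verify_signature(sig_elem, key_id) -> bool is the XML-DSig crypto check, injected (assumed)."""
    env = ET.fromstring(envelope_xml)
    assertion = env.find(HDR + "saml:Assertion", NS)
    sig, body = env.find(HDR + "ds:Signature", NS), env.find("soap:Body", NS)
    if assertion is None or sig is None or body is None:
        raise ValueError("assertion, signature or Body missing")
    # Sender-vouches: the subject holds no key, so only this confirmation method is accepted here.
    method = assertion.findtext(SUBJECT + "saml:SubjectConfirmation/saml:ConfirmationMethod", None, NS)
    if method != SENDER_VOUCHES:
        raise ValueError("unexpected confirmation method: %r" % method)
    # The signer must be one of our trusted token issuers, not merely any key that verifies.
    key_id = sig.findtext("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", None, NS)
    if key_id not in trusted_issuers:
        raise ValueError("signature not from a trusted issuer: %r" % key_id)
    # The issuer's signature binds token to request only if it covers both the assertion and the Body.
    signed = {r.get("URI", "").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    for part, elem in (("assertion", assertion), ("Body", body)):
        if elem.get(WSU_ID) not in signed:
            raise ValueError("issuer signature does not cover the " + part)
    if not verify_signature(sig, key_id):
        raise ValueError("signature verification failed")
    return assertion.findtext(SUBJECT + "saml:NameIdentifier", None, NS)
```

The structural checks run before the cryptographic one so that a request whose signature omits the Body is rejected even when the signature over the token alone would verify.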
More information:
Supported Authentication Schemes for Producing Each WS-Security Header Type