How Chain Authentication Service Model, Sender-Vouches with SSL-based Issuer Confirmation Works
This model does not require the assertion subject’s public and private keys to be bound to the request. A SAML token that uses the sender-vouches subject confirmation method is generated, and downstream web services use it to authenticate the web service consumer. The token issuer is authenticated implicitly: the request is encrypted and decrypted over SSL with encryption keys derived from the issuer’s client certificate and the server certificate used to set up the SSL link.
- Obtaining the SAML Token—When a web service consumer makes a request for a web service, the web service consumer must get the SAML token from the authentication service, which is protected by the SOA Agent. The SAML token can be obtained using any supported authentication scheme.
After the web service consumer is authenticated, the web service consumer goes through the authorization process. If the web service consumer is successfully authorized, the SOA Agent responds by adding a WS‑Security SAML token to the SOAP request.
- Using the SAML Token—After the signed SOAP request containing the SAML token is generated, the authentication service establishes an SSL connection to the next web service in the chain and uses that secure connection to pass the request. When the downstream web service receives the document, the WS‑Security authentication scheme validates the originator of the document based on the SAML token contents. Optionally, the token issuer’s public key/certificate can be obtained from the SSL key store on the web server and used to validate the issuer identity. The web service receiving this document may now process it and send it along to other web services over further SSL connections.
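The two sides of the flow above, as an added illustration that is not code from this guide or from the product: the authentication service builds a SOAP request whose WS‑Security header carries a SAML assertion with the sender-vouches confirmation method, and the downstream web service validates it. Because sender-vouches binds no key material to the subject, the receiver's decisive check is that the assertion's issuer is the party authenticated on the SSL connection; the `tls_peer_identity` parameter, the issuer and subject values, the use of SAML 2.0 namespaces and the five-minute lifetime are all assumptions made for the example.

```python
"""Sender-vouches SAML token in a WS-Security header: builder for the
authentication-service side, validator for the downstream web service.
Constructed example; names, URIs of parties and the way the SSL peer
identity is surfaced (tls_peer_identity) are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
# Fixed clock for the constructed scenario so results are reproducible.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def q(prefix, tag):
    """Clark-notation element name for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)


def build_request(issuer, subject, body_text, now, lifetime=timedelta(minutes=5)):
    """Authentication-service side: wrap body_text in a SOAP envelope whose
    wsse:Security header carries a sender-vouches SAML 2.0 assertion."""
    env = ET.Element(q("soap", "Envelope"))
    header = ET.SubElement(env, q("soap", "Header"))
    security = ET.SubElement(header, q("wsse", "Security"))
    assertion = ET.SubElement(security, q("saml", "Assertion"), {
        "Version": "2.0", "ID": "_constructed-id-1", "IssueInstant": now.isoformat()})
    ET.SubElement(assertion, q("saml", "Issuer")).text = issuer
    subj = ET.SubElement(assertion, q("saml", "Subject"))
    ET.SubElement(subj, q("saml", "NameID")).text = subject
    # Sender-vouches: no key for the subject; the issuer vouches for it.
    ET.SubElement(subj, q("saml", "SubjectConfirmation"), {"Method": SENDER_VOUCHES})
    ET.SubElement(assertion, q("saml", "Conditions"), {
        "NotBefore": now.isoformat(),
        "NotOnOrAfter": (now + lifetime).isoformat()})
    body = ET.SubElement(env, q("soap", "Body"))
    ET.SubElement(body, "Request").text = body_text
    return ET.tostring(env, encoding="unicode")


def validate_request(xml_text, tls_peer_identity, trusted_issuers, now):
    """Downstream web service side. tls_peer_identity is the identity from the
    client certificate that authenticated the SSL connection (assumed to be
    supplied by the transport layer). Returns (ok, detail)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "malformed SOAP: %s" % exc
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return False, "no SAML assertion in wsse:Security header"
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return False, "untrusted issuer %r" % issuer
    # The only thing binding a sender-vouches assertion to a party is the
    # SSL client identity, so it must be the assertion's issuer.
    if issuer != tls_peer_identity:
        return False, "issuer %r does not match SSL peer %r" % (issuer, tls_peer_identity)
    confirmation = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if confirmation is None or confirmation.get("Method") != SENDER_VOUCHES:
        return False, "subject confirmation method is not sender-vouches"
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return False, "assertion has no Conditions"
    not_before = datetime.fromisoformat(conditions.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(conditions.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window"
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, subject


def demo():
    """Run the constructed scenario: one good request, then three rejections."""
    issuer = "https://auth.example.test"  # constructed issuer name
    req = build_request(issuer, "alice", "getBalance", NOW)
    trusted = {issuer}
    return {
        "accepted": validate_request(req, issuer, trusted, NOW),
        "wrong_peer": validate_request(req, "https://rogue.example.test", trusted, NOW),
        "expired": validate_request(req, issuer, trusted, NOW + timedelta(minutes=10)),
        "no_token": validate_request("<x/>", issuer, trusted, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `wrong_peer` case is the one worth noticing: the assertion is well formed, from a trusted issuer and inside its validity window, yet it is rejected because the party on the SSL link is not the issuer. That mismatch check is what the page's "SSL-based issuer confirmation" amounts to at the receiving web service; the optional comparison against the issuer certificate in the web server's SSL key store is the same check performed against stored key material.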
More information:
Supported Authentication Schemes for Producing Each WS-Security Header Type