Holder-of-Key Scenario
Tokenprovider.com is an identity provider: it generates security tokens that are used to access resources hosted by remote service providers. In this scenario the end user is an employee of acmewidget.com, but the end user could equally be an employee of tokenprovider.com.
WSprovider.com is a remote service provider that accepts credentials produced by tokenprovider.com.
tokenprovider.com and WSprovider.com have a business agreement. In this scenario, tokenprovider.com and WSprovider.com are two separate companies (different Internet domains), but they also could be two departments of the same company.
- The end user’s application signs the request for authentication using the user’s private key and posts it to the Authentication web service at tokenprovider.com.
- SOA Security Manager authenticates the user request using the XML Signature (XML DSIG) authentication scheme. SOA Security Manager generates the SAML assertion, inserts the user’s certificate into the SAML assertion, and signs the assertion with tokenprovider.com’s private key.
- The Authentication web service at tokenprovider.com returns the signed SAML assertion just created (in a raw XML document or in a SOAP/WS‑Security response).
- The user’s application at acmewidget.com inserts the SAML assertion in a WS‑Security header as part of a SOAP request and posts the request to WSprovider.com’s web service.
- At WSprovider.com, SOA Security Manager authenticates the request using the WS‑Security SAML holder-of-key authentication scheme. SOA Security Manager checks the SAML assertion signature and the user’s signature on the message body, validates that the SAML assertion was issued by a trusted partner (in this case tokenprovider.com), and validates that the user is in the user store.
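The five steps above as one worked example, added here; this is not SOA Security Manager's or CA's code. It is written in Go and deliberately simplified: the SAML assertion is a struct whose issuer signature covers a fixed serialization instead of XML DSIG over canonicalized XML, Ed25519 stands in for the RSA keys usual in XML Signature deployments, and the subject alice@acmewidget.com, the SOAP body and the self-signed user certificate are constructed sample data. What the simplification preserves is the order and meaning of the service provider's checks: issuer trust, assertion signature, proof of possession (the body must verify under the certificate the issuer bound into the assertion), then the user-store lookup. RunScenario also presents the same assertion with a body signed by a different key, which is exactly what holder-of-key confirmation rejects and a bearer assertion would not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Assertion stands in for a SAML assertion carrying a holder-of-key SubjectConfirmation.
// Real deployments sign canonicalized XML (XML DSIG); here the issuer signs content().
type Assertion struct {
	Issuer     string // e.g. tokenprovider.com
	Subject    string // the end user's identifier
	HolderCert []byte // DER certificate whose private key the presenter must prove it holds
	Signature  []byte // issuer's signature over content()
}

func (a *Assertion) content() []byte {
	return []byte(a.Issuer + "|" + a.Subject + "|" + base64.StdEncoding.EncodeToString(a.HolderCert))
}

// selfSignedCert mints a throwaway certificate for the user's key (constructed test data).
func selfSignedCert(key ed25519.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
}

// IssueAssertion is the identity provider's step: embed the user's certificate, sign with the IdP key.
func IssueAssertion(idpKey ed25519.PrivateKey, issuer, subject string, userCert []byte) Assertion {
	a := Assertion{Issuer: issuer, Subject: subject, HolderCert: userCert}
	a.Signature = ed25519.Sign(idpKey, a.content())
	return a
}

// ValidateHolderOfKey is the service provider's step: the checks the scenario lists, in order.
// body and bodySig model the SOAP body and the signature the user's application put on it.
func ValidateHolderOfKey(a Assertion, body, bodySig []byte,
	trustedIssuers map[string]ed25519.PublicKey, userStore map[string]bool) error {
	idpPub, ok := trustedIssuers[a.Issuer]
	if !ok {
		return fmt.Errorf("issuer %q is not a trusted partner", a.Issuer)
	}
	if !ed25519.Verify(idpPub, a.content(), a.Signature) {
		return fmt.Errorf("assertion signature from %q does not verify", a.Issuer)
	}
	cert, err := x509.ParseCertificate(a.HolderCert)
	if err != nil {
		return fmt.Errorf("holder-of-key certificate unparsable: %w", err)
	}
	holderPub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return fmt.Errorf("holder-of-key certificate carries an unexpected key type")
	}
	// Proof of possession: the body must be signed by the key the issuer bound into the assertion.
	if !ed25519.Verify(holderPub, body, bodySig) {
		return fmt.Errorf("body signature does not match the holder-of-key certificate")
	}
	if !userStore[a.Subject] {
		return fmt.Errorf("subject %q not found in user store", a.Subject)
	}
	return nil
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// RunScenario plays the flow end to end and returns the service provider's verdict on the genuine
// request (legit) and on the same assertion presented with a body signed by a different key (wrongKey).
func RunScenario() (legit, wrongKey error) {
	idpKey, userKey, otherKey := mustKey(), mustKey(), mustKey()
	userCert, err := selfSignedCert(userKey, "alice@acmewidget.com")
	if err != nil {
		panic(err)
	}
	assertion := IssueAssertion(idpKey, "tokenprovider.com", "alice@acmewidget.com", userCert)
	trusted := map[string]ed25519.PublicKey{"tokenprovider.com": idpKey.Public().(ed25519.PublicKey)}
	users := map[string]bool{"alice@acmewidget.com": true}
	body := []byte(`<soap:Body><GetOrder id="42"/></soap:Body>`) // constructed sample body
	goodSig := ed25519.Sign(userKey, body)  // the user's application signs the body
	badSig := ed25519.Sign(otherKey, body)  // a party without the user's key signs the same body
	return ValidateHolderOfKey(assertion, body, goodSig, trusted, users),
		ValidateHolderOfKey(assertion, body, badSig, trusted, users)
}

func main() {
	legit, wrongKey := RunScenario()
	fmt.Println("genuine request:", legit, "| same assertion, other key:", wrongKey)
}
```

Running it prints `<nil>` for the genuine request and the holder-of-key mismatch error for the second, even though the second carries a perfectly valid, issuer-signed assertion; the check order matters too, since a signature from an untrusted issuer is rejected before any key material it carries is looked at.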
Note: This scenario shows SOA Security Manager deployed at both tokenprovider.com and WSprovider.com, but either site can instead use a third-party security application, provided that application complies with the standards involved (XML Signature, WS‑Security, and SAML).
SiteMinder Authentication Schemes
The following SiteMinder authentication schemes are shown in the Administrative UI in addition to the SOA Security Manager schemes:
- Anonymous
- Basic
- Basic over SSL
- Custom
- HTML Forms
- Impersonation
- MS Passport
- RADIUS CHAP/PAP
- RADIUS Server
- SafeWord
- SafeWord and HTML Forms
- SecurID
- SecurID and HTML Forms
- X.509 Client Certificate
- X.509 Client Certificate and Basic
- X.509 Client Certificate or Basic
- X.509 Client Certificate and HTML Forms
- X.509 Client Certificate or HTML Forms
- Windows Authentication
If you would like to use these schemes to protect web applications as well as web services, contact your CA account representative to obtain a license.
Note: More information about these authentication schemes is available in the SiteMinder Policy Server Configuration Guide.