How SAML Token Multistep Authentication, Holder-of-Key Works
In this highly secure model, the web service consumer must sign each XML document request using a private key associated with the public key that was provided during authentication.
- Obtaining the SAML Token—When a web service consumer makes a request for a web service, the web service consumer must obtain the SAML token from the authentication service, which is protected by the SOA Agent. The SAML token can be obtained using any supported authentication scheme. Also, the initial request must provide a public key to the SOA Agent. The key can be provided in an XML document, using the XML-DSIG authentication scheme, or provided by the Policy Server from the user store.

  After the web service consumer is authenticated, the web service consumer goes through the authorization process. If the web service consumer is successfully authorized, the SOA Agent generates a SAML token containing the client’s public key and signs it with its own public key/certificate.
- Using the SAML Token—The token is passed by the authentication service back to the web service consumer in a SOAP document. When making subsequent web service requests, the web service consumer places the token in the SOAP request and signs the entire document using its private key. Because the requesting SOAP document is signed by the token subject and the token is signed by the issuer, the request can be authenticated by other web services configured to use the WS‑Security authentication scheme with a high degree of confidence that it came from a trusted source.
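The two-signature check that gives holder-of-key its strength, as an added illustration that is not SOA Agent or Policy Server code: the issuer signs the binding between the subject and the subject's public key, the consumer signs the whole request with the matching private key, and the receiving service accepts a request only when both signatures verify. It uses Ed25519 and a constructed token encoding (`Subject|key`) as stand-ins for the X.509 keys, XML-DSIG and SAML XML the product actually uses; the type and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// HoKToken stands in for the SAML holder-of-key assertion: the issuer binds the consumer's public key to the subject and signs that binding.
type HoKToken struct {
	Subject    string
	SubjectKey ed25519.PublicKey // key the consumer supplied when it authenticated
	IssuerSig  []byte            // issuer signature over Subject || SubjectKey
}

// GenerateKeyPair makes an Ed25519 pair, a stand-in for the X.509 pair used with XML-DSIG.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand only fails catastrophically
	return pub, priv
}

// tokenBytes is what the issuer signs (a constructed encoding, not real SAML).
func tokenBytes(t HoKToken) []byte { return append([]byte(t.Subject+"|"), t.SubjectKey...) }

// IssueToken is the issuer side, run after authentication and authorization succeed.
func IssueToken(issuerPriv ed25519.PrivateKey, subject string, key ed25519.PublicKey) HoKToken {
	t := HoKToken{Subject: subject, SubjectKey: key}
	t.IssuerSig = ed25519.Sign(issuerPriv, tokenBytes(t))
	return t
}

// SignRequest is the consumer side: one signature over the whole document (embedded token plus body) with the consumer's private key.
func SignRequest(consumerPriv ed25519.PrivateKey, t HoKToken, body []byte) []byte {
	return ed25519.Sign(consumerPriv, append(tokenBytes(t), body...))
}

// VerifyRequest is the receiving web service: trust the token only if a trusted issuer signed it, then the request only if the token's own key signed it.
func VerifyRequest(issuerPub ed25519.PublicKey, t HoKToken, body, sig []byte) error {
	if len(t.SubjectKey) != ed25519.PublicKeySize {
		return errors.New("token carries no usable subject key")
	}
	if !ed25519.Verify(issuerPub, tokenBytes(t), t.IssuerSig) {
		return errors.New("token not signed by a trusted issuer")
	}
	if !ed25519.Verify(t.SubjectKey, append(tokenBytes(t), body...), sig) {
		return errors.New("request not signed by the token's holder-of-key")
	}
	return nil
}
```

A token copied out of one request is useless to anyone without the subject's private key, which is what distinguishes holder-of-key from a bearer token.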
More information:
Supported Authentication Schemes for Producing Each WS-Security Header Type