How SAML Token Multistep Authentication, Sender-Vouches Works

Configuration Guides › Policy Server Configuration Guide › Authentication Schemes › WS‑Security Authentication › Choose a WS‑Security Token Type › SAML Assertion Token › How SAML Token Multistep Authentication, Sender-Vouches Works

This model does not require the assertion subject’s public and private keys bound to the SOAP document. The web service consumer’s public key is not supplied (by the web service consumer or the Policy Server) with a request. Upon validation of the request, the authentication service vouches for the web service consumer by generating a SAML token and binding it to the message body by signing them both with its private key using the sender-vouches subject confirmation method.

Obtaining the SAML Token—When a web service consumer makes a request for a web service, the web service consumer must get the SAML token from the authentication service, which is protected by the SOA Agent. The SAML token can be obtained using any method of authentication.
After the web service consumer is authenticated, the web service consumer goes through the authorization process. If the web service consumer is successfully authorized, the SOA Agent responds generating a WS‑Security SAML token signed using the token issuer’s private key.
Using the SAML Token—The signed SOAP document (SAML token and request message body) is passed by the authentication service to the web service consumer for use in subsequent web service requests. Because requests take the form of a SOAP document in which the SAML token is bound to the message payload using the signature of the trusted token issuer, they can be accepted by other web services with a high degree of confidence that it came from a trusted source.
Note: The sender-vouches SAML token is valid bound only to the original request message—it cannot be reused with other requests.

In this model, the web service consumer does not sign each XML document request, assuming the destination URL does not require a signed document.

More information:

Supported Authentication Schemes for Producing Each WS-Security Header Type

Email CA Technologies about this topic