Sender-Vouches Scenario

In this use case, acmewidget.com has a purchasing agreement with widgetsupplies.com, and widgetsupplies.com has a business relationship with widget-ship.com.

The end user logs on to her procurement application with her username and password. The procurement application provides a list of acmewidget.com’s various suppliers. The end user clicks on the PinSupplies button and is presented with a purchase order in an HTML page. She fills out the purchase order and then clicks the Submit button on the HTML form.

The procurement application turns the HTML form into an XML document that it inserts in the envelope body of a SOAP message. The procurement application then inserts the end user’s credentials in the envelope header of the SOAP message, together with acmewidget.com’s customer identity.

  1. SOA Security Manager authenticates the user request for the Purchasing web service at widgetsupplies.com using the document credentials collector (DCC) authentication scheme. The purchase order is processed by widgetsupplies.com.
  2. SOA Security Manager generates a SAML assertion (including the original end user’s security information) and inserts it in the WS‑Security (WSSE) header part of the SOAP message. SOA Security Manager signs the SAML assertion and the body of the SOAP message with widgetsupplies.com’s private key.
  3. The Purchasing web service at widgetsupplies.com posts the SOAP message generated by SOA Security Manager to the Shipping web service at widget-ship.com.
  4. At widget-ship.com, SOA Security Manager authenticates the request using the WS‑Security-SAML sender-vouches authentication scheme. It verifies the signature that covers both the SAML assertion and the message body, and confirms that the assertion was issued by a trusted partner. Because widgetsupplies.com signed the assertion with its own key, widgetsupplies.com vouches for the end user; widget-ship.com never sees her original credentials. widget-ship.com can now process the shipment order for the original requester at acmewidget.com.
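
The following Go program is an added example, not code from SOA Security Manager or from this documentation, showing steps 2 and 4 of the scenario in miniature: the intermediary (widgetsupplies.com) issues a SAML assertion for the original end user with the sender-vouches confirmation method, signs the assertion and the message body together with its private key, and the receiving side (widget-ship.com) accepts the request only if the assertion's issuer is a configured trusted partner and that partner's key verifies the signature over both parts. The partner names, the user name alice@acmewidget.com, the shipment-order XML and the length-prefixed hashing are constructed for illustration; a real WS-Security deployment uses XML-DSig with canonicalization and X.509 certificates rather than raw RSA over the serialized bytes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
)

// Confirmation method that marks the assertion as vouched for by the sender.
const senderVouches = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

// Assertion is a minimal SAML assertion: who the end user is, which partner
// issued (and vouches for) the assertion, and the customer identity carried
// over from the original request. Assumed shape, not the full SAML schema.
type Assertion struct {
	XMLName  xml.Name            `xml:"Assertion"`
	Issuer   string              `xml:"Issuer,attr"`
	Subject  string              `xml:"Subject>NameID"`
	Confirm  SubjectConfirmation `xml:"Subject>SubjectConfirmation"`
	Customer string              `xml:"Attribute"`
}

type SubjectConfirmation struct {
	Method string `xml:"Method,attr"`
}

// SOAPMessage stands in for the envelope: the assertion sits in the
// wsse:Security header, the order in the body, and one signature covers both.
type SOAPMessage struct {
	Header    []byte // serialized Assertion
	Body      []byte // purchase / shipment order XML
	Signature []byte // RSA-SHA256 by the vouching partner over Header and Body
}

// signedDigest length-prefixes each part so bytes cannot be moved between
// header and body without changing the hash (simplified stand-in for XML-DSig).
func signedDigest(header, body []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{header, body} {
		fmt.Fprintf(h, "%d:", len(part))
		h.Write(part)
	}
	return h.Sum(nil)
}

// Vouch is step 2: the intermediary asserts the original end user's identity
// and signs the assertion together with the body using its own private key.
func Vouch(issuer string, key *rsa.PrivateKey, user, customer string, body []byte) (SOAPMessage, error) {
	a := Assertion{Issuer: issuer, Subject: user,
		Confirm: SubjectConfirmation{Method: senderVouches}, Customer: customer}
	header, err := xml.Marshal(a)
	if err != nil {
		return SOAPMessage{}, err
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, signedDigest(header, body))
	if err != nil {
		return SOAPMessage{}, err
	}
	return SOAPMessage{Header: header, Body: body, Signature: sig}, nil
}

// Verify is step 4 at the receiving partner: the issuer named in the assertion
// must be in the trust store, that issuer's key must verify the signature over
// assertion and body together, and the confirmation method must be
// sender-vouches. On success it returns the vouched-for assertion.
func Verify(trusted map[string]*rsa.PublicKey, msg SOAPMessage) (Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(msg.Header, &a); err != nil {
		return Assertion{}, fmt.Errorf("malformed assertion: %w", err)
	}
	pub, ok := trusted[a.Issuer]
	if !ok {
		return Assertion{}, errors.New("assertion issuer is not a trusted partner")
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedDigest(msg.Header, msg.Body), msg.Signature); err != nil {
		return Assertion{}, errors.New("signature over assertion and body does not verify")
	}
	if a.Confirm.Method != senderVouches {
		return Assertion{}, errors.New("unexpected subject confirmation method")
	}
	return a, nil
}

func main() {
	supplier, _ := rsa.GenerateKey(rand.Reader, 2048) // widgetsupplies.com's key pair
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048) // a key widget-ship.com does not trust
	trusted := map[string]*rsa.PublicKey{"widgetsupplies.com": &supplier.PublicKey}
	order := []byte(`<ShipmentOrder item="PinSupplies" qty="100"/>`) // constructed sample body

	msg, _ := Vouch("widgetsupplies.com", supplier, "alice@acmewidget.com", "acmewidget.com", order)
	a, err := Verify(trusted, msg)
	fmt.Println(a.Subject, a.Customer, err) // alice@acmewidget.com acmewidget.com <nil>

	tampered := msg // body changed after signing: the combined signature no longer verifies
	tampered.Body = []byte(`<ShipmentOrder item="PinSupplies" qty="100000"/>`)
	_, err = Verify(trusted, tampered)
	fmt.Println(err)

	forged, _ := Vouch("evil.example", stranger, "alice@acmewidget.com", "acmewidget.com", order)
	_, err = Verify(trusted, forged) // valid signature, but the issuer is not a trusted partner
	fmt.Println(err)
}
```

The point the example makes is that in sender-vouches the relying party's decision rests entirely on the intermediary's signature: the receiver never checks the end user's own credentials, so the trust store of partner keys and the requirement that one signature bind assertion and body together are what stop a forged assertion, an assertion signed by an unknown party, or a genuine assertion replayed onto a different order.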

Note: This scenario demonstrates the ability of SOA Security Manager to be at both widgetsupplies.com and widget-ship.com, but either site can have a WS‑Security/SAML-compliant third-party security application if desired.