How the Multistep Authentication Model Works

The multistep authentication model is like the CA SiteMinder cookie-based single sign-on implementation, in which WS‑Security headers or SAML Session Ticket assertions take the place of the cookie.

In the multistep authentication model, a single web service is responsible for authenticating all incoming web service requests. This authentication service verifies a web service consumer’s identity and returns an XML message with authentication data in the form of WS‑Security headers or a SAML Session Ticket assertion. The web service consumer can then attach this authentication data to subsequent requests so that other associated web services can authenticate them.

The process that the web service consumer goes through when making a request has two phases:

  1. Obtaining the authentication data
  2. Using the authentication data to access other web services

The following illustration shows how requests are processed in the multistep authentication service model:

Multi-step authentication flow

  1. The web service consumer sends a request for access to a protected web service in the form of an XML document.
  2. The SOA Agent receives the request, extracts credentials and passes them to the Policy Server, which authenticates the web service request with an appropriate authentication scheme.

    After authentication, the request goes through the authorization process. A response attribute associated with the authorizing policy causes the Policy Server to generate a response which it sends to the SOA Agent, instructing it to return authentication data to the web service.

  3. The web service returns the authentication data back to the web service consumer (typically in an XML document, but synchronized sessioning SAML assertions can also be returned in HTTP headers or a cookie).
  4. For subsequent requests, the web service consumer passes XML messages that include the authentication data it received from the authentication service to other associated web services.
  5. The requests are allowed access without having to reauthenticate because the authentication data is supplied with the request message (in effect, providing single sign-on).
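The two-phase exchange above, as an added example that is not CA SiteMinder or SOA Security Manager code: a constructed HMAC-signed session ticket stands in for the product's WS-Security header or SAML Session Ticket assertion, the consumer embeds it in a WS-Security header of its next SOAP request, and the associated web service checks the ticket's integrity and expiry before granting access. SHARED_KEY, the ticket layout and the demo SOAP body are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Assumption: a key shared by the authentication service and the associated services.
SHARED_KEY = b"constructed-demo-key"

def issue_ticket(subject, now, ttl=300, key=SHARED_KEY):
    """Phase 1: the authentication service returns signed session data (constructed format)."""
    payload = f"{subject}|{now + ttl}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{payload}|{mac}".encode()).decode()

def build_request(body_xml, ticket):
    """Phase 2: the consumer carries the ticket in a WS-Security header of a SOAP envelope."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(hdr, f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken")
    tok.text = ticket
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

def verify_request(envelope_xml, now, key=SHARED_KEY):
    """Associated service: accept only an intact, unexpired ticket; return the subject or None."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken")
    if tok is None or not tok.text:
        return None  # no authentication data supplied: the request must authenticate itself
    try:
        subject, exp, mac = base64.b64decode(tok.text).decode().split("|")
        exp = int(exp)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed ticket
    expected = hmac.new(key, f"{subject}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or issued under a different key
    if now >= exp:
        return None  # expired session data must not grant access
    return subject
```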

Appropriate authentication schemes for initial authentication by the authentication web service in the multistep authentication model are as follows:

The authorizing policy for the authentication web service should trigger one of the following response types:

These responses instruct the SOA Agent to pass authentication data in the form of WS‑Security headers or SAML Session Ticket assertions (as appropriate) back to the web service consumer for use in requests to associated web services. The associated web services should be protected using the corresponding authentication scheme:

Note: SOA Agents can be configured to accept information from a CA SiteMinder session (SMSESSION) cookie in the HTTP header of a request as a means of authenticating a client, and they always add such cookies to request headers upon successful authentication and authorization. CA SiteMinder session cookies can therefore be used to implement multistep authentication within an all-CA SiteMinder/SOA Security Manager environment.