How the Chain Authentication Service Model Works

The chain authentication model is appropriate for solutions that require XML messages to flow between multiple web services without further intervention from the requesting web service consumer.

In the chain authentication service model, a single web service is responsible for authenticating all incoming web service requests. This authentication service verifies a web service consumer’s identity, and then adds authentication data in the form of WS‑Security headers or a SAML Session Ticket assertion to the XML message. It then passes the document to downstream web services for processing.

The following illustration shows the flow of data in the chain authentication model.

Chain authentication model data flow

  1. The web service consumer sends a request for access to a protected web service in the form of an XML document.
  2. The SOA Agent receives the request, extracts credentials and passes them to the Policy Server, which authenticates the web service request with an appropriate authentication scheme.
  3. After authentication, the request goes through the authorization process. A response attribute associated with the authorizing policy causes the Policy Server to generate a response, which it sends to the SOA Agent, instructing the agent to return authentication data to the authentication web service.
  4. The authentication web service sends the XML message and authentication data to the next web service downstream.
  5. Downstream web services are configured so that each passes the XML message and authentication data to the next web service in the chain. The requests are allowed access without having to reauthenticate because of the authentication data supplied with the request message.
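The five steps above as a runnable simulation (added example, not CA SiteMinder or SOA Agent code): the consumer authenticates once, the authentication service inserts authentication data into the SOAP header, and each downstream service admits the message on the strength of that data instead of re-authenticating. Since the page does not describe how downstream agents validate the WS-Security or SAML data, an HMAC-signed token in a `wsse:BinarySecurityToken` stands in for it; the consumer credentials, key and request are constructed values.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

# Standard SOAP 1.1 and WS-Security 1.0 namespace URIs.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)

# Constructed values: consumer credential store and a key shared by the authentication service and downstream services.
CONSUMERS = {"orders-client": "s3cret"}
CHAIN_KEY = b"constructed-demo-key-not-for-production"

# Constructed request: the XML document the consumer sends in step 1.
REQUEST = (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
           "<GetOrder><OrderId>42</OrderId></GetOrder></soap:Body></soap:Envelope>")

def _mac(user: str) -> str:
    """HMAC over the asserted identity, standing in for the signature on a real assertion."""
    return base64.b64encode(hmac.new(CHAIN_KEY, user.encode(), hashlib.sha256).digest()).decode()

def authentication_service(envelope: str, user: str, password: str) -> str:
    """Steps 2-4: authenticate the consumer once, then attach authentication data to the message."""
    if CONSUMERS.get(user) != password:
        raise PermissionError("initial authentication failed")
    root = ET.fromstring(envelope)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:                       # SOAP requires Header to precede Body
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}BinarySecurityToken")
    token.text = f"{user}|{_mac(user)}"      # constructed token format: identity|mac
    return ET.tostring(root, encoding="unicode")

def downstream_service(envelope: str) -> str:
    """Step 5: admit the request without re-authenticating, but only if the authentication data verifies."""
    token = ET.fromstring(envelope).find(f".//{{{WSSE}}}BinarySecurityToken")
    if token is None or not token.text or "|" not in token.text:
        raise PermissionError("no authentication data in WS-Security header")
    user, mac = token.text.split("|", 1)
    if not hmac.compare_digest(mac, _mac(user)):
        raise PermissionError("authentication data forged or altered in transit")
    return envelope                          # passed on unchanged to the next service in the chain

def run_chain(envelope: str, user: str, password: str, hops: int = 3) -> str:
    # Consumer -> authentication service -> `hops` downstream services; returns the identity that arrived.
    message = authentication_service(envelope, user, password)
    for _ in range(hops):
        message = downstream_service(message)
    return ET.fromstring(message).find(f".//{{{WSSE}}}BinarySecurityToken").text.split("|")[0]
```

Because the downstream services trust this data instead of re-authenticating, its integrity protection is what the whole chain rests on. A real assertion also carries an expiry and is bound to the message it travels with, which this stand-in omits.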

The most appropriate authentication schemes for initial authentication of requests from the web service consumer by the authentication web service in the chain authentication model are as follows:

The authorizing policy for the authentication web service should trigger one of the following responses:

These responses instruct the SOA Agent to add WS‑Security headers or SAML Session Ticket assertions (as appropriate) to the XML request passed to the next downstream web service in the chain, which should then be protected using the corresponding authentication scheme:

Note: SOA Agents can be configured to accept information from a SiteMinder session (SMSESSION) cookie sent in the HTTP header of a request as a means of authenticating a client, and they always add such cookies to request headers upon successful authentication and authorization. CA SiteMinder session cookies can therefore be used to implement chain authentication within an all-CA SiteMinder/SOA Security Manager environment.