Configuration Guides › Policy Configuration Guide › Authentication Schemes › WS‑Security Authentication › How the Multistep Authentication Service Model Works Using WS‑Security

How the Multistep Authentication Service Model Works Using WS‑Security

The multistep authentication service model is an environment in which one authentication service is responsible for authenticating all web service consumer requests. When the authentication service verifies a requester's identity, it returns WS‑Security headers that the web service consumer can use for highly secure authentication of subsequent requests.

The process that the web service consumer goes through when making a request has two phases:

• Obtaining the WS‑Security headers
• Using the WS‑Security headers to access other web services

The following illustration shows the multistep authentication service model using WS‑Security headers.

1. The web service consumer sends a request in the form of a SOAP document.
2. The SOA Agent receives the request and passes it to the Policy Server, which authenticates the web service consumer using a supported authentication scheme.

   The XML request goes through the authorization process after authentication. If the web service consumer is authorized, a WS‑Security response attribute associated with the authorizing policy causes the Policy Server to generate a response and send it to the SOA Agent.

3. The Agent uses the response to generate and adds WS‑Security headers to the request's SOAP headers. The SOA Agent then passes the SOAP request to the web service, which returns it to the web service consumer.

   Note: The WS‑Security token is included in the SOAP message forwarded to the next web service in the chain, not the response data returned from the Policy Server. That data is returned only to the SOA Agent, which includes it in WS‑Security headers.

4. For subsequent requests, the web service consumer passes the original or a new SOAP document that includes the WS‑Security token to another web Service (within the Policy Server domain or at a federated enterprise) protected with the WS‑Security authentication scheme.
5. The request is authenticated based on the WS‑Security token and granted access to the web service.