

Authentication Service Models

The ability of CA SiteMinder® Web Services Security to obtain security information from XML documents without user interaction and produce WS-Security headers, SAML Session Ticket assertions, and SiteMinder session cookies lets you securely deploy web services using a number of service models.

Single-step Authentication Service Model

All requests are authenticated and handled by a single web service.

Multistep Authentication Service Model

All requests are sent to a web service responsible for authentication, which then returns the message and authentication data back to the web service consumer. The web service consumer application can then send requests containing this authentication data to other related web services within or across domains.

Chain Authentication Service Model

All requests are received by a web service responsible for authentication and then passed, with authentication data, to one or more other web services for handling. That is, message and authentication data always flow from the authentication web service directly to the next required web service, and from there to the next web service and so on, without further interaction from the web service consumer.

Choosing the appropriate authentication service model is the first, and probably most significant, decision you must make when designing a web service implementation. Your choice of service model also plays a significant role in determining the most appropriate CA SiteMinder® Web Services Security authentication schemes to use.

How the Single-Step Authentication Model Works

The single-step service model is the simplest possible model for web services—requests from a web service consumer are authenticated and handled by a single web service. The following diagram shows the process by which web services consumers are authenticated using this simple model:

Diagram illustrating the single step authentication process

Appropriate authentication schemes for use in the single-step authentication model are as follows:

How the Multistep Authentication Model Works

The multistep authentication model is like the CA SiteMinder cookie-based single sign-on implementation, in which WS-Security headers or SAML Session Ticket assertions take the place of the cookie.

In the multistep authentication model, a single web service is responsible for authenticating all incoming web service requests. This authentication service verifies a web service consumer’s identity and returns an XML message with authentication data in the form of WS-Security headers or a SAML Session Ticket assertion. The web service consumer can then add this authentication data to subsequent requests so that other associated web services can authenticate them.

The process that the web service consumer goes through when making a request has two phases:

  1. Obtaining the authentication data
  2. Using the authentication data to access other web services

The following illustration shows how requests are processed in the multistep authentication service model:

Diagram illustrating the flow of data during multi-step authentication

  1. The web service consumer sends a request for access to a protected web service in the form of an XML document.
  2. The SiteMinder WSS Agent receives the request, extracts credentials and passes them to the Policy Server, which authenticates the web service request with an appropriate authentication scheme.

    After authentication, the request goes through the authorization process. A response attribute associated with the authorizing policy causes the Policy Server to generate a response which it sends to the SiteMinder WSS Agent, instructing it to return authentication data to the web service.

  3. The web service returns the authentication data back to the web service consumer (typically in an XML document, but synchronized sessioning SAML assertions can also be returned in HTTP headers or a cookie).
  4. For subsequent requests, the web service consumer passes XML messages that include the authentication data it received from the authentication service to other associated web services.
  5. The requests are allowed access without having to reauthenticate because the authentication data is supplied with the request message (in effect, providing single sign-on).

Appropriate authentication schemes for initial authentication by the authentication web service in the multistep authentication model are as follows:

The authorizing policy for the authentication web service should trigger one of the following response types:

These responses instruct the SiteMinder WSS Agent to pass authentication data in the form of WS-Security headers or SAML Session Ticket assertions (as appropriate) back to the web service consumer for use in requests to associated web services. The associated web services should be protected using the corresponding authentication scheme:

More information:

Multistep and Chain Authentication Using SiteMinder Session Tickets

How the Chain Authentication Service Model Works

The chain authentication model is appropriate for solutions that require XML messages to flow between multiple web services without further intervention from the requesting web service consumer.

In the chain authentication service model, a single web service is responsible for authenticating all incoming web service requests. This authentication service verifies a web service consumer’s identity, and then adds authentication data in the form of WS-Security headers or a SAML Session Ticket assertion to the XML message. It then passes the document to downstream web services for processing.

The following illustration shows the flow of data in the chain authentication model.

Diagram illustrating the flow of data during chain authentication

  1. The web service consumer sends a request for access to a protected web service in the form of an XML document.
  2. The SiteMinder WSS Agent receives the request, extracts credentials and passes them to the Policy Server, which authenticates the web service request with an appropriate authentication scheme.
  3. After authentication, the request goes through the authorization process. A response attribute associated with the authorizing policy causes the Policy Server to generate a response which it sends to the SiteMinder WSS Agent, instructing it to return authentication data to the authentication web service.
  4. The authentication web service sends the XML message and authentication data to the next web service downstream.
  5. Downstream web services are configured so that each passes the XML message and authentication data to the next web service in the chain. The requests are allowed access without having to reauthenticate because of the authentication data supplied with the request message.

The most appropriate authentication schemes for initial authentication of requests from the web service consumer by the authentication web service in the chain authentication model are as follows:

The authorizing policy for the authentication web service should trigger one of the following responses:

These responses instruct the SiteMinder WSS Agent to add WS-Security headers or SAML Session Ticket assertions (as appropriate) to the XML request passed to the next downstream web service in the chain, which should then be protected using the corresponding authentication scheme:
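The two flows described above, the multistep model (consumer obtains authentication data once and reuses it) and the chain model (authentication service forwards the message downstream), as a single runnable simulation. This is an added example written for this page, not CA SiteMinder code: one Python module plays the authentication web service (WSS Agent and Policy Server collapsed into one function), the downstream web services and the consumer. The HMAC-signed, expiring token it attaches is a constructed stand-in for the WS-Security header or SAML Session Ticket assertion the product returns; the shared secret, token lifetime, user store and message layout are all assumptions. The wsse namespace and the UsernameToken and BinarySecurityToken element names are real WS-Security definitions, but the token contents are ours.

```python
"""Toy model of the multistep and chain authentication service models
(added example; the token format, secret and user store are constructed)."""
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

# Real WS-Security (wsse) namespace; the token placed inside it is our own stand-in.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS = {"wsse": WSSE_NS}
ET.register_namespace("wsse", WSSE_NS)

SHARED_SECRET = b"constructed-demo-secret"              # assumption: known to all services
TOKEN_TTL = 300                                          # assumption: token lifetime, seconds
USER_STORE = {"alice": "correct horse battery staple"}   # constructed user store

def build_request(username, password, body="<Ping/>"):
    """Constructed consumer request: an envelope carrying a wsse:UsernameToken."""
    return (f'<Envelope xmlns:wsse="{WSSE_NS}"><Header><wsse:Security>'
            f"<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>"
            f"<wsse:Password>{password}</wsse:Password></wsse:UsernameToken>"
            f"</wsse:Security></Header><Body>{body}</Body></Envelope>")

def issue_token(username, now=None):
    """Signed, expiring token: base64(JSON claims) + '.' + HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    claims = json.dumps({"sub": username, "exp": now + TOKEN_TTL}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    tag = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_token(token, now=None):
    """Return the subject if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    payload, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):           # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if claims["exp"] > now else None

def authenticate(request_xml, now=None):
    """Authentication web service: check the UsernameToken against the user store,
    strip the password and attach a token. Returns None if credentials are rejected."""
    root = ET.fromstring(request_xml)
    security = root.find("Header/wsse:Security", NS)
    utoken = security.find("wsse:UsernameToken", NS) if security is not None else None
    if utoken is None:
        return None
    user = utoken.findtext("wsse:Username", namespaces=NS) or ""
    pwd = utoken.findtext("wsse:Password", namespaces=NS) or ""
    if user not in USER_STORE or not hmac.compare_digest(pwd.encode(), USER_STORE[user].encode()):
        return None
    security.remove(utoken)                              # never forward the password
    bst = ET.SubElement(security, f"{{{WSSE_NS}}}BinarySecurityToken")
    bst.text = issue_token(user, now)
    return ET.tostring(root, encoding="unicode")

def downstream_service(name, message_xml, now=None):
    """Associated web service: trusts a valid token and never re-prompts for credentials."""
    root = ET.fromstring(message_xml)
    bst = root.find("Header/wsse:Security/wsse:BinarySecurityToken", NS)
    user = verify_token(bst.text, now) if bst is not None and bst.text else None
    return {"service": name, "user": user, "authenticated": user is not None}

def multistep(request_xml, services, now=None):
    """Multistep model: the consumer authenticates once, gets the message back with
    the token attached, and itself sends that message to each associated service."""
    authenticated = authenticate(request_xml, now)
    if authenticated is None:
        return [{"service": s, "user": None, "authenticated": False} for s in services]
    return [downstream_service(s, authenticated, now) for s in services]

def chain(request_xml, services, now=None):
    """Chain model: the authentication service forwards the message to the first hop
    and each hop forwards to the next; a hop that rejects the token stops the chain."""
    message = authenticate(request_xml, now)
    results = []
    for s in services:
        if message is None:
            results.append({"service": s, "user": None, "authenticated": False})
            continue
        result = downstream_service(s, message, now)
        results.append(result)
        if not result["authenticated"]:
            message = None                               # do not forward an unauthenticated message
    return results

if __name__ == "__main__":
    req = build_request("alice", "correct horse battery staple")
    print(multistep(req, ["orders", "billing"]))
    print(chain(req, ["intake", "pricing", "ledger"]))
```

The point the simulation makes is the one the two models share: the password is verified exactly once, by the authentication web service, and is stripped before the message travels anywhere else; every downstream hop trusts only the signed, expiring token, so a tampered or expired token is refused without any round trip back to the consumer. In the real product the Policy Server response generates the header or assertion and the associated web services are protected with the matching authentication scheme, as the text above describes.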

More information:

Multistep and Chain Authentication Using SiteMinder Session Tickets

Multistep and Chain Authentication Using SiteMinder Session Tickets

Although CA SiteMinder® Web Services Security is primarily designed to provide message content-based security for web services, it also provides limited support for CA SiteMinder® session ticket-based session management. A CA SiteMinder® session cookie contains basic information about the user account that is associated with a request and authentication information for that user. The session cookie can be used to identify a user session across all sites within a single cookie domain in your WSS environment.

SiteMinder WSS Agents always add session cookies to HTTP request headers upon successful authentication and authorization. SiteMinder WSS Agents that have access to HTTP header information can be configured to authenticate a request using a session cookie in the HTTP request header. In this case, there is no need to configure responses to generate other token types at the authentication web service.

For example, in the following environment, session cookies can be used without the need to configure WS-Security or SAML Session Ticket responses at the authentication web service:

To configure SiteMinder WSS Agents to validate requests using associated session tickets, set the XMLSDKAcceptSMSessionCookie agent configuration parameter. See the SiteMinder WSS Agent documentation for details.