As per the WS-Security standards, the username token and binary security token
can be used for authenticating users. The username token can be added as part of
SOAP headers. The different types of username token models available are as follows:
• Username and password
• Kerberos tickets
• SAML assertions
• PKI through X.509 certificates
• Custom token
Apart from WS-Security, some of the other OASIS standards for SOAP security
are WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation,
and WS-Authorization.
SAML is mainly used for achieving Single Sign-On (SSO). The SAML token
provides message-level authentication along with SSO. The SAML token can
be used for propagating identity across multiple web services in a single transaction
without transferring the username and password. It can also exchange authorization
and authentication data across security domains using tokens.
The basic concept of SAML for SSO is shown in the following diagram. If a user
authenticates in one domain or website, then the user doesn't need to authenticate
again for the other domains or websites.
For example, suppose a user logs in to a website. The website authenticates the
user and creates a SAML token for its partner websites. If the user tries to log in to a
partner website, the partner website verifies the SAML token with the SAML provider instead
of asking for the username and password again. If the SAML token verifies successfully,
then the user is logged in to the partner website(s) automatically without re-entering
the username and password. Major websites and service providers such as Google,
AOL, and Yahoo have implemented SAML-based authentication for their multi-domain
web assets.