The user specified in soap.username is known as the proxy user.
Specify exactly one of the two password properties for the proxy user:
Specifying soap.password is the simplest option, but it stores the proxy user's password in clear text in the properties file, so anyone who can read that file obtains the password.
Specifying soap.epassword is the more secure option, but you must perform extra steps to generate the encrypted password value.
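The following audit is an added example, not code from the Identity Manager product or its documentation. It loads a properties file, applies the rules above (a proxy user needs exactly one password property, and soap.password means a clear-text secret), and additionally warns when the file is readable by group or others, which is the condition that turns a clear-text soap.password into an exposure. The path passed on the command line is whatever properties file holds your soap.* settings; no file name is assumed here.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.Set;

/** Audits the soap.* proxy-user settings in an Identity Manager properties file (added example). */
public class SoapProxyUserCheck {

    /** Returns the list of findings; an empty list means the proxy-user settings look sound. */
    public static List<String> audit(Properties props) {
        List<String> findings = new ArrayList<>();
        String user = props.getProperty("soap.username");
        String clear = props.getProperty("soap.password");
        String enc = props.getProperty("soap.epassword");

        if (user == null || user.trim().isEmpty()) {
            // No proxy user: the password properties are irrelevant and nothing else applies.
            findings.add("soap.username is not set: no proxy user is defined");
            return findings;
        }
        if (clear == null && enc == null) {
            findings.add("soap.username is set but neither soap.password nor soap.epassword is");
        }
        if (clear != null && enc != null) {
            findings.add("both soap.password and soap.epassword are set; specify only one");
        }
        if (clear != null) {
            findings.add("soap.password stores the proxy user's password in clear text; prefer soap.epassword");
        }
        return findings;
    }

    /** Same rules, plus a warning when the file itself is readable by anyone but its owner. */
    public static List<String> auditFile(Path file) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        List<String> findings = audit(props);
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                findings.add(file + " is readable by group or others; a clear-text soap.password here is exposed");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (for example Windows): the permission check is skipped.
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java SoapProxyUserCheck <properties-file>");
            System.exit(2);
        }
        List<String> findings = auditFile(Paths.get(args[0]));
        if (findings.isEmpty()) {
            System.out.println("proxy-user settings: OK");
        } else {
            for (String f : findings) {
                System.out.println("WARNING: " + f);
            }
            System.exit(1);
        }
    }
}
```

Run it against a copy of the file on the server, not a copy pulled onto a workstation: if soap.password is present, the copy itself is a clear-text credential and should be handled accordingly.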
Establishing a proxy user is convenient for clients because the web service itself does not require them to authenticate; Identity Manager performs every SPML operation as the proxy user. This configuration is common in portal environments where the Identity Manager server is accessed only by other applications that handle user authentication themselves.
Using a proxy user is dangerous if the HTTP port on which the Identity Manager server listens is reachable beyond those trusted applications. Anyone who knows the server's URL and can construct SPML requests can have the proxy user carry out any Identity Manager operation it is authorized for, with no credential of their own. If you rely on a proxy user, restrict network access to that port to the hosts that legitimately call it, and give the proxy user only the capabilities those callers actually need, so that a compromise of the endpoint is bounded by the proxy user's rights.
The SPML standard does not specify how to perform authentication and authorization. Several related web standards are available for authentication, but these standards are not yet in common use. At this time, the most common approach is to use Secure Sockets Layer (SSL) between applications and the server. Note that SSL with only a server certificate protects the confidentiality and integrity of requests in transit; it does not identify the client unless you also configure client certificate authentication. Identity Manager does not dictate how to configure SSL.
If you cannot use a proxy user or SSL, Identity Manager supports a vendor-specific extension to SPML that allows the client to log in with its own credentials and maintain a session token, which authenticates its subsequent requests. Use the LighthouseClient class (an extension of the SpmlClient class that adds support for specifying credentials) to perform the login request; it then passes the session token in every SPML request it sends.
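The following client is an added example, not code from the Identity Manager documentation or product, showing the session-token flow described above: log in as a named user rather than relying on a proxy user, issue an SPML request that the client carries the session token for, and log out so the session cannot be reused. The AddRequest and SpmlResponse classes and the setUrl and request methods are those of the OpenSPML 1.0 client library; the LighthouseClient package name and its setUser, setPassword, login and logout methods are assumed from the description on this page, so verify them against the javadoc shipped with your Identity Manager version. The URL, user name and password are placeholders.

```java
// Added example: authenticating SPML requests with an Identity Manager session token.
import org.openspml.message.AddRequest;     // OpenSPML 1.0 message class
import org.openspml.message.SpmlResponse;   // OpenSPML 1.0 response class
import com.waveset.rpc.LighthouseClient;    // package name assumed; check your javadoc

public class SessionAuthenticatedSpml {

    /**
     * Creates one Identity Manager user while authenticated as {@code loginUser}.
     * Returns the SPML result string of the add request.
     */
    public static String createUser(String url, String loginUser, String loginPassword,
                                    String newAccountId, String newEmail) throws Exception {
        LighthouseClient client = new LighthouseClient();
        // Use an https URL so the login credentials and the session token are not sent in clear text.
        client.setUrl(url);
        client.setUser(loginUser);          // assumed method name
        client.setPassword(loginPassword);  // assumed method name

        // login() performs the vendor-specific login request; the session token it obtains
        // is attached by the client to every SPML request that follows.
        client.login();                     // assumed method name
        try {
            AddRequest add = new AddRequest();
            add.setIdentifier(newAccountId);
            add.setObjectClass("user");
            add.setAttribute("email", newEmail);

            SpmlResponse response = client.request(add);
            return response.getResult();
        } finally {
            // Always invalidate the session, even when the request throws, so the
            // token cannot be replayed by anything that later observes it.
            client.logout();                // assumed method name
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; read the password from a protected source in real deployments.
        String result = createUser(
                "https://idm.example.com:8443/idm/servlet/rpcrouter2",
                "spmlclient", "CHANGE-ME",
                "jdoe", "jdoe@example.com");
        System.out.println("add request result: " + result);
    }
}
```

With this pattern the account under which the client logs in, rather than a shared proxy user, is the one whose rights bound what the request can do, so it can be given exactly the capabilities the integration needs and its activity appears under its own name in Identity Manager's audit records.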
The Service Provider SPML interface does not support authentication or authorization. If you need either, configure the Identity Manager SPML interface to use the IDMXUser view instead of Service Provider SPML.
Service Provider assumes that clients accessing Identity Manager have already been authenticated and authorized by an access management application. Any client that can reach the Service Provider SPML interface has all possible rights, so the interface must be reachable only through that access management layer.
To prevent sensitive data from being exposed between the client and Identity Manager, access the Service Provider SPML interface over SSL.