Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Use Case 1

The following figure illustrates the process flow for a secured stock quotes web service using a Kerberos security token.

Figure 11–6 Process Flow for a Stock Quote Web Service Using Kerberos Security Token

[Figure: communication among the Secure Token Services, the Web Service Client, and the Web Service Provider.]

  1. The Web Service Client authenticates to the STS1 instance with the end user's Kerberos token.

    The end user logs in to the Desktop at the Web Service Client. This can be viewed as a Kerberos token for the Web Service Client, too.

  2. The Web Service Client gets the SAML token for the end user (Web Service Client).

  3. The Web Service Client then talks to STS2 (the Token Mapping Service).

  4. The Web Service Client converts the end user's (Web Service Client) SAML token to a functional SAML token.

    This is called an organizational SAML token and is used as the Web Service Client's authentication token to STS2. The functional SAML token has the same identity (owner) as the original SAML token, but carries more attributes and privileges.

  5. The Web Service Client then secures the web services request to the Web Service Provider with the functional SAML token.

The following are configuration suggestions for this use case:

  1. STS client agent - profile name is STS1

    Security Mechanism: Kerberos
    STS End Point: of STS1 service
    STS Max End Point: of STS1 service

  2. STS client agent - profile name is STS2

    Security Mechanism: STSSecurity
    STS config: STS1
    STS End Point: of STS2 service
    STS Max End Point: of STS2 service

  3. WSC agent - profile name is StockService or WSC

    Security Mechanism: STSSecurity
    STS config: STS2
    WSP End Point: Default
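The token chain in the process flow above (Kerberos to STS1, STS1 token to STS2, functional token to the Web Service Provider) and the trust relationships implied by the configuration suggestions (STS2 trusts STS1, the WSC/WSP side trusts STS2), as an added toy model that is not OpenSSO code. It uses HMAC-signed JSON in place of real SAML assertions and assumes that Kerberos authentication has already succeeded; the keys, attribute names and principal are constructed values.

```python
import hmac
import hashlib
import json

# Constructed signing keys for the toy model (not OpenSSO configuration values).
KEYS = {"STS1": b"sts1-signing-key", "STS2": b"sts2-signing-key"}


def issue(issuer, subject, attributes):
    """Issue a signed SAML-like token as a (body, signature) pair."""
    body = json.dumps({"issuer": issuer, "subject": subject,
                       "attributes": attributes}, sort_keys=True)
    sig = hmac.new(KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return body, sig


def verify(token, expected_issuer):
    """Return the token body if the signature is valid for expected_issuer, else None."""
    body, sig = token
    expected = hmac.new(KEYS[expected_issuer], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(body)
    return data if data["issuer"] == expected_issuer else None


def subject_of(token):
    """Identity (owner) named in a token, without checking its signature."""
    return json.loads(token[0])["subject"]


def sts1_issue(kerberos_principal):
    """Steps 1-2: STS1 issues the end user's SAML token (Kerberos check assumed done)."""
    return issue("STS1", kerberos_principal, {})


def sts2_map(user_token):
    """Steps 3-4: STS2 maps an STS1 token to a functional token with more attributes.
    The subject is preserved; a token not verifiably issued by STS1 is refused."""
    data = verify(user_token, "STS1")
    if data is None:
        return None
    return issue("STS2", data["subject"], {"role": "stock-quote-reader", "org": "example-org"})


def wsp_accept(token):
    """Step 5: the provider accepts only functional tokens issued by STS2."""
    data = verify(token, "STS2")
    return data is not None and "role" in data["attributes"]
```

A token signed by STS1 presented directly to the provider is rejected, which is the point of configuring STS2 (not STS1) as the STS for the WSC agent.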