Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Use Case 3

The following figure illustrates the process flow for a bank loan web service using an X509 security token.

Figure 11–8 Process Flow for a Bank Loan Web Service Using an X509 Security Token

Communication among Security Token Service, Web Service Clients, and Web Service Providers.

  1. WSC1 authenticates to STS1 with its X509 token.

  2. WSC1 gets the SAML1 token (owner is WSC1).

  3. WSC1 secures the web service to WSP1 with its SAML1 token.

  4. WSP1/WSC2 passes only this SAML1 token of WSC1 through to WSP2.

    It secures the web service to WSP2 with the SAML1 token of WSC1.

  5. WSP2 then authenticates to STS2 with its X509 token.

    It sends the SAML1 token of WSC1 as the On Behalf Of token in order to convert it to a SAML2 token for WSC1.

  6. STS2 sends back to WSP2 the converted SAML token for WSC1.
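The step 5 and step 6 exchange above, sketched as an added example; it is not code from this guide or from OpenSSO. It assumes WS-Trust 1.3 element names with an Issue request, reads "SAML1" as a SAML 1.x assertion, and uses a constructed, unsigned sample assertion; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Assumed versions: WS-Trust 1.3 messages, SAML 1.x assertion as the SAML1 token.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ISSUE = WST + "/Issue"

def sample_saml1_assertion(owner: str) -> ET.Element:
    """Constructed, unsigned stand-in for the SAML1 token issued by STS1."""
    a = ET.Element(f"{{{SAML1}}}Assertion", {"Issuer": "STS1"})
    stmt = ET.SubElement(a, f"{{{SAML1}}}AuthenticationStatement")
    subj = ET.SubElement(stmt, f"{{{SAML1}}}Subject")
    ET.SubElement(subj, f"{{{SAML1}}}NameIdentifier").text = owner
    return a

def build_rst(on_behalf_of_assertion: ET.Element) -> bytes:
    """Step 5: WSP2 asks STS2 for a SAML2 token on behalf of WSC1."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2_TOKEN
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{WST}}}OnBehalfOf").append(on_behalf_of_assertion)
    return ET.tostring(rst)

def sts_convert(rst_xml: bytes, authenticated_requester: str) -> dict:
    """Step 6, STS2 side: decide whose identity the converted token carries."""
    rst = ET.fromstring(rst_xml)  # constructed input only in this example
    if rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
        raise ValueError("unsupported RequestType")
    obo = rst.find(f"{{{WST}}}OnBehalfOf")
    name = obo.find(f".//{{{SAML1}}}NameIdentifier") if obo is not None else None
    if name is None or not (name.text or "").strip():
        raise ValueError("OnBehalfOf token missing or has no subject")
    # A real STS must also verify the assertion's signature, issuer trust and
    # validity window before using its subject; that is omitted here.
    return {
        "token_type": rst.findtext(f"{{{WST}}}TokenType"),
        "subject": name.text.strip(),             # WSC1, the original owner
        "requested_by": authenticated_requester,  # WSP2, from its X509 token
    }

if __name__ == "__main__":
    rst = build_rst(sample_saml1_assertion("WSC1"))
    print(sts_convert(rst, authenticated_requester="WSP2"))
```

The result keeps the two identities apart: the converted token's subject is WSC1, while the party that authenticated to STS2 is WSP2.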

The following are suggested configurations:

  1. Web Service Client agent - profile name is LoanRequestorService for WSC1

    Security Mechanism:


    STS Configuration:


  2. Web Service Provider agent - profile name is wsp for WSP2

    Web Service Provider End Point:


    Authentication Chain:


    Token Conversion Type:

    SAML2 token

  3. WSC agent - profile name is LoanProcessorService for WSC2

    Use Pass Through Security Token: