The following figure illustrates the process flow for a secured stock quotes web service using a Kerberos security token.
1. The Web Service Client authenticates to the STS1 instance with the end user's Kerberos token. The token comes from the end user logging in to the desktop at the Web Service Client, so it can also be viewed as a Kerberos token for the Web Service Client itself.
2. STS1 issues a SAML token for the end user (acting as the Web Service Client). This token is called the organizational SAML token.
3. The Web Service Client then talks to STS2, the Token Mapping Service, presenting the organizational SAML token as its authentication token.
4. STS2 converts the organizational SAML token into a functional SAML token. The functional SAML token has the same identity, or owner, as the original SAML token, but carries more attributes and privileges.
5. The Web Service Client secures the web service request to the Web Service Provider with the functional SAML token.
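To make the trust chain behind these steps concrete, the following Python simulation (an added example, not OpenSSO, Access Manager, or any other code from this page) walks the hops above and shows the check each party performs before accepting a token. HMAC signatures and dicts stand in for XML signatures and SAML assertions; the signing keys, the service principal name HTTP/sts1.example.com, the user name, the token lifetimes, and the attributes STS2 adds are all constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed keys. A real deployment uses X.509 keys and XML signatures on
# the Kerberos AP-REQ and SAML assertions; HMAC stands in for them here.
KDC_SERVICE_KEY = b"constructed-kdc-key-for-sts1-spn"   # shared by KDC and STS1
STS1_SIGNING_KEY = b"constructed-sts1-signing-key"      # trusted by STS2
STS2_SIGNING_KEY = b"constructed-sts2-signing-key"      # trusted by the provider
STS1_SPN = "HTTP/sts1.example.com"                      # assumed SPN of STS1
TOKEN_LIFETIME = 300                                    # assumed, seconds


class TokenError(Exception):
    """Raised when a hop rejects the token presented to it."""


def _canonical(claims):
    return json.dumps(claims, sort_keys=True).encode()


def sign(key, claims):
    """Return a token: the claims plus an HMAC over their canonical form."""
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify(key, token, issuer):
    """Signature, expected issuer and expiry must all check out."""
    expected = hmac.new(key, _canonical(token["claims"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    if token["claims"].get("issuer") != issuer:
        return False
    return token["claims"].get("exp", 0) >= time.time()


def desktop_logon(user, spn=STS1_SPN):
    """Desktop logon yields a Kerberos service ticket; this stands in for the
    AP-REQ the Web Service Client sends to STS1 on the user's behalf."""
    return sign(KDC_SERVICE_KEY, {"issuer": "KDC", "cname": user, "sname": spn,
                                  "exp": time.time() + TOKEN_LIFETIME})


def sts1_issue(kerberos_token):
    """STS1 validates the Kerberos token and issues the organizational SAML
    token for the same principal."""
    if not verify(KDC_SERVICE_KEY, kerberos_token, issuer="KDC"):
        raise TokenError("STS1: Kerberos token rejected")
    if kerberos_token["claims"]["sname"] != STS1_SPN:
        raise TokenError("STS1: ticket was issued for another service")
    return sign(STS1_SIGNING_KEY, {"issuer": "STS1",
                                   "subject": kerberos_token["claims"]["cname"],
                                   "attrs": {},
                                   "exp": time.time() + TOKEN_LIFETIME})


def sts2_map(org_token):
    """STS2 (Token Mapping Service) authenticates the client with the
    organizational token and returns a functional token: same subject, more
    attributes. Only STS1-signed tokens are accepted."""
    if not verify(STS1_SIGNING_KEY, org_token, issuer="STS1"):
        raise TokenError("STS2: organizational token rejected")
    # Constructed attribute lookup; a real mapping service consults a directory.
    attrs = dict(org_token["claims"]["attrs"], role="stock-trader", quote_tier="realtime")
    return sign(STS2_SIGNING_KEY, {"issuer": "STS2",
                                   "subject": org_token["claims"]["subject"],
                                   "attrs": attrs,
                                   "exp": time.time() + TOKEN_LIFETIME})


def stock_quote_service(func_token, symbol):
    """The provider accepts only STS2-issued tokens and authorizes on the
    attributes STS2 added."""
    if not verify(STS2_SIGNING_KEY, func_token, issuer="STS2"):
        raise TokenError("provider: functional token rejected")
    if func_token["claims"]["attrs"].get("role") != "stock-trader":
        raise TokenError("provider: subject lacks the stock-trader role")
    return {"symbol": symbol, "price": 42.0,  # constructed quote
            "subject": func_token["claims"]["subject"]}


def web_service_client(user, symbol):
    """Run the whole flow from the client's side; return every token so the
    chain can be inspected."""
    kerberos_token = desktop_logon(user)
    org_token = sts1_issue(kerberos_token)
    func_token = sts2_map(org_token)
    return {"kerberos": kerberos_token, "organizational": org_token,
            "functional": func_token,
            "response": stock_quote_service(func_token, symbol)}


def rejected(hop, *args):
    """True if the given hop refuses the token it is handed."""
    try:
        hop(*args)
    except TokenError:
        return True
    return False
```

Each hop trusts exactly one upstream issuer: STS1 trusts the KDC, STS2 trusts STS1's signing key, and the provider trusts STS2's. That is why the organizational token on its own is refused by the provider, a ticket for a different SPN is refused by STS1, and editing an attribute on the functional token (for example, upgrading the role) breaks its signature. In a real deployment those trust relationships are the certificates and keystores configured on each agent profile, not the shared secrets used in this simulation.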
The following are configuration suggestions for this use case:

STS client agent - profile name is STS1
    Security mechanism: Kerberos
    of STS1 service
    of STS1 service

STS client agent - profile name is STS2
    Security mechanism: STSSecurity, using STS1
    of STS2 service
    of STS2 service

WSC agent - profile name is StockService or WSC
    Security mechanism: STSSecurity, using STS2
    Default