The following figure illustrates the process flow for a bank loan web service using an X509 security token.

1. WSC1 authenticates to STS1 with its X509 token.
2. WSC1 gets the SAML1 token (the owner is WSC1).
3. WSC1 secures the web service request to WSP1 with its SAML1 token.
4. WSP1/WSC2 passes this SAML1 token of WSC1 through unchanged to WSP2.
5. WSC2 secures the web service request to WSP2 with the SAML1 token of WSC1.
6. WSP2 then authenticates to STS2 with its X509 token.
7. WSP2 sends the SAML1 token of WSC1 as an On Behalf Of token in order to convert it to a SAML2 token for WSC1.
8. STS2 sends back to WSP2 the converted SAML token for WSC1.
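Steps 7 and 8 (WSP2 asking STS2 to convert WSC1's SAML1 token via On Behalf Of) as an added, simplified example; this is not code from the product described here. The SAML1 token, the STS issuer names and the sts2_convert logic are constructed for illustration, and signature and trust checks that a real STS performs are only noted in comments.

```python
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

# Constructed sample: the SAML1 token STS1 issued to WSC1 in step 2 (signature omitted).
WSC1_SAML1_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
  AssertionID="_wsc1-token" Issuer="STS1" IssueInstant="2024-01-01T00:00:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
    AuthenticationInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameIdentifier>WSC1</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def build_rst_on_behalf_of(saml1_token_xml: str) -> str:
    """WSP2 builds a WS-Trust Issue request for a SAML2 token and places WSC1's
    SAML1 token in OnBehalfOf (WSP2 itself authenticates with its own X509 token)."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = SAML2_TOKEN_TYPE
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = f"{WST}/Issue"
    obo = ET.SubElement(rst, f"{{{WST}}}OnBehalfOf")
    obo.append(ET.fromstring(saml1_token_xml))
    return ET.tostring(rst, encoding="unicode")

def sts2_convert(rst_xml: str, requester: str) -> str:
    """Hypothetical STS2 logic: issue a SAML2 assertion whose subject is the
    OnBehalfOf token's subject (WSC1), not the requester (WSP2)."""
    rst = ET.fromstring(rst_xml)
    if rst.findtext(f"{{{WST}}}TokenType") != SAML2_TOKEN_TYPE:
        raise ValueError("only SAML2 issuance is supported")
    obo_assertion = rst.find(f"{{{WST}}}OnBehalfOf/{{{SAML1}}}Assertion")
    if obo_assertion is None:
        raise ValueError("OnBehalfOf must carry a SAML1 assertion")
    subject = obo_assertion.findtext(f".//{{{SAML1}}}NameIdentifier")
    if not subject:
        raise ValueError("OnBehalfOf assertion has no subject")
    # A real STS would also verify the SAML1 signature, the issuer (STS1) trust,
    # the validity window, and that `requester` may act on behalf of `subject`.
    assertion = ET.Element(f"{{{SAML2}}}Assertion", Version="2.0", ID="_converted-for-" + subject)
    ET.SubElement(assertion, f"{{{SAML2}}}Issuer").text = "STS2"
    subj = ET.SubElement(assertion, f"{{{SAML2}}}Subject")
    ET.SubElement(subj, f"{{{SAML2}}}NameID").text = subject
    return ET.tostring(assertion, encoding="unicode")

def saml2_subject(assertion_xml: str) -> str:
    """Extract the NameID from an issued SAML2 assertion (what WSP2 receives in step 8)."""
    return ET.fromstring(assertion_xml).findtext(f".//{{{SAML2}}}NameID")
```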
The following are suggested configurations:

- Web Service Client agent (profile name LoanRequestorService, for WSC1):
  - STSSecurity
  - SecurityTokenService
- Web Service Provider agent (profile name wsp, for WSP2):
  - Default
  - ldapService
  - SAML2 token
- WSC agent (profile name LoanProcessorService, for WSC2):
  - Enabled