The Authentication Web Service defines how to perform authentication using SOAP. The exchange of authentication information between a web service consumer (WSC) and the web service provider (WSP) is accomplished using SOAP-bound messages. The messages are a series of client requests and server responses specific to the defined Simple Authentication and Security Layer (SASL) mechanism (or mode of authentication). After receiving a request for authentication (or any request from the WSC), the WSP may issue additional challenges, or indicate authentication failure or success. The Authentication Web Service is for service-to-service (non-user) authentication. The following steps describe the sequence between the WSC and the Authentication Web Service (a WSP).
The authentication exchange begins with a WSC sending an SASL authentication request to the Authentication Web Service on behalf of a principal.
The request message contains an identifier for the principal and indicates one or more SASL mechanisms from which the service can choose.
The Authentication Web Service responds by asserting the method to use and, if applicable, initiating a challenge.
If the Authentication Web Service does not support any of the cited methods, it responds by aborting the exchange.
The WSC responds with the necessary credentials for the chosen method of authentication.
The Authentication Web Service replies by approving or disproving the authentication.
If approved, the response includes the credentials the WSC needs to invoke other web services (like the Discovery Service).
The following Authentication Web Service global attribute can be configured for your implementation.
The following task is associated with configuring the Authentication Web Service:
The Mechanism Handler List attribute stores information about the SASL mechanisms supported by the Authentication Web Service. To add or modify these values, see To Configure a Mechanism Handler.
In the Federation Manager Console, click the Web Services tab.
Under Web Services, select the Authentication Service tab.
Under Mechanism Handlers List, click Add or Edit to display the Mechanism Handler attributes.
Provide values for the attributes.
Defines the SASL mechanism supported by the Authentication Web Service.
The Authentication Web Service provides a handler interface that needs to be implemented in order for each SASL mechanism to process the requested message and return a response. The class parameter specifies the name of the implementation class for the SASL mechanism. Two authentication mechanisms are supported out-of-the-box by the following classes:
This class is the default implementation for the PLAIN authentication mechanism. It maps user identifiers and passwords in the PLAIN mechanism to the user identifiers and passwords in the LDAP authentication module under the root organization.
This class is the default implementation for the CRAM-MD5 authentication mechanism.
Click OK or Save to complete the Mechanism Handler configuration.
Click Save on the Authentication Web Service page to complete the service configuration.