
Oracle CRM On Demand Stateless Authentication Mechanisms


Stateless login is available on all APIs. Stateless Web services requests for the Web Services v1.0, Web Services v2.0, Services, and Data Loader APIs can be authenticated using:

  • UserName and Password provided in SOAP security header (using WSSE Version 1.0 Namespace)
  • Oracle CRM On Demand Single Sign On (SSO) Token provided in SOAP security header
  • SSO with SAML v1.1 or v2.0

For the Administrative Services APIs only, the following login options are supported for stateless Web services requests:

  • UserName and Password provided in SOAP security header (using WSSE Version 2.0 Namespace)
  • Oracle CRM On Demand Single Sign On (SSO) Token provided in SOAP security header
  • SSO with SAML v1.1

Login with UserName and Password in the SOAP Security Header

A user's credentials can be supplied because the UserNameToken profile of the WS-I Basic Security Profile Version 1.0 is supported. In this case, the SOAP header contains the <wsse:UsernameToken> element, whose child elements carry the username and password:

<soap:Header>
  <wsse:Security soap:mustUnderstand="1">
    <wsse:UsernameToken>
      <wsse:Username>USERNAME</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>

NOTE:  URL encoding of login credentials is not supported when they are provided in the SOAP security header.

For the Administrative Services API, a similar login mechanism is used, but with a WSSE Version 2.0 namespace instead of the WSSE Version 1.0 Namespace.

Login with Oracle CRM On Demand Single Sign-On Token in the SOAP Header

This login mechanism is a type of outbound SSO; see Outbound SSO.

The client application supplies the SSO token in the <wsse:KeyIdentifier> element of the SOAP header:

<soap:Header>
  <wsse:Security>
    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier ValueType="http://schemas.crmondemand.com/ws/2011/01/secext#SSOTokenKeyIdentifier">$6$qx6pJ/czNwO1trwQRazQ26j4osNiQHMoqQSwRfpz/6HX2D5cw=;$6$IjwKO/BBoBW5oiuqC7P/TxwOBX1LxVpExR9vp7P5J/kixzGFWIjxHyRye7zy9Ld2g2vKp4W4jykxjbgF3KE8CFOGmD5g==</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </wsse:Security>
</soap:Header>

NOTE:  URL encoding of the SSO token is not supported when provided in the SOAP security header. If the SSO token is URL encoded, it must first be decoded before supplying it in the SOAP security header.

The SOAP request will not be processed if the SSO token has expired. It is best practice to validate the SSO token before using it for login; see SSO Token Validation.
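
The following Python sketch is an added example, not part of the Oracle guide or Oracle's code. It builds both security headers shown above, passing credentials through without URL encoding (only XML escaping is applied on serialisation) and URL-decoding an SSO token before it is placed in <wsse:KeyIdentifier>. Assumptions: the function names are hypothetical, the SOAP 1.1 envelope and OASIS WSS 1.0 secext namespace URIs are assumed because the page does not spell them out, and a raw token is assumed never to contain a %XX sequence.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Assumed namespace URIs (the page does not spell them out): SOAP 1.1 envelope
# and the OASIS WSS 1.0 secext schema for the wsse prefix.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Type and ValueType URIs exactly as shown on the page.
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SSO_VALUE_TYPE = ("http://schemas.crmondemand.com/ws/2011/01/secext"
                  "#SSOTokenKeyIdentifier")

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")  # sign that a value is URL encoded


def _security_header():
    header = ET.Element(f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    return header, security


def username_token_header(username, password):
    """Header for UserName/Password login; values are passed through as-is."""
    header, security = _security_header()
    security.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE_NS}}}Password", Type=PASSWORD_TEXT)
    pw.text = password  # XML-escaped on serialisation, never URL-encoded
    return ET.tostring(header, encoding="unicode")


def normalize_sso_token(token):
    """Undo URL encoding if present; unquote() leaves a literal '+' intact."""
    token = token.strip()
    return urllib.parse.unquote(token) if _PCT.search(token) else token


def sso_token_header(token):
    """Header for SSO-token login, with the token decoded before use."""
    header, security = _security_header()
    ref = ET.SubElement(security, f"{{{WSSE_NS}}}SecurityTokenReference")
    key = ET.SubElement(ref, f"{{{WSSE_NS}}}KeyIdentifier",
                        ValueType=SSO_VALUE_TYPE)
    key.text = normalize_sso_token(token)
    return ET.tostring(header, encoding="unicode")
```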

SSO with SAML v1.1 or v2.0

This login mechanism is a type of inbound SSO; see Inbound SSO.

For SSO using Security Assertion Markup Language (SAML), Oracle CRM On Demand supports only the SAML Web Browser Profiles: the Browser/Artifact Profile and the Browser/POST Profile using the Proprietary Token method.

Oracle Web Services On Demand Guide, Version 25.0 (Oracle CRM On Demand Release 37) Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Legal Notices.