Understand Security for Web Service Connectors
The flow of communication in a secure, context-dependent interview is as follows:
- A user logs on to a web application, which generates a session ID.
- The user requests a resource, which either redirects the user to a standalone Intelligent Advisor interview or embeds the interview pages within one of the web application's own pages.
- The interview may need to load or save data specific to that user, so the session ID is encrypted and passed as a parameter on the start session URL.
- Parameters set on the start session URL are included in the SOAP body of subsequent Load and Save requests. The connector must decrypt and validate any identifying tokens before it grants access to the underlying database and performs context-dependent data transactions against it. Authenticating the identifying token with another service could use the SAML standard; however, the specific implementation of token validation is up to you.
- The connector returns the loaded data to the Intelligent Advisor interview, which renders the next interview page.
The diagram below shows this flow between a user, a possible web application, the Intelligent Advisor interview service and a possible web service connector. The diagram uses an encrypted session ID as the identifying token to complete a Load request. A similar flow of communication occurs for subsequent Save requests.
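As an added illustration (not Oracle's code or the product's actual schema), the following Python shows the connector-side step described above: pulling the identifying token out of the parameters carried in a Load request's SOAP body and validating it before any user-specific data is touched. The SOAP element names and namespace are assumptions; the page's flow encrypts the session ID, while this example uses an HMAC-authenticated, time-limited token built only from the standard library so it runs without extra dependencies.

```python
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

# Constructed shared secret; in practice the web application and the connector
# would share this out of band. The token format below is an assumption.
SECRET_KEY = b"constructed-32-byte-demo-key-0123"
TOKEN_TTL = 600  # seconds a token stays valid after issue

def issue_token(session_id, now=None, key=SECRET_KEY):
    """Web-application side: bind the session ID to an issue time and authenticate it."""
    payload = json.dumps({"sid": session_id, "iat": int(now or time.time())}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def validate_token(token, now=None, key=SECRET_KEY):
    """Connector side: return the session ID, or None if the token is forged, expired or malformed."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-32], raw[-32:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):       # constant-time tag check
            return None
        claims = json.loads(payload)
        if (now or time.time()) - int(claims["iat"]) > TOKEN_TTL:
            return None
        return claims["sid"]
    except (ValueError, KeyError, TypeError):
        return None

# Constructed stand-in for the SOAP body of a Load request; the element names and
# namespace are assumptions, not the Intelligent Advisor schema.
SOAP_LOAD = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:c="urn:example:connector"><soap:Body><c:load-request>
  <c:parameters><c:parameter name="sessionToken">{token}</c:parameter></c:parameters>
</c:load-request></soap:Body></soap:Envelope>"""

def session_from_load_request(soap_xml, now=None):
    """Locate the session token parameter in the Load request and validate it."""
    root = ET.fromstring(soap_xml)
    ns = {"c": "urn:example:connector"}
    for param in root.iterfind(".//c:parameter", ns):
        if param.get("name") == "sessionToken":
            return validate_token(param.text or "", now=now)
    return None  # no identifying token: refuse to load user data
```

A request whose token fails any check returns `None`, so the connector can answer without querying the database for that user.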
