Security process flow with SAML tokens for the synchronous callout scenario

For the synchronous callout scenario, you can deploy a callout web service and specify either a SAML 1.1 or SAML 2.0 unsigned token to send user ID information to the external web service for further authentication and authorization.

When you deploy a synchronous callout web service, if a SAML token type is specified, SOAP Gateway generates the SAML token for the callout web service. SOAP Gateway extracts the user ID from the correlation token that comes with the IMS synchronous callout request. This user ID is passed in the SOAP header to the external web service for further authentication and authorization.

The following figure shows the processing between SOAP Gateway and the external web services when WS-Security is enabled for the callout application. The diagram does not include details on the communications between IMS and SOAP Gateway for callout request processing.

Figure 1. Security process flow with SAML token support for synchronous callout
Begin figure description. The diagram shows the process flow for the synchronous callout scenario when SSL is used to secure the connection between SOAP Gateway and the external web service and a SAML token carries the user ID. End figure description.
  1. A deployed callout web service on SOAP Gateway receives the callout request message in XML, and parses the message to retrieve the service and payload data.
  2. Based on the service name and operation name values, SOAP Gateway obtains from its runtime configuration the corresponding correlator file and the web service information for invoking the web service.
    • The correlator file indicates that WS-Security is enabled for this callout web service.
    • The callout web service was deployed with either a SAML 1.1 token or SAML 2.0 token.
  3. SOAP Gateway sends the request to the external web service over HTTPS (HTTP over SSL), with the SAML token that SOAP Gateway generated carried in the WS-Security SOAP header.
  4. The external web service server and SOAP Gateway exchange security credentials during the SSL handshake (mutual authentication):
    1. The server sends its certificate.
    2. SOAP Gateway verifies the server certificate against the server certificate that is stored in its truststore.
    3. SOAP Gateway sends its client certificate to the server.
    4. The server verifies the client certificate against the client certificate that is stored in its truststore.
    5. SOAP Gateway is permitted to invoke the web service.
  5. The external web service extracts the user ID from the SAML token and performs additional authentication and authorization checks. Because the token is unsigned, nothing inside the message proves who issued it; the external web service relies on the client certificate that it verified in step 4 to trust the token's origin.
  6. The response from the external web service is sent back to the original IMS application that is waiting in the IMS dependent region.
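The following is an added example, not SOAP Gateway's own code, that shows the two ends of steps 3 and 5 above: the sender builds a SOAP envelope whose WS-Security header carries an unsigned SAML 1.1 or SAML 2.0 assertion naming the IMS user ID, and the receiver extracts that user ID. Because the assertion is unsigned, the receiver refuses to read it unless the caller reports that the client certificate was verified during the SSL handshake (step 4); the `client_cert_verified` flag, the issuer name, the element layout of the assertions, and the sample payload are all assumptions made for this illustration.

```python
"""Constructed example: an unsigned SAML assertion in a WS-Security header
(sender side) and its extraction behind mutual-TLS authentication (receiver
side). Illustrative code only, not SOAP Gateway's implementation."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(t):
    return t.strftime(TS_FMT)


def _parse_ts(s):
    return dt.datetime.strptime(s, TS_FMT).replace(tzinfo=dt.timezone.utc)


def build_callout_request(user_id, issuer, body_xml, saml_version="2.0",
                          lifetime_s=300, now=None):
    """Sender side (the gateway's role in step 3): wrap body_xml in a SOAP
    envelope whose WS-Security header carries an unsigned SAML assertion
    naming user_id. Assumed layout; no XML signature is produced."""
    now = now or dt.datetime.now(dt.timezone.utc)
    not_after = now + dt.timedelta(seconds=lifetime_s)
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    header = ET.SubElement(env, f"{{{NS['soap']}}}Header")
    sec = ET.SubElement(header, f"{{{NS['wsse']}}}Security")
    if saml_version == "2.0":
        s2 = NS["saml2"]
        a = ET.SubElement(sec, f"{{{s2}}}Assertion", Version="2.0",
                          ID="_" + uuid.uuid4().hex, IssueInstant=_ts(now))
        ET.SubElement(a, f"{{{s2}}}Issuer").text = issuer
        subject = ET.SubElement(a, f"{{{s2}}}Subject")
        ET.SubElement(subject, f"{{{s2}}}NameID").text = user_id
        ET.SubElement(a, f"{{{s2}}}Conditions", NotBefore=_ts(now),
                      NotOnOrAfter=_ts(not_after))
    elif saml_version == "1.1":
        s1 = NS["saml1"]
        a = ET.SubElement(sec, f"{{{s1}}}Assertion", MajorVersion="1",
                          MinorVersion="1", AssertionID="_" + uuid.uuid4().hex,
                          Issuer=issuer, IssueInstant=_ts(now))
        ET.SubElement(a, f"{{{s1}}}Conditions", NotBefore=_ts(now),
                      NotOnOrAfter=_ts(not_after))
        stmt = ET.SubElement(
            a, f"{{{s1}}}AuthenticationStatement",
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified",
            AuthenticationInstant=_ts(now))
        subject = ET.SubElement(stmt, f"{{{s1}}}Subject")
        ET.SubElement(subject, f"{{{s1}}}NameIdentifier").text = user_id
    else:
        raise ValueError(f"unsupported SAML version {saml_version!r}")
    body = ET.SubElement(env, f"{{{NS['soap']}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def extract_user_id(soap_xml, client_cert_verified, now=None):
    """Receiver side (the external web service's role in step 5).
    Returns (user_id, saml_version) or raises ValueError.

    The assertion carries no signature, so nothing in the message proves who
    sent it; the only evidence is the mutually authenticated SSL session of
    step 4. An unauthenticated sender is rejected before the token is parsed."""
    if not client_cert_verified:
        raise ValueError("unsigned SAML token rejected: client certificate not verified")
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(soap_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no WS-Security header")
    a = sec.find("saml2:Assertion", NS)
    if a is not None:
        version = "2.0"
        cond = a.find("saml2:Conditions", NS)
        user_id = a.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    else:
        a = sec.find("saml1:Assertion", NS)
        if a is None:
            raise ValueError("no SAML assertion in WS-Security header")
        version = "1.1"
        cond = a.find("saml1:Conditions", NS)
        user_id = a.findtext(
            "saml1:AuthenticationStatement/saml1:Subject/saml1:NameIdentifier",
            namespaces=NS)
    if cond is not None:  # enforce the validity window if the sender set one
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _parse_ts(nb)) or (na and now >= _parse_ts(na)):
            raise ValueError("SAML assertion outside its validity window")
    if not user_id or not user_id.strip():
        raise ValueError("SAML assertion has no subject name")
    return user_id.strip(), version
```

The receiver checks the transport-layer authentication first and the assertion's validity window second, so an assertion replayed later, or delivered by a peer that did not present a trusted client certificate, never reaches the authorization logic. The SAML 1.1 branch exists because the page allows either token type; a real deployment would also pin the expected `Issuer` value.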