Question

We are wondering whether it is compliant with SOAP 1.1 to use two different tokens in the same SOAP header. In our case we are currently using only a UsernameToken for authentication and want to use an X509 encryptedToken.

The fact is that we are not able to identify the source of the message with our X509 token (the distinguished name is not usable in our case), so we want to use both tokens:

- The X509 encrypted Token for authentication

- The UsernameToken for carrying the name of the sender application (used for routing)

The messages are processed by an IBM DataPower Gateway.


Solution

SOAP is an extensible protocol, hence it doesn't restrict you from doing so.

The tricky part is how to achieve what you wanted to achieve using DataPower.

To do this you need to:

  • run custom XSLT to extract both the tokens from the message and process them the way you want.
  • use an AAA policy, and in the extract identity phase you should choose 'custom template' and provide your XSLT for extraction of both the tokens. In the Authenticate step you can again use custom XSLT to authenticate the identity in the way you want.
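
A sketch of the extraction step described in the answer, as an added example that is not part of the original answer: a plain XSLT 1.0 stylesheet (no DataPower extension functions) that pulls both tokens out of the SOAP 1.1 header and stops if there is not exactly one of each. It assumes the certificate is carried as a `wsse:BinarySecurityToken` with an X509v3 `ValueType` and that the message has a single `wsse:Security` header; the output element names are hypothetical, and how the gateway consumes them depends on your AAA policy.

```xslt
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    exclude-result-prefixes="soap wsse">

  <xsl:output method="xml" omit-xml-declaration="yes"/>

  <!-- Assumption: one wsse:Security header, and the certificate travels as a
       wsse:BinarySecurityToken whose ValueType ends in #X509v3. -->
  <xsl:variable name="sec" select="/soap:Envelope/soap:Header/wsse:Security"/>
  <xsl:variable name="user" select="$sec/wsse:UsernameToken/wsse:Username"/>
  <!-- XSLT 1.0 has no ends-with(); compare the last 7 characters instead. -->
  <xsl:variable name="cert" select="$sec/wsse:BinarySecurityToken[
      substring(@ValueType, string-length(@ValueType) - 6) = '#X509v3']"/>

  <xsl:template match="/">
    <xsl:choose>
      <!-- Fail closed: exactly one token of each kind and a non-empty
           username, otherwise stop without emitting an identity. -->
      <xsl:when test="count($sec) = 1 and count($user) = 1
                      and count($cert) = 1 and normalize-space($user) != ''">
        <!-- Element names below are hypothetical, chosen for this example. -->
        <extracted-identity>
          <!-- Routing hint only: the sender application name. -->
          <sender-application>
            <xsl:value-of select="normalize-space($user)"/>
          </sender-application>
          <!-- Base64 certificate, passed on to the Authenticate step. -->
          <x509-certificate>
            <xsl:value-of select="normalize-space($cert)"/>
          </x509-certificate>
        </extracted-identity>
      </xsl:when>
      <xsl:otherwise>
        <xsl:message terminate="yes">Expected exactly one UsernameToken and one X509 token</xsl:message>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```
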
Licensed under: CC-BY-SA with attribution