Authentication and Authorization
This topic provides an overview of how the service handles authentication and authorization.
The Doc Services web service is integrated with the claims-based identity system used throughout Wolters Kluwer Financial Services' distributed applications. This model requires that all data access requests pass through the core services where they are authenticated by a Security Token Service (STS). In this model, the STS issues security tokens (or software tokens) as part of the claims-based identity system.
In cases where the service is employed to access content from the Expere environment, authentication and authorization occur with a service account rather than a named entity. If the calling application is defined as a service account from an administrative perspective, the service authenticates the service account.
The Doc Services web service, as a secure application within the Wolters Kluwer Financial Services application development domain, does not perform authentication directly (for example by validating credentials submitted on a request message) but rather redirects the client to the STS. The STS then performs authentication of the client and issues a security token. The Doc Service validates that the security token originates from a trusted STS and then authorizes the request accordingly.
At a high level, the workflow might look like this. When an unauthenticated user submits a request message to the service, the request is redirected to the identity provider (STS). Once authenticated, the identity provider redirects the request back to the original application with a token that the original application (the service provider; in this case, the Doc Service) verifies. Once the token is verified, the requested resource is served by the service.
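The relying-party side of that workflow, as an added example that is not part of the original page or of the Doc Service code: the service never sees credentials, only a token, so everything depends on the checks it applies to the token before authorizing. A real WS-Federation token is a SAML assertion signed with the STS's X.509 key; to stay runnable with the Python standard library, this example stands in an HMAC-SHA256 signature over a JSON payload (an assumption, labelled in the code), and all issuer names, audience URIs, keys and role names are constructed placeholders. The order of checks is the point: trusted issuer, then signature, then audience, then validity window, and only then a claims-based authorization decision.

```python
import base64
import hashlib
import hmac
import json
import time

# Relying-party (service) configuration; all values are constructed placeholders.
# A real WS-Federation token is a SAML assertion signed with the STS's X.509 key and
# verified with the certificate registered for that issuer. This example stands in
# HMAC-SHA256 over a JSON payload so it runs with the standard library only; the
# checks the relying party applies are the same in either case.
TRUSTED_ISSUERS = {"urn:example:sts": b"constructed-verification-key-for-demo"}
EXPECTED_AUDIENCE = "urn:example:docservice"
CLOCK_SKEW_SECONDS = 300
# Claims-based authorization: role claims that may perform each action.
REQUIRED_ROLES = {"read_document": {"DocReader", "DocAdmin"}, "publish_document": {"DocAdmin"}}


class TokenRejected(Exception):
    """A token failed one of the relying-party checks."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()

def issue_token(issuer, key, audience, subject, roles, lifetime=3600, now=None):
    """Stand-in for the STS: after authenticating the caller (not shown), issue a
    signed token naming the issuer, the intended audience and the caller's claims."""
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "aud": audience, "sub": subject,
               "roles": list(roles), "nbf": now, "exp": now + lifetime}
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return body + "." + _b64url(_sign(key, body))

def validate_token(token, now=None):
    """Relying-party checks, in order. Returns the claims or raises TokenRejected."""
    now = int(time.time()) if now is None else now
    try:
        body, sig_b64 = token.split(".")
        payload = dict(json.loads(_unb64url(body)))
        signature = _unb64url(sig_b64)
        nbf, exp = int(payload["nbf"]), int(payload["exp"])
    except (ValueError, TypeError, KeyError):
        raise TokenRejected("malformed token")
    # 1. Issuer: only keys of STSs this service trusts are consulted, so a token from
    #    any other issuer is rejected before anything it claims is believed.
    issuer = payload.get("iss")
    key = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise TokenRejected("untrusted issuer")
    # 2. Signature, compared in constant time against the trusted issuer's key.
    if not hmac.compare_digest(_sign(key, body), signature):
        raise TokenRejected("invalid signature")
    # 3. Audience: a token issued for another relying party is not valid here.
    if payload.get("aud") != EXPECTED_AUDIENCE:
        raise TokenRejected("wrong audience")
    # 4. Validity window, allowing bounded clock skew between STS and service.
    if now < nbf - CLOCK_SKEW_SECONDS or now >= exp + CLOCK_SKEW_SECONDS:
        raise TokenRejected("outside validity window")
    return payload

def authorize(claims, action):
    """Authorization decision taken from the role claims the STS put in the token."""
    return bool(REQUIRED_ROLES.get(action, set()) & set(claims.get("roles", [])))

def handle_request(token, action, now=None):
    """Authenticate via the token, then authorize. Returns (status, detail)."""
    try:
        claims = validate_token(token, now=now)
    except TokenRejected as exc:
        return ("401", str(exc))
    if not authorize(claims, action):
        return ("403", "forbidden")
    return ("200", claims["sub"])

def demo(now=1_700_000_000):
    """Exercise the good path and each failure mode; returns the outcomes by name."""
    key = TRUSTED_ISSUERS["urn:example:sts"]
    good = issue_token("urn:example:sts", key, EXPECTED_AUDIENCE, "svc-docs", ["DocReader"], now=now)
    rogue = issue_token("urn:example:rogue", b"not-trusted", EXPECTED_AUDIENCE, "svc-docs", ["DocAdmin"], now=now)
    other = issue_token("urn:example:sts", key, "urn:example:other-app", "svc-docs", ["DocReader"], now=now)
    # Tampered: body rewritten to claim DocAdmin while the original signature is kept.
    body, sig = good.split(".")
    claims = json.loads(_unb64url(body))
    claims["roles"] = ["DocAdmin"]
    tampered = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()) + "." + sig
    return {
        "valid": handle_request(good, "read_document", now=now),
        "insufficient_role": handle_request(good, "publish_document", now=now),
        "expired": handle_request(good, "read_document", now=now + 3600 + CLOCK_SKEW_SECONDS),
        "untrusted_issuer": handle_request(rogue, "publish_document", now=now),
        "wrong_audience": handle_request(other, "read_document", now=now),
        "tampered": handle_request(tampered, "publish_document", now=now),
        "malformed": handle_request("not-a-token", "read_document", now=now),
    }
```

Calling `demo()` shows the good path returning 200, a valid token with insufficient role claims returning 403, and every token that fails a relying-party check returning 401 with the failing check named. In the WIF-based implementation the page describes, the issuer and audience checks correspond to the trusted-issuer and audience configuration in the service's web configuration, which this page does not show.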
About security and STS
Messages can be encrypted to protect privacy and require users to authenticate themselves before being allowed to receive messages.
A Security Token Service (STS) is a component that issues security tokens and authenticates the identity of the requesting user (or system). In this capacity, STS is the identity provider.
STS operates in accordance with the industry-standard WS-Trust and WS-Federation protocols, which build on the WS-Security specification. As such, the token service is the issuing, renewing, and validating authority for security tokens and establishes the trust relationship between participants in a secure message exchange.
Secure Sockets Layer certificates are ordered through Entrust and expire two years from the date of purchase. Typically, updates do not occur; however, users are notified if any updates are required.
Transport Layer Security (TLS) is also employed; it uses an X.509 certificate for its asymmetric cryptography.
Implementation
The implementation involves the use of an open source third-party project that interacts with Windows Identity Foundation (WIF) as an identity-aware application.
The service delegates authentication to the STS by establishing the appropriate references and trusts in the WIF libraries and web configuration files. The WS-Federation bindings supporting this functionality are contained in the policy at the service level.