Authentication across applications


jenkins
06-25-2003, 09:13
We need to authenticate in our target application with the credentials of the user initiating the interface request in the source application.

i.e. user logs into application A
user requests function which uses an interface to application B
application B needs to verify that the originating user has appropriate access to perform function.

I suspect this is a well-known and commonly needed design pattern (though in loosely-coupled interfaces we try to avoid it). How do we resolve this without passing ID/PW in the webMethods document? Are there any known solutions that leverage single sign-on technology such as Oblix?

Note: We're in webMethods 6.01...

tbond
06-25-2003, 10:11
Beth,

There are a couple of ways to implement SSO. The easiest is to develop a custom Java service that calls out to your central security mechanism and validates the SSO token. You can also do this kind of thing in a custom authentication module. This is how integration with SiteMinder was accomplished. Take a look at the security section on Advantage for more information.

-- Tim

bjmazur
04-05-2005, 16:55
I have a similar problem. I am using SiteMinder in front of a web application (WebSphere). The user logs on to the web app and is authenticated against SiteMinder. When the user wants to make an update to our system, a web service is called to perform this functionality (via webMethods). The user is restricted to the services that they can access.

With SSO, the ACLs must be set to anonymous, but we wanted to use the ACLs to restrict access to specific services. I have the security package from WM for SiteMinder, but do I have to create a custom authentication mechanism that is performed to determine if a user is allowed to access a service AFTER the service has been accessed?

Is there another way to pass a security token from the web app to webMethods to facilitate this?
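
Added example, not from the thread and not webMethods or SiteMinder code: one way to carry the originating user's identity to application B without ID/PW is a short-lived signed assertion that B verifies before applying its own per-service ACL. The shared key, service names, group names and ACL map are assumptions, and the HMAC stands in for whatever token the SSO product actually issues.

```python
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned to both applications
MAX_AGE = 60                          # seconds a token is accepted after issue
# Assumption: application B keeps a per-service ACL (service -> allowed groups).
SERVICE_ACL = {"orders.update": {"order-admins"},
               "orders.read": {"order-admins", "order-viewers"}}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_token(user, groups, service, now=None):
    """Application A: bind the already-authenticated user to one target service."""
    claims = {"sub": user, "groups": sorted(groups), "aud": service,
              "iat": int(time.time() if now is None else now)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def authorize(token, service, now=None):
    """Application B: check signature, freshness and audience, then the ACL."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return (False, "malformed")
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return (False, "bad-signature")
    claims = json.loads(body)                   # parsed only after the signature checks out
    now = time.time() if now is None else now
    if not 0 <= now - claims["iat"] <= MAX_AGE:
        return (False, "expired")
    if claims["aud"] != service:                # token minted for a different service
        return (False, "wrong-service")
    if not SERVICE_ACL.get(service, set()) & set(claims["groups"]):
        return (False, "acl-denied")
    return (True, claims["sub"])
```

Because the ACL decision happens inside `authorize`, the transport-level ACL can stay anonymous while the service still enforces who may call it.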