OTAuthentication SOAP Header
When an external application sends a SOAP request to Process Platform, authentication information must be included with the SOAP request. Process Platform supports several kinds of authentication information, including OTDS tickets. Once the Administrator has configured OTDS Resources and Trust, Process Platform accepts inbound SOAP requests that carry an OTDS ticket as proof of authentication.
The OTDS ticket information must be available in a node called AuthenticationToken, which is wrapped in a node called OTAuthentication. The OTAuthentication node is a child of the SOAP header. The OTAuthentication node can be sent along with any SOAP request and is not limited to the Authentication Request.
When the Process Platform receives a SOAP request with an OTDS ticket in the OTAuthentication SOAP header, it validates that ticket against the trusted OTDS server. After the validation of the OTDS ticket, the OTDS server returns the user-id of the corresponding user. Process Platform then searches for an authenticated user and an organizational user based on the user-id, and trusts that user-id when performing the actual request.
Note: The additional calls to the OTDS server needed to validate the OTDS ticket have a performance impact. It is recommended to use the OTAuthentication header only to request a Process Platform-specific SAML artifact, and to use that artifact in subsequent calls.
Example SOAP Request
The following is an example of a SOAP request to retrieve SAML assertions from Process Platform where the authentication is done based on the provided OTDS ticket in the SOAP header.
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Header>
    <OTAuthentication xmlns="urn:api.ecm.opentext.com">
      <AuthenticationToken>*VER2*ABQz0QagVDQY_3lxtdzT7VwUFEEEowAQ-F0AfX6hCKdIXfYekJvDbwHgsfBOdDWUOcgcyCUo3I3whFbQIy99AEUAtmgaim91m-OtLXyg65S4dieHxqI2EvZjPcuE9v0ucSlkDu09MIgBm5Lq0Pwx8kqB9cQ2-nOyqY1T9rpfn7bBOA2vlZZblZE0OvmhCZNOSKI_z642BdDnOGcLJLpcGEYoTd9qYdfrH6CQI5TOE-l_SLe4xZWTQ1R6BOC_isFGmK93QuHLWxHwNbNGy5yPqN9ZIRFzPI76jF5MbEeY8I0rmGEDsZseVuRd_h6fEXjf9ogUPvOX4fK31U_mGDU_FK1VdeD9ryMC6AK-jbSdRONunFXvrZFa-mP4ZVqpRyKGi1HXebuYvAnlESDddJIsiD4usztr8WX3igUMTDk5Bnj-aQs9r10puydB44iNub9pqmWtYUbT8igiueIp3_NfXFpJga5C5AX27iJWhi_4Z3mHVz437Rj2A-Ov31ITgt74IiFzmmwXhJvk_h3ZBmcHgMyImKfGUOPZkd-tU-kpSCA3qQoPMh9LmnlE4dAxbbpO98SBthN1Z1VeZvHo_wEVoAc38TptuASZP32XQD2FW4HYS64t9SW-TzBS3w27EJhUSDxZYDxZ51y1R2pl1IXu9QuRwlSEzthkZj6JWlDUkt7fwUql6Yy4TmW_</AuthenticationToken>
    </OTAuthentication>
  </SOAP:Header>
  <SOAP:Body>
    <samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1" IssueInstant="2014-05-20T15:29:49.156Z" RequestID="a5470c392e-264e-9537-56ac-4397b1b416d">
      <samlp:AuthenticationQuery>
        <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"></saml:NameIdentifier>
        </saml:Subject>
      </samlp:AuthenticationQuery>
    </samlp:Request>
  </SOAP:Body>
</SOAP:Envelope>
Example SOAP Response
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="A0050568B-0048-11E3-FC06-71F9A6615F04" MajorVersion="1" MinorVersion="1" IssueInstant="2014-05-20T15:29:49.199Z" InResponseTo="a5470c392e-264e-9537-56ac-4397b1b416d">
      <Signature xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#A0050568B-0048-11E3-FC06-71F9A6617F04">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>OwNCVXqfWIqTl8mWYI70JRGtHww=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>CPM3IK/UtNCZhFpIGx/REBiJ9wJ0NR5T2s0faNQW5sJhiKSTRbkp1aqiQzt7m6brJetic3dPVzgBwi4t3j19gE/TW1CgQODJwNKZFjatx5t+mG3PmOczA5KWb/dp2fZSyC/Hb90IuIN5SKkk8hlcbBymZOdVOjfOA6+pugpob00=</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>...</X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
      <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
        <samlp:StatusCode Value="samlp:Success"/>
      </samlp:Status>
      <saml:Assertion xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="A0050568B-0048-11E3-FC06-71F9A6617F04" MajorVersion="1" MinorVersion="1" IssueInstant="2014-05-20T15:29:49.200Z" Issuer="https://www.cordys.com/SSO">
        <saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" NotBefore="2014-05-20T15:24:49.200Z" NotOnOrAfter="2014-05-20T23:29:49.200Z"/>
        <saml:AuthenticationStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2014-05-20T15:29:49.200Z">
          <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
            <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jopl</saml:NameIdentifier>
          </saml:Subject>
        </saml:AuthenticationStatement>
      </saml:Assertion>
      <samlp:AssertionArtifact xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">MDGeMioCNVSvxl76ZD5hEmc56SbrNva5JH7ESkQZ6lZE6Bt1DCjDqkIt</samlp:AssertionArtifact>
    </samlp:Response>
  </SOAP:Body>
</SOAP:Envelope>
Using SAMLart as HTTP header
In subsequent requests, the value of the AssertionArtifact field can be provided as proof of authentication. This value is sent in the HTTP header SAMLart. For example:
POST https://testbop.cordys.com/home/CordysNL/com.eibus.web.soap.Gateway.wcp HTTP/1.1
Host: testbop.cordys.com
Connection: keep-alive
Content-Length: 181
Content-Type: text/xml; charset=UTF-8
SAMLart: MDGeMioCNVSvxl76ZD5hEmc56SbrNva5JH7ESkQZ6lZE6Bt1DCjDqkIt

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Body>
    <GetUserDetails xmlns="http://schemas.cordys.com/1.0/ldap"/>
  </SOAP:Body>
</SOAP:Envelope>
XSD Schema for OTAuthentication SOAP Header
Below is the XSD schema for the OTAuthentication SOAP header.
<xsd:schema attributeFormDefault="unqualified" elementFormDefault="qualified" targetNamespace="urn:api.ecm.opentext.com" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:element name="OTAuthentication">
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element name="AuthenticationToken" type="xsd:string"/>
      </xsd:sequence>
    </xsd:complexType>
  </xsd:element>
</xsd:schema>
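The whole flow described on this page, as an added example in Python 3 using only the standard library (this is not OpenText or Cordys code): a client builds the SOAP envelope with the OTAuthentication header exactly as the XSD above defines it, reads the AssertionArtifact out of the SAML response after checking the status and the assertion's NotBefore/NotOnOrAfter window, and then prepares the follow-up call that authenticates with the SAMLart HTTP header instead of the OTDS ticket. It also shows the receiving side's lookup of the ticket: a namespace-qualified path rooted at the SOAP header, so an AuthenticationToken placed in the body or in the wrong namespace is not accepted. The sample response and the misplaced-ticket envelope are constructed, shortened copies of the page's messages; the ticket value is a placeholder; XML Signature verification of the response is out of scope here.

```python
# Added example, not OpenText/Cordys code. Namespaces and element names are taken
# from the page's SOAP examples and XSD; sample messages below are constructed.
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
OT_NS = "urn:api.ecm.opentext.com"                 # targetNamespace of the XSD
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("SOAP", SOAP_NS)             # prefix only affects serialisation


def build_envelope(body_xml: str, otds_ticket: Optional[str] = None) -> bytes:
    """Client side: wrap body_xml in a SOAP envelope. When an OTDS ticket is given,
    add the OTAuthentication/AuthenticationToken header, both elements qualified
    with urn:api.ecm.opentext.com as the XSD (elementFormDefault="qualified") requires."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    if otds_ticket is not None:
        header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
        auth = ET.SubElement(header, f"{{{OT_NS}}}OTAuthentication")
        ET.SubElement(auth, f"{{{OT_NS}}}AuthenticationToken").text = otds_ticket
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="utf-8")


def extract_otds_ticket(envelope: bytes) -> Optional[str]:
    """Server side: read the ticket only from where the XSD puts it. The path is
    namespace-qualified and rooted at the SOAP header, so a same-named element in
    the body or in another namespace is ignored."""
    root = ET.fromstring(envelope)
    node = root.find(
        f"{{{SOAP_NS}}}Header/{{{OT_NS}}}OTAuthentication/{{{OT_NS}}}AuthenticationToken"
    )
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def _utc(ts: str) -> datetime:
    """Parse the timestamp form used on the page, e.g. 2014-05-20T15:29:49.200Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def extract_artifact(response: bytes, now_iso: str) -> str:
    """Client side: require samlp:Success, require 'now' to fall inside the
    assertion's Conditions window, then return the AssertionArtifact."""
    root = ET.fromstring(response)
    status = root.find(f".//{{{SAMLP_NS}}}StatusCode")
    if status is None or status.get("Value") != "samlp:Success":
        raise ValueError("SAML request did not succeed")
    cond = root.find(f".//{{{SAML_NS}}}Conditions")
    if cond is not None:
        now = _utc(now_iso)
        if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion is outside its NotBefore/NotOnOrAfter window")
    art = root.find(f".//{{{SAMLP_NS}}}AssertionArtifact")
    if art is None or not (art.text or "").strip():
        raise ValueError("response carries no AssertionArtifact")
    return art.text.strip()


def samlart_headers(artifact: str) -> dict:
    """HTTP headers for a follow-up call that authenticates with the artifact."""
    return {"Content-Type": "text/xml; charset=UTF-8", "SAMLart": artifact}


# Constructed sample: the page's SAML response with the Signature block removed.
SAMPLE_RESPONSE = b"""<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"><SOAP:Body>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1">
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="A0050568B-0048-11E3-FC06-71F9A6617F04">
  <saml:Conditions NotBefore="2014-05-20T15:24:49.200Z" NotOnOrAfter="2014-05-20T23:29:49.200Z"/>
 </saml:Assertion>
 <samlp:AssertionArtifact>MDGeMioCNVSvxl76ZD5hEmc56SbrNva5JH7ESkQZ6lZE6Bt1DCjDqkIt</samlp:AssertionArtifact>
</samlp:Response></SOAP:Body></SOAP:Envelope>"""

# Constructed sample: a ticket in the body and in no namespace must not be accepted.
MISPLACED_TICKET = b"""<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP:Body><OTAuthentication><AuthenticationToken>x</AuthenticationToken></OTAuthentication></SOAP:Body>
</SOAP:Envelope>"""

GET_USER_DETAILS = '<GetUserDetails xmlns="http://schemas.cordys.com/1.0/ldap"/>'


def demo(otds_ticket: str = "OTDS-TICKET-PLACEHOLDER") -> dict:
    """Run the flow against the constructed samples and return what each step produced."""
    first_call = build_envelope(GET_USER_DETAILS, otds_ticket)
    artifact = extract_artifact(SAMPLE_RESPONSE, "2014-05-20T15:29:49.500Z")
    follow_up = build_envelope(GET_USER_DETAILS)        # no OTAuthentication header
    return {
        "ticket_seen_by_server": extract_otds_ticket(first_call),
        "misplaced_ticket_rejected": extract_otds_ticket(MISPLACED_TICKET) is None,
        "artifact": artifact,
        "samlart_header": samlart_headers(artifact)["SAMLart"],
        "follow_up_has_ticket": extract_otds_ticket(follow_up) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the ticket arriving in the first call, the misplaced ticket being ignored, the artifact from the response, and the follow-up request carrying only the SAMLart header. The server-side lookup deliberately uses a fixed, namespace-qualified path rather than a search for any element named AuthenticationToken; the XSD's targetNamespace and elementFormDefault="qualified" are what make that distinction meaningful.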