SOAP Authentication

Hi All,

I am very new to this forum and web methods so please furgive me if i am asking you any stupid question.

I have developed a flow service using IS 6.1 and planning to share WSDL files with the clients so that they cann call the web service from their custom application. Now the question is how can i authenticate those user who are going to send me SOAP message?


Authentication occurs at two levels. First, the sender has to have permission to post the message to IS. That permission is typically granted using basic authentication (username and password) and controlled using the ACL of the Flow service that will receive the message.

Message-level authentication uses a WS-Security token. In IS releases prior to 7.1.x, the developer had to create a custom soap processor to intercept the soap request, extract the WS-Security token and authenticate it against some user repository or ID management solution. In IS 7.1 and later, some basic WS-Security functionality is built into IS and can be configured using the WSD provider.


Thanks Mark,

The WSDL which i have created for flow service don’t have any parameters to pass user id and password. Can you tell me how can i add the same in WSDL or if user passes the credenitals how IS will authenticate it.


Your questions appears to indicate that you are unfamiliar with the role of WSDL and perhaps web services in general. You would probably benefit from some good material on web services basics and web services security. Before reading the Web Services Developer’s Guide provided by WM, I would search the web for some basic tutorials or primers to help put things in perspective.

When a soap client (web service consumer) posts a message to a web services provider, it can use the HTTP protocol to supply credentials for basic authentication. It can also include a username token in the request header (soap:header) if the service requires WS-Security message-level authentication.

IS 6.5 does not support WS-Security out of the box, but you must provided at least basic authentication credentials to invoke an IS Flow or Java service using HTTP.