2.14 Passing Additional Credentials in Web Service Call
The usual way to pass credentials is to use an attribute
assertion inside the <wsse:Security> header. Such an attribute
assertion identifies the calling user. Sometimes additional
credentials identifying the actual resource are passed
in the <TargetIdentity> SOAP header. However, both of these
methods admit only a single credential (which can contain
other credentials as attributes), typically not signed
by the Requester. If the Requester needs to add additional
credentials, it can use the <tas3:Credentials> element.
<e:Envelope>
  <e:Header>
    <wsse:Security>...</wsse:Security>
    <tas3:Credentials xmlns:tas3="http://tas3.eu/tas3/200911/">
      <!-- ... reuse XACML or SAML attribute schema -->
    </tas3:Credentials>
  </e:Header>
  <e:Body>...</e:Body>
</e:Envelope>
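
An added example, not taken from the TAS3 specification or its implementation: one way a receiving service could read the <tas3:Credentials> header when it carries SAML attributes. The SOAP 1.1 envelope namespace, the use of SAML 2.0 Attribute elements, the attribute names and values, and the function name extract_credentials are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "e": "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1 (assumed)
    "tas3": "http://tas3.eu/tas3/200911/",             # namespace from the page
    "sa": "urn:oasis:names:tc:SAML:2.0:assertion",     # SAML 2.0 (assumed)
}

# Constructed sample request; attribute names and values are made up.
SAMPLE = b"""<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">
  <e:Header>
    <tas3:Credentials xmlns:tas3="http://tas3.eu/tas3/200911/"
                      xmlns:sa="urn:oasis:names:tc:SAML:2.0:assertion">
      <sa:Attribute Name="urn:example:role">
        <sa:AttributeValue>nurse</sa:AttributeValue>
        <sa:AttributeValue>auditor</sa:AttributeValue>
      </sa:Attribute>
      <sa:Attribute Name="urn:example:ward">
        <sa:AttributeValue>7B</sa:AttributeValue>
      </sa:Attribute>
    </tas3:Credentials>
  </e:Header>
  <e:Body/>
</e:Envelope>"""


def extract_credentials(soap_bytes):
    """Return {attribute name: [values]} from the tas3:Credentials header."""
    # SOAP messages must not carry a DTD; refuse before parsing.
    if b"<!DOCTYPE" in soap_bytes or b"<!ENTITY" in soap_bytes:
        raise ValueError("DTD not allowed in SOAP message")
    root = ET.fromstring(soap_bytes)
    if root.tag != "{%s}Envelope" % NS["e"]:
        raise ValueError("not a SOAP envelope")
    # Direct children of e:Header only: look-alikes in e:Body are ignored.
    found = root.findall("e:Header/tas3:Credentials", NS)
    if len(found) > 1:
        raise ValueError("more than one tas3:Credentials header")
    creds = {}
    for attr in (found[0].findall("sa:Attribute", NS) if found else []):
        name = attr.get("Name")
        if not name:
            raise ValueError("sa:Attribute without Name")
        values = [(v.text or "").strip() for v in attr.findall("sa:AttributeValue", NS)]
        creds.setdefault(name, []).extend(values)
    return creds


print(extract_credentials(SAMPLE))
```

The parser accepts at most one <tas3:Credentials> element and only as a direct child of <e:Header>, so the receiver never has to choose between conflicting copies.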