6 Replies Latest reply on Jan 21, 2015 4:24 AM by jorgemoralespou_2

    Multiple authentication policies depending on client

    richardhands

      Hi,

       

      I want to be able to implement a service which can be exposed to both internal systems, where the users have already authenticated, and also as an external web service, but I want to minimize the security performance overhead for the internal applications, as they're on a secure & trusted network.

       

      My initial idea was to have a reverse proxy to do SSH termination from external sources, and set up the service so that it requires authentication from that route, and nothing from the internal route, but I can't work out how I might achieve that.

       

      So I also came up with a possible alternative around multiple different authentication options, but again I'm not sure if it would work.

       

      Do you think either of these will work?

       

      1) authentication/authorization only from one set of clients (identified for example by subnet, so calls from one subnet are known internal and safe, calls from the other are known to be coming via the proxy and thus must be authenticated)

       

      2) multiple authentication policies on the service, one locked to a particular certificate, which would be the internal route, and one requiring authentication details within the SOAP header

       

      Or, if neither of these is viable, can anyone suggest any other approaches? (I'm trying to avoid having to write some custom implementation to determine this, but will happily do so if necessary.)

       

       

      Thanks
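
Added example, not part of the original post and not any product's own code: a sketch of the two policy selectors described in options 1 and 2, showing where each one takes its trust decision from. The subnets, the certificate fingerprint placeholder, the `Request` fields and the function names are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example networks (assumptions, not values from the post).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # trusted internal callers
PROXY_NETS = [ipaddress.ip_network("10.99.0.0/28")]      # reverse proxy hosts
# Placeholder for the fingerprint of the internal client certificate (option 2).
INTERNAL_CERT_FP = "PLACEHOLDER-INTERNAL-CERT-SHA256"

@dataclass
class Request:
    peer_ip: str                    # TCP peer address of the connection itself;
                                    # a forwarded-for header is caller-controlled
    client_cert_fp: Optional[str]   # fingerprint of a TLS-verified client cert
    has_soap_credentials: bool      # credentials present in the SOAP header

def _in(nets, ip):
    return any(ip in net for net in nets)

def select_policy_by_subnet(req: Request) -> str:
    """Option 1: choose the policy from the connection's source subnet."""
    ip = ipaddress.ip_address(req.peer_ip)
    # Proxy subnet is checked first so a later overlap with the internal
    # range can never downgrade proxied (external) traffic to "trusted".
    if _in(PROXY_NETS, ip):
        return "authenticate" if req.has_soap_credentials else "reject"
    if _in(INTERNAL_NETS, ip):
        return "trusted"
    return "reject"                 # unknown source: default deny

def select_policy_by_credential(req: Request) -> str:
    """Option 2: choose the policy from what the caller presents."""
    if req.client_cert_fp is not None:
        # A certificate that is not the pinned internal one is rejected
        # outright; it does not fall back to the SOAP-header policy.
        return "trusted" if req.client_cert_fp == INTERNAL_CERT_FP else "reject"
    return "authenticate" if req.has_soap_credentials else "reject"

if __name__ == "__main__":
    for r in (Request("10.10.4.20", None, False),
              Request("10.99.0.5", None, True),
              Request("203.0.113.9", INTERNAL_CERT_FP, False)):
        print(r.peer_ip, select_policy_by_subnet(r), select_policy_by_credential(r))
```

"authenticate" here means the SOAP-header credentials still have to be verified by the real authentication step; the selectors only decide which policy applies.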