User name token overview

User name tokens allow you to secure data with the WS-Security UsernameToken element. A user name token transfers user credentials as part of exchanges that are sent to and received from a trading partner. Those user credentials are then used to authenticate the sender or receiver of an exchange.

The types of security tokens that are defined by WS-Security are user name tokens and binary security tokens. The specification also includes extensibility mechanisms that you can use to further describe the characteristics of the credentials that are included with a message.

A user name token is a type of security token that is configured as part of a custom conformance policy. A user name token is the WS-Security UsernameToken element that encapsulates the user name and password during custom authentication. When you send an exchange to a trading partner, a user name token authenticates that the message was sent by you. Conversely, when you receive an exchange from a partner, the user name token authenticates that the exchange was sent by your partner. For inbound exchanges, AS4 Microservice extracts the contents of the user name token and uses them to authenticate the sender. Additionally, the system uses the returned subject to verify (through the allowed subject list in the exchange profile) whether the sender is authorized to send you AS4 messages.

When you use a security token, the ValueType attribute identifies the type of the security token, and the EncodingType element indicates how the security token is encoded (for example, using Base64Binary).

In addition to containing the user name and password, the user name token defines the type of the password. A password can be sent either as plain text or formatted as a digest hash. A digest hash secures the password by replacing it with a derived value, the password digest, so that an intermediary cannot view the password itself.

A nonce is a unique random string that identifies the password. The nonce is 16 bytes long and is passed along as a base64 encoded value. Using a nonce as part of the user name token helps to prevent replay attacks. However, the use of a nonce requires the server to maintain a cache of used nonces, which can affect system performance. When you combine a nonce with a creation time stamp, you can limit the performance impact by allowing the server to restrict the cache of nonces to a specified time period.

The password digest is derived from the concatenation of the nonce, the creation time of the security token, and the password. When you configure a user name token as part of a conformance policy, you enable the creation of the password digest to be included in the user name token instead of a plain text password.
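The following Python is an added illustration of the two preceding paragraphs, not code from AS4 Microservice: a sender builds a UsernameToken with a 16-byte nonce, a creation time and a password digest (the WS-Security UsernameToken Profile formula Base64(SHA-1(nonce + created + password))), and a receiver checks the digest, rejects a reused nonce, and bounds its nonce cache with the creation-time window. The five-minute window, the whole-second timestamp format, the fixed demo clock and the in-memory password lookup are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

NONCE_LEN = 16                     # the token's nonce is 16 random bytes, base64-encoded on the wire
FRESHNESS = timedelta(minutes=5)   # assumed acceptance window for Created (hypothetical value)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"      # assumes whole-second UTC Created timestamps
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock for the demo

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")

def make_token(username: str, password: str, now: datetime = EXAMPLE_NOW) -> dict:
    """Sender side: fresh nonce and creation time, digest in place of the plain-text password."""
    nonce, created = os.urandom(NONCE_LEN), now.strftime(TS_FMT)
    return {"Username": username, "PasswordDigest": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"), "Created": created}

class TokenVerifier:
    """Receiver side: check Created freshness, reject reused nonces, then compare the digest."""
    def __init__(self, passwords: dict, freshness: timedelta = FRESHNESS):
        self._passwords = passwords   # username -> password (constructed lookup, not a real store)
        self._freshness = freshness
        self._seen = {}               # nonce bytes -> expiry; bounded because entries expire

    def verify(self, token: dict, now: datetime = EXAMPLE_NOW) -> bool:
        # Expire cached nonces beyond the window so the cache stays small (the trade-off noted above).
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        try:
            created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False                                  # malformed token
        if len(nonce) != NONCE_LEN or abs(now - created) > self._freshness:
            return False                                  # stale or future-dated Created
        if nonce in self._seen:
            return False                                  # replayed nonce
        password = self._passwords.get(token.get("Username"))
        if password is None:
            return False                                  # unknown user
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False                                  # wrong password or tampered token
        self._seen[nonce] = created + self._freshness     # remember the nonce until it expires
        return True
```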

When you configure the user name token for a conformance policy, the system prompts you to enter the user name and password values in the exchange profile. If the user name token includes a password digest, the system retains the confirmation nonce and creation time in the tracking information for the exchange, and the exchange contains the UsernameToken element in the WS-Security header of the messages you send.