In medium to large scale enterprise deployments, authentication and authorization are typically handled by an external identity management server such as WSO2 Identity Server. Either the server side (Synapse, acting on behalf of the service) or the web service client itself can be the party that interacts with the identity management server; the two patterns are described below.
As shown in the following figure, in the first pattern the web service client sends its request, together with its credentials, to Synapse. The authentication and authorization mediator talks to the identity management server to verify those credentials and to check that the client is permitted to invoke the requested operation. Only if both checks succeed is the request passed on to Axis2 for processing; otherwise the mediator returns a fault and the request never reaches Axis2. Axis2 sends its response back to Synapse, which forwards it to the service client that originated the request.
In the second pattern, shown in the figure below, the service client itself talks to the identity management server before contacting Synapse. Here WS-Trust, or another security token based protocol, is used: the client obtains a security token from the identity server and presents that token with its request, so the mediator validates the token rather than the client's raw credentials. The flow sequence is as follows:
The service client sends a Request Security Token (RST)...
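As an added example (not code from Synapse, WSO2 Identity Server or this page), the following Python sketch models both patterns side by side, with plain dictionaries standing in for SOAP messages. In pattern 1 the mediator receives a username and password with the request and asks the identity server to verify them; in pattern 2 the client first sends an RST to the identity server acting as a security token service, receives a signed, time-limited token in the response, and presents that token to the mediator, which validates the signature and expiry locally before checking authorization. The classes `IdentityServer`, `SynapseAuthMediator` and `Axis2Backend`, the user store, the policy table, the shared token key and the HMAC token format are all constructed assumptions; a real WS-Trust exchange carries SOAP envelopes with WS-Security headers and typically issues SAML tokens.

```python
"""Added example: a minimal model of the two Synapse/identity-server patterns.
Everything here (users, policy, token format, class names) is constructed."""
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed user store standing in for the identity management server.
USERS = {
    "alice": {"password": "alice-secret", "roles": {"customer"}},
    "bob":   {"password": "bob-secret",   "roles": {"customer", "admin"}},
}
# Constructed policy: operation -> roles permitted to invoke it.
POLICY = {"getQuote": {"customer", "admin"}, "cancelOrder": {"admin"}}
# Assumed to be shared between the identity server and the mediator.
TOKEN_KEY = b"constructed-demo-key"


def permitted(roles, operation):
    """Authorization decision: does any of the caller's roles allow the operation?"""
    return bool(set(roles) & POLICY.get(operation, set()))


class IdentityServer:
    """Stand-in for WSO2 Identity Server: verifies credentials, reports roles,
    and (pattern 2) acts as a WS-Trust security token service."""

    def __init__(self, users, token_key):
        self._users, self._key = users, token_key

    def authenticate(self, username, password):
        user = self._users.get(username)
        # Constant-time comparison so a wrong password is not distinguishable by timing.
        return user is not None and hmac.compare_digest(
            user["password"].encode(), password.encode())

    def roles_of(self, username):
        return self._users.get(username, {}).get("roles", set())

    def issue_token(self, rst):
        """RST -> RSTR: authenticate the requester, then issue a signed token."""
        username, password = rst.get("username", ""), rst.get("password", "")
        if not self.authenticate(username, password):
            return {"fault": "wst:FailedAuthentication"}
        claims = {"sub": username,
                  "roles": sorted(self.roles_of(username)),
                  "exp": int(time.time()) + rst.get("lifetime", 300)}
        body = urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"token": f"{body}.{sig}"}


class Axis2Backend:
    """Stand-in for the Axis2 service that finally processes the request."""

    def invoke(self, operation, payload):
        return {"result": f"{operation} processed: {payload}"}


class SynapseAuthMediator:
    """Stand-in for the authentication/authorization mediator inside Synapse."""

    def __init__(self, idp, backend, token_key):
        self._idp, self._backend, self._key = idp, backend, token_key

    def mediate(self, request):
        if "username" in request and "password" in request:
            # Pattern 1: credentials travel with the request; ask the identity server.
            username = request["username"]
            if not self._idp.authenticate(username, request["password"]):
                return {"fault": "Authentication failed"}
            roles = self._idp.roles_of(username)
        elif "token" in request:
            # Pattern 2: the client already holds a token issued by the identity server.
            claims = self._validate_token(request["token"])
            if claims is None:
                return {"fault": "Invalid or expired security token"}
            username, roles = claims["sub"], claims["roles"]
        else:
            return {"fault": "No credentials supplied"}
        operation = request["operation"]
        if not permitted(roles, operation):
            return {"fault": f"{username} is not authorized for {operation}"}
        # Only an authenticated and authorized request is passed on to Axis2.
        return self._backend.invoke(operation, request.get("payload"))

    def _validate_token(self, token):
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # forged or tampered token
            return None
        claims = json.loads(urlsafe_b64decode(body))
        if claims["exp"] < int(time.time()):          # expired token
            return None
        return claims


IDP = IdentityServer(USERS, TOKEN_KEY)
MEDIATOR = SynapseAuthMediator(IDP, Axis2Backend(), TOKEN_KEY)


def run_demo():
    """Exercise both patterns and return the mediator's decisions."""
    direct = MEDIATOR.mediate({"username": "alice", "password": "alice-secret",
                               "operation": "getQuote", "payload": "IBM"})
    rstr = IDP.issue_token({"username": "bob", "password": "bob-secret"})
    via_token = MEDIATOR.mediate({"token": rstr["token"],
                                  "operation": "cancelOrder", "payload": "42"})
    return {"pattern1": direct, "pattern2": via_token}


if __name__ == "__main__":
    print(run_demo())
```

The point the sketch makes about the second pattern is that the mediator never sees the client's password: it validates the token's signature and lifetime with the key it shares with the identity server, and takes the roles from the token, so a tampered or expired token is rejected without any call to the identity server.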