Session authentication protocol for web services

The recent development of Web services allows composition of a business flow by combining business processes provided by separate business via the Internet. One instance of a business flow can be executed by multiple service instances of the Web services of the participating business entities. At the same time, one business entity may have multiple services and service instances serving many different customers simultaneously. To establish trust relationships among these service instances, a new set of security protocols is necessary. We present a design for a session-oriented, multi-party authentication protocol based on standard Web service technologies such as SOAP, XML-Signature/Encryption, and SOAP-DSIG. The protocol consists of a message authentication protocol and a session management protocol.