Usage Cases for Identifying/Authenticating Clients
When deciding which type of identifier to use to identify a client, consider the following points:
- Whatever identifier you choose to identify a client, it must be unique to the application. Identifiers that represent user names are often not suitable because the identified users might submit requests for multiple APIs.
- Identifying applications by IP address or host name is often a suitable choice; however, it does create a dependency on the network infrastructure. If a client moves to a new machine, or its IP address changes, you must update the identifiers in the application asset.
- Using X.509 certificates or a custom token that is extracted from the SOAP message itself (using an XPath expression) is often the most trouble-free way to identify a client.
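The following sketch is an added example, not code from the product this page documents. It shows identification by a custom token extracted from the SOAP message with an XPath expression, together with the uniqueness rule from the first point. The `urn:example:client-id` namespace, the `ClientToken` header element, the `ApplicationRegistry` class and the application names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "app": "urn:example:client-id",  # hypothetical namespace for the custom token
}
# Hypothetical XPath expression configured for the custom identification token.
TOKEN_XPATH = "./soap:Header/app:ClientToken"


class ApplicationRegistry:
    """Maps identifier values to application names and enforces uniqueness."""

    def __init__(self):
        self._by_identifier = {}

    def register(self, application, identifier):
        # An identifier must be unique to one application.
        owner = self._by_identifier.get(identifier)
        if owner is not None and owner != application:
            raise ValueError(f"identifier already assigned to {owner!r}")
        self._by_identifier[identifier] = application

    def identify(self, soap_message):
        """Return the application name for a SOAP message, or None."""
        if b"<!DOCTYPE" in soap_message:
            return None  # SOAP messages carry no DTD; refuse instead of parsing
        try:
            envelope = ET.fromstring(soap_message)
        except ET.ParseError:
            return None
        matches = envelope.findall(TOKEN_XPATH, NS)
        if len(matches) != 1:  # missing or ambiguous token: do not guess
            return None
        token = (matches[0].text or "").strip()
        return self._by_identifier.get(token)


# Constructed sample message (not captured traffic).
SAMPLE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:app="urn:example:client-id">
  <soap:Header><app:ClientToken>orders-frontend-01</app:ClientToken></soap:Header>
  <soap:Body/>
</soap:Envelope>"""

registry = ApplicationRegistry()
registry.register("OrdersFrontend", "orders-frontend-01")
print(registry.identify(SAMPLE))
```

A token read from the message this way only identifies the sender; it does not prove who sent the request.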
The following are some common combinations of actions used to authenticate/identify clients:
Scenario 1: Identify clients by IP address or host name
Scenario 2: Authenticate clients by HTTP authentication token
Use the following actions:
Scenario 3: Authenticate clients by WS-Security authentication token
Use the following action:
Scenario 4: Authenticate clients by WSS X.509 certificate