How is a SAML token used by OWSM for identity propagation?
A. As each web service in a chain is invoked, OWSM generates a SAML token and inserts it in the WS-Security header of the request message.
B. A SAML token is generated on invocation of the first web service in a chain and is stored in the Java Authentication and Authorization (JAAS) Subject so it can be used throughout the transaction by subsequent web services.
C. A SAML token is used to determine the destination address of the next web service in the chain.
D. The SAML token, embedded in the X.509 certificate or Kerberos ticket, is extracted by OWSM and delivered to the next web service in the chain.
Explanation:
Propagating Identities through a Chain of Web Services
A web service may invoke another web service which in turn may invoke yet another web service
to complete a single transaction (this pattern is known as “chained web services”). Each of the
services in the chain may be protected. Instead of checking which service is calling which other
service, Oracle WSM allows you to check who the original user invoking the chain of web
services is. Oracle WSM policies can be used to propagate the original user’s identity across the
chained web services. Following successful authentication to the first web service in the chain,
Oracle WSM sets the user as a Java Subject used throughout the transaction. When invoking
another service, the Oracle WSM client policy picks up the user identity from the Java Subject,
generates a SAML token based on the Subject’s information, and inserts the SAML token in the
WS-Security header of the request message to be sent to the service provider. This allows all the
web services in a chain to track the identity of the actual user calling a web service endpoint
instead of having the identity of the prior service in the chain calling the first web service to get that information.
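The flow described above, as an added Python simulation that is not OWSM or Oracle code: the client-side step builds the SOAP request with a SAML 2.0 assertion inside the wsse:Security header, and each service in the chain reads the original user back out while checking that the service vouching for the user (the assertion Issuer) is one it trusts. The service names, user name and assertion ID are constructed for the example; the signature and timestamp validation a real policy performs are omitted.

```python
import xml.etree.ElementTree as ET

# Real namespace URIs for SOAP 1.1, WS-Security and SAML 2.0 assertions.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def tag(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return f"{{{NS[prefix]}}}{local}"


def build_request(subject_user, issuer, payload):
    """Client-side policy step (simplified): take the user from the caller's Subject,
    build a SAML 2.0 assertion naming that user, and place it in the wsse:Security header.
    The Issuer identifies the service vouching for the user, not the user."""
    env = ET.Element(tag("soap", "Envelope"))
    header = ET.SubElement(env, tag("soap", "Header"))
    security = ET.SubElement(header, tag("wsse", "Security"))
    assertion = ET.SubElement(security, tag("saml", "Assertion"),
                              {"Version": "2.0", "ID": "_constructed-assertion-id"})
    ET.SubElement(assertion, tag("saml", "Issuer")).text = issuer
    subject = ET.SubElement(assertion, tag("saml", "Subject"))
    ET.SubElement(subject, tag("saml", "NameID")).text = subject_user
    body = ET.SubElement(env, tag("soap", "Body"))
    ET.SubElement(body, "Payload").text = payload
    return ET.tostring(env, encoding="unicode")


def extract_identity(request_xml, trusted_issuers):
    """Service-side policy step (simplified): locate the assertion, accept it only if the
    vouching issuer is trusted, and return (issuer, user). Signature checks are omitted."""
    root = ET.fromstring(request_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in WS-Security header")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    user = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if issuer not in trusted_issuers:
        raise ValueError(f"untrusted SAML issuer: {issuer}")
    if not user:
        raise ValueError("SAML assertion carries no subject NameID")
    return issuer, user


def run_chain(original_user, services, trusted_issuers):
    """Simulate the chain. The user authenticates to services[0]; that service holds the
    user as the Subject, and every hop re-asserts the same user to the next service."""
    subject_user = original_user  # the 'Java Subject' set after the first authentication
    trail = []
    for caller, callee in zip(services, services[1:]):
        request = build_request(subject_user, issuer=caller, payload=f"call {callee}")
        issuer, subject_user = extract_identity(request, trusted_issuers)
        # The callee sees who vouched (the prior service) and who the real user is.
        trail.append((callee, issuer, subject_user))
    return trail


if __name__ == "__main__":
    # Constructed chain: OrderService -> PaymentService -> LedgerService, user "alice".
    for hop in run_chain("alice", ["OrderService", "PaymentService", "LedgerService"],
                         trusted_issuers={"OrderService", "PaymentService"}):
        print(hop)
```

Each hop in the printed trail carries the prior service as issuer and "alice" as the subject, which is the distinction the explanation draws: the downstream service authorizes the original user rather than the intermediate service, and the trust decision about the intermediate service is made through the issuer check.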
Note:
* Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for
exchanging authentication and authorization data between security domains. SAML 2.0 is an
XML-based protocol that uses security tokens containing assertions to pass information about a
principal (usually an end user) between a SAML authority, that is an identity provider, and a SAML
consumer, that is a service provider. SAML 2.0 enables web-based authentication and
authorization scenarios including cross-domain single sign-on (SSO).
B is not correct?
A is correct
Answer: A