Forum Discussion
Single sign-on to my IIS Web service
In regard to question 1, I am trying to extract the user from the initial logon information provided. We are going to have the username from the app be the same as the username in the RADIUS two-factor auth. So I thought I would have the client app provide username, hardwaretoken password, and app password. I’d authenticate the user through the RADIUS, and if it passes, then I would pass on the username and app password to the web service. After that, I just want to let the client program and the web service communicate as they normally would. Although, if I’m proxying with the F5, I assume I would need to store that sessionTokenID too.
In regard to question 2, the developer states:
1. The SessionTokenID is contained in an XML document returned from the server.
   a. 0VieNR5ZEc3feRNLAAB2PFwpXXUn2usBP3VOvgFGcESV7NtAZAkaxy/lZHu97l8DaHMUMsI/OM3RMfeHfZ26rJdDEiQ1etg45uOiH2N/kseJRb5heTV5yTe8k69gjg== false Demo User Power User
But, if you are going to set it up like you say, you probably do not even care about the XML returned.
We would change the developer guides and the WebAPI help documents to say that the logon request must contain their hardware token password as well, e.g.: http://WebAPI/api/Authentication/Login?username=username&password=password&hardwaretokenpassword=hardwaretokenpassword
The F5 could grab the username and hardware token password from the request, do the authentication, and then allow the request to go through to the WebAPI, either stripping the hardware token password off or not (I do not think the WebAPI will care either way).
I really appreciate that you are taking the time to help with this. Thank you!
Jim
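An added example, not part of the original post and not F5 or WebAPI code: a Python model of the request handling described above (read the username and hardware token password from the login URL, check the second factor, strip the token parameter before forwarding, and keep both secrets out of the proxy log). `gate_login`, `LoginRejected` and the `verify_token` callable standing in for the RADIUS check are hypothetical names, and rejecting repeated parameters is an added precaution so that the username checked against RADIUS is the same one the web service receives.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "hardwaretokenpassword"          # name taken from the post's URL
REQUIRED = ("username", "password", TOKEN_PARAM)
SECRET = ("password", TOKEN_PARAM)


class LoginRejected(Exception):
    """Raised when the request must not reach the web service."""


def gate_login(url, verify_token):
    """Return (forward_url, log_url) for an accepted login, else raise.

    verify_token(username, token) -> bool is a hypothetical stand-in for
    the RADIUS two-factor check.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    seen = {}
    for name, value in pairs:
        key = name.lower()  # assumption: the backend matches names case-insensitively
        if key in REQUIRED:
            if key in seen:
                # Two values would let the proxy check one and the backend use the other.
                raise LoginRejected(f"duplicate parameter: {key}")
            seen[key] = value
    missing = [k for k in REQUIRED if not seen.get(k)]
    if missing:
        raise LoginRejected("missing parameter: " + ", ".join(missing))
    if not verify_token(seen["username"], seen[TOKEN_PARAM]):
        raise LoginRejected("second factor failed")
    forward = [(n, v) for n, v in pairs if n.lower() != TOKEN_PARAM]
    redacted = [(n, "REDACTED" if n.lower() in SECRET else v) for n, v in pairs]
    return (urlunsplit(parts._replace(query=urlencode(forward))),
            urlunsplit(parts._replace(query=urlencode(redacted))))


if __name__ == "__main__":
    # Constructed sample request and token value, for illustration only.
    sample = ("http://WebAPI/api/Authentication/Login"
              "?username=demo&password=apppw&hardwaretokenpassword=123456")
    fwd, log = gate_login(sample, lambda u, t: (u, t) == ("demo", "123456"))
    print("forward:", fwd)
    print("log:    ", log)
```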
