WIND offers an additional protocol beyond basic authentication which allows an application to obtain tickets on behalf of a user in order to connect to other applications. This is intended for WIND clients that would ordinarily require users to login to several different sites, such as portals.

You will need to understand this feature if you are going to implement a portal-like system (which acts as a front-end to other WIND secured services), or if you choose to permit your service to function within a portal system which uses WIND.

Proxiable credentials allow an application (such as a portal) to request WIND tickets on behalf of a user without requiring a separate login for each ticket. The application can then present the ticket to other WIND clients as if it were the user in order to obtain information or services that the user wants.

As a WIND client, you can choose whether or not to accept these tickets. You can decide to reject all proxied tickets, or to accept them. If you decide that you will accept them, you must use the XML-formatted response, which will tell you whether the ticket you are validating is a regular ticket or a proxy ticket, and if it is a proxy ticket which application(s) obtained it.

If you want to make sure that users always login to your application directly rather than through a portal, you should choose not to accept proxied tickets. This ensures that the user is coming to your site directly from the WIND login. If you want your application to have the greatest possible accessibility, including easy access from a portal, then you should accept proxy tickets.