How To Authenticate SOAP Requests in SoapUI

Authenticating SOAP Requests

This page walks you through how to authenticate your SOAP project using SoapUI. If you are looking for more information on types of authentication standards, please visit our Authentication Best Practices page.






The Auth tab at the bottom of the request message editors lets you add authentication credentials to your request. There is quite a lot to know here, so let's take a more detailed look:


The Auth tab is shown on the right, and the complementing request properties on the left.

  • Username / Password – specifying these will use them for standard Basic Authentication (remember to set the global HTTP Preference for preemptive authentication if your server expects the credentials without an authentication challenge).
  • Domain – add this for NTLM authentication challenges. If you are authenticating with NTLM, make sure to note the following in your configuration:
    • File > Preferences > HTTP Settings tab > uncheck the Authenticate Preemptively preference
    • For NTLM v2, provide your username as "DOMAIN\USERNAME" or at least as "\USERNAME"
  • Outgoing WSS – Specifies which project-level Outgoing WS-Security configuration to apply to outgoing requests (see .. for details)
  • Incoming WSS – Specifies which project-level Incoming WS-Security configuration to apply to incoming response messages

The properties to the left add two more settings for automatically adding WS-Security UsernamePassword Tokens to outgoing requests:

  • WSS-Password Type – which type of password to use (Digest, Plain Text, etc.)
  • WSS TimeToLive – the TTL value for the added credentials

The values specified in the corresponding username / password fields will be used. Here is an example setup:


Here we have entered a simple username and password and specified that a UsernameToken be added to the outgoing request. After the request is sent, we have a look at the Raw request view:


Here you can see the following:

  • The HTTP Authentication Header has been added at the top (because I have set preemptive authentication to true in my global HTTP preferences)
  • The Created and Expires elements have been added (since we specified a TTL value)
  • The Username and Password values are added.
  • A Nonce is added in accordance with the UsernamePassword Standard.

Tip: If you want more control over the UsernamePassword Header, create an outgoing WSS configuration at the project level instead, where you have more options to play with. Then use this configuration in the Auth tab as described above instead of specifying these settings in the inspector and properties.
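
The Digest password type, Nonce, and Created/Expires values seen in the raw request can be reproduced and checked as follows. This is an added example, not SoapUI's own code: the function names, the dictionary standing in for the XML security header, and the server-side `max_age` policy are assumptions, while the digest formula is the one defined by the WS-Security UsernameToken Profile.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamp format used for Created/Expires

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # WSS UsernameToken Profile: Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_token(username, password, ttl_seconds, now=None, nonce=None):
    """Client side: the values a Digest-type UsernameToken with a TTL carries."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)
    created = now.strftime(FMT)
    return {
        "Username": username,
        "Password": password_digest(nonce, created, password),  # not the cleartext
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "Expires": (now + timedelta(seconds=ttl_seconds)).strftime(FMT),
    }

def verify_token(token, passwords, seen_nonces, max_age=300, now=None):
    """Server side: returns 'ok', 'bad-digest', 'expired' or 'replayed'."""
    now = now or datetime.now(timezone.utc)
    expected = password_digest(base64.b64decode(token["Nonce"]),
                               token["Created"],
                               passwords.get(token["Username"], ""))
    if not hmac.compare_digest(expected, token["Password"]):
        return "bad-digest"
    # Created is covered by the digest; Expires is not, so the server also
    # enforces its own max_age (assumed policy) instead of trusting the TTL alone.
    created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
    expires = datetime.strptime(token["Expires"], FMT).replace(tzinfo=timezone.utc)
    if now > expires or now - created > timedelta(seconds=max_age):
        return "expired"
    key = (token["Username"], token["Nonce"])
    if key in seen_nonces:
        return "replayed"
    seen_nonces.add(key)
    return "ok"

if __name__ == "__main__":
    users = {"alice": "s3cret"}  # constructed sample credentials
    tok = build_token("alice", "s3cret", ttl_seconds=60)
    seen = set()
    print(tok)
    print(verify_token(tok, users, seen), verify_token(tok, users, seen))
```

With the Plain Text password type, the Password value is the password itself, so the Nonce and Created values then protect nothing unless the transport is encrypted.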