In your case, Client X and Company Y do not have a direct trust relationship, but both X and Y trust Z as an independent third party to forward the data. It would therefore be better if Portal Z provided a digital signature to both X and Y, which allows them both to authenticate users without a formal agreement between them. This means you do not need to include any usernames or passwords in your XML messages, as the authentication will be done using digital signatures.
Also, since you are already using XML, consider incorporating SAML (Security Assertion Markup Language), which would help resolve most of your security issues. SAML allows companies to exchange authentication, authorization, and profile information securely regardless of platform. The idea of using SAML is to provide a common language for security between companies in B2B and B2C business transactions.
For more information on SAML, you can refer to the following links.
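As an added illustration (not part of the original answer), the sketch below shows the non-cryptographic checks Company Y could apply to a SAML 2.0 assertion issued by Portal Z: trusted issuer, audience, and validity window. The URLs, the sample assertion and the function name `check_assertion` are constructed assumptions, and the XML signature itself must still be verified with an XML-DSig library before any of these fields are trusted.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion; issuer, audience and subject are placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://portal-z.example/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user@client-x.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://company-y.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # The constructed sample uses whole-second UTC timestamps.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, own_audience, now):
    """Return (subject, errors). Signature verification is NOT performed here."""
    root = ET.fromstring(xml_text)
    errors = []
    # Presence check only: an unsigned assertion is rejected outright.
    if root.find("ds:Signature", NS) is None:
        errors.append("unsigned assertion")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        errors.append("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        # Policy assumption: both bounds are required, NotOnOrAfter is exclusive.
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb is None or noa is None or not (_ts(nb) <= now < _ts(noa)):
            errors.append("outside validity window")
        audiences = [a.text.strip() for a in cond.findall(".//saml:Audience", NS) if a.text]
        if own_audience not in audiences:
            errors.append("audience mismatch")
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (subject if not errors else None), errors
```
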