At first thanks for all your responses.
Now I know, that my hands are really free when making the solution.
The only unclear process for me is the Agent/customer cooperation. I am thinking about an agent as a person on the phone, which is able to create itinerary/modify itinerary/realize a payment for me as a customer. I know, that in order to have the application secure enough, it is necessary to have the agent logged into the system (which can be done using NTLM, LDAP etc.), but this login differs from the login of the real customer, because the customer's login offers to the customer list HIS OWN existing data and use data from HIS OWN profile (eg. credit card list, name etc...). For me this all means:
1. Agent has to identify the customer somehow (eg. username=email and password - mandatory in order to have at least some security), which has a precondition in customer account existence
2. If the customer does not have an account, it is necessary to create one in order to allow to the customer the future possibility to list and change it's own data and handle customer's mileage account
3. When the agent creates an account for the customer (without password specification), the system will generate a password and all information will be send to the customer by email. As soon as the account is created, the agent works in context of the customer
I expect this should solve the problem completely.