Ah, those are not steps, those are the two possible solutions I can think of to solve the problem.
Basically, to get authenticated, I need to submit two tokens. One is in a cookie I get from the server. I don't see that as a problem, I believe I can just set the test to maintain HTTP state and then it would maintain cookies. The challenge is that there is a second token that is generated server side and stuck inside a hidden form field. Now, a browser client would normally seamlessly transmit this cookie along with the username and password as web form data. The problem is that in SoapUI I am not a browser client, but I have to do a form submit as if I were. I've had a think since I've posted this, and here is what I think I need to do.
1.) Load the page
2.) Read the hidden form variable off the page and store it. (Essentially, parse the HTML response)
3.) Make an HTTP request with the user, password, and that hidden token sent as form data
4.) boom, done, authenticated
I believe that's what I need to do. I'm just not sure how to do it.
P.S. If it helps at all, this is the security system I am trying to test around: http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks
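
Steps 1 to 4 above, sketched as an added example that is not part of the original post and is written in Python rather than SoapUI: it parses the hidden anti-forgery field out of a login page and builds the cookie header and form body for the follow-up POST. The sample response, the `UserName`/`Password` field names and the token values are constructed assumptions; `__RequestVerificationToken` is the default ASP.NET anti-forgery name.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlencode

FIELD = "__RequestVerificationToken"  # default ASP.NET anti-forgery field name

# Constructed sample of the step 1 response (not captured from a real server).
SAMPLE_SET_COOKIE = "__RequestVerificationToken=cookie-token-AAA; path=/; HttpOnly"
SAMPLE_HTML = """<form action="/Account/Login" method="post">
  <input name="__RequestVerificationToken" type="hidden" value="form-token-BBB" />
  <input name="UserName" type="text" />
  <input name="Password" type="password" />
</form>"""

class HiddenFieldParser(HTMLParser):
    """Collects name -> value for every <input type="hidden"> on the page."""
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def extract_hidden_fields(html):
    """Step 2: read the hidden form variables off the page."""
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.hidden

def build_login_request(html, set_cookie, username, password):
    """Step 3: return (headers, body) for the form POST carrying both tokens."""
    hidden = extract_hidden_fields(html)
    if FIELD not in hidden:
        raise ValueError(f"hidden field {FIELD} not found in page")
    jar = SimpleCookie()
    jar.load(set_cookie)  # keeps the name=value pair, drops path/HttpOnly attributes
    cookie_header = "; ".join(f"{name}={m.value}" for name, m in jar.items())
    form = dict(hidden, UserName=username, Password=password)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Cookie": cookie_header}
    return headers, urlencode(form)

if __name__ == "__main__":
    print(build_login_request(SAMPLE_HTML, SAMPLE_SET_COOKIE, "alice", "s3cret"))
```

The cookie token and the form token are different values that the server validates as a pair, so both must come from the same page load.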