Metadata Mapping

The contents of a metadata document map to the metadata API in the ways explained in the following sections.

The following namespace prefixes are used throughout this documentation:

wsdl   => http://schemas.xmlsoap.org/wsdl/
soap11 => http://schemas.xmlsoap.org/wsdl/soap/
soap12 => http://schemas.xmlsoap.org/wsdl/soap12/
wsa09  => http://schemas.xmlsoap.org/ws/2004/08/addressing
wsa10  => http://www.w3.org/2005/08/addressing
wsa09p => http://schemas.xmlsoap.org/ws/2004/08/addressing/policy
wsa10p => http://www.w3.org/2006/05/addressing/wsdl
binp   => http://schemas.microsoft.com/ws/06/2004/mspolicy/netbinary1
mtomp  => http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization
sp     => http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
wsp    => http://schemas.xmlsoap.org/ws/2004/09/policy
netf   => http://schemas.microsoft.com/ws/2006/05/framing/policy
httpp  => http://schemas.microsoft.com/ws/06/2004/policy/http
wst10  => http://schemas.xmlsoap.org/ws/2005/02/trust
wsi    => http://schemas.xmlsoap.org/ws/2005/05/identity

The subsequent sections describe API constructs along with what metadata constructs (WSDL or Policy) they correspond to.

Familiarity with metadata specifications such as WSDL and Policy will aid in understanding this section.

Endpoint address

The address of an endpoint (see WS_ENDPOINT_ADDRESS) is obtained from an extensibility element within the wsdl:port element of the WSDL document. The following extensibility elements are supported for specifying the address:

<wsdl:port...>
    <soap11:address.../>
</wsdl:port>
<wsdl:port...>
    <soap12:address.../>
</wsdl:port>
<wsdl:port...>
    <wsa09:EndpointReference.../>
</wsdl:port>
<wsdl:port...>
    <wsa10:EndpointReference.../>
</wsdl:port>

WS_CHANNEL_BINDING

The channel binding (see WS_CHANNEL_BINDING) is determined by the transport that the SOAP binding uses, as follows:

<soap:binding transport="http://schemas.microsoft.com/soap/tcp"/> => WS_TCP_CHANNEL_BINDING
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"/> => WS_HTTP_CHANNEL_BINDING

WS_CHANNEL_PROPERTY_ENVELOPE_VERSION

The envelope version (see WS_CHANNEL_PROPERTY_ENVELOPE_VERSION) is determined by which soap binding is used, as follows:

<wsdl:binding...>
    <soap11:binding.../> => WS_ENVELOPE_VERSION_SOAP_1_1
</wsdl:binding>
<wsdl:binding...>
    <soap12:binding.../> => WS_ENVELOPE_VERSION_SOAP_1_2
</wsdl:binding>

Addressing Version

The addressing version (see WS_CHANNEL_PROPERTY_ADDRESSING_VERSION) is determined by the following assertions in the endpoint policy:

<wsp:Policy...>
    <wsa09p:UsingAddressing.../> => WS_ADDRESSING_VERSION_0_9
</wsp:Policy>
<wsp:Policy...>
    <wsa10p:UsingAddressing.../> => WS_ADDRESSING_VERSION_1_0
</wsp:Policy>

If an addressing assertion is not present, then WS_ADDRESSING_VERSION_TRANSPORT is assumed.

Message Encoding

The encoding of the message (see WS_CHANNEL_PROPERTY_ENCODING) is determined by the following assertions in the endpoint policy:

<wsp:Policy...>
    <binp:BinaryEncoding.../> => WS_ENCODING_XML_BINARY_SESSION_1, WS_ENCODING_XML_BINARY_1
</wsp:Policy>

Note that the binary encoding policy assertion does not include information about whether the binary encoding is sessionful or sessionless. This is determined by the encoding property constraint, which should match whether the WS_CHANNEL_TYPE being used is sessionful.

<wsp:Policy...>
    <mtomp:OptimizedMimeSerialization.../> => WS_ENCODING_XML_MTOM_UTF8, WS_ENCODING_XML_MTOM_UTF16LE, WS_ENCODING_XML_MTOM_UTF16BE
</wsp:Policy>

If neither of the above assertions is present, then a text encoding is used: WS_ENCODING_XML_UTF8, WS_ENCODING_XML_UTF16LE, WS_ENCODING_XML_UTF16BE.

Note that policy does not include information about the character set for MTOM or text encodings (whether it is UTF8, UTF16LE or UTF16BE). The actual character set value used is determined by the encoding property constraint.

Constraints with HTTP Header Authentication

This section applies when the WS_HTTP_HEADER_AUTH_SECURITY_BINDING_CONSTRAINT security binding constraint is specified.

This security binding is indicated in the policy by different assertions, each of which states both that HTTP header authentication should be used and that a particular authentication scheme should be used. The policy assertions correspond to the values of the WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME as follows:

<wsp:Policy...>
    <httpp:BasicAuthentication.../> => WS_HTTP_HEADER_AUTH_SCHEME_BASIC
</wsp:Policy>
<wsp:Policy...>
    <httpp:NegotiateAuthentication.../> => WS_HTTP_HEADER_AUTH_SCHEME_NEGOTIATE
</wsp:Policy>
<wsp:Policy...>
    <httpp:NtlmAuthentication.../> => WS_HTTP_HEADER_AUTH_SCHEME_NTLM
</wsp:Policy>
<wsp:Policy...>
    <httpp:DigestAuthentication.../> => WS_HTTP_HEADER_AUTH_SCHEME_DIGEST
</wsp:Policy>

Constraints with SSL Transport Security

This section applies when the WS_SSL_TRANSPORT_SECURITY_BINDING_CONSTRAINT security binding constraint is specified. The following policy assertions are used in this case:

<wsp:Policy...>
    <sp:TransportBinding...>
        <wsp:Policy...>
            <sp:TransportToken...>
                <wsp:Policy...>
                    <sp:HttpsToken.../>
                </wsp:Policy>
            </sp:TransportToken>
        </wsp:Policy>
    </sp:TransportBinding>
</wsp:Policy>

Constraints with SSPI Transport Security

This section applies when the WS_TCP_SSPI_TRANSPORT_SECURITY_BINDING_CONSTRAINT security binding constraint is specified. The following policy assertions are used in this case:

<wsp:Policy...>
    <sp:TransportBinding...>
        <wsp:Policy...>
            <sp:TransportToken...>
                <wsp:Policy...>
                    <netf:WindowsTransportSecurity.../>
                </wsp:Policy>
            </sp:TransportToken>
        </wsp:Policy>
    </sp:TransportBinding>
</wsp:Policy>

Constraints with Transport Security

The WS_SECURITY_PROPERTY_TRANSPORT_PROTECTION_LEVEL property constraint can be specified if any of the security binding constraints are specified:

Constraints with Kerberos APREQ Security Binding

This section applies when the WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING_CONSTRAINT security binding constraint is specified. The following policy assertions are used in this case:

<sp:EndorsingSupportingTokens...>
    <wsp:Policy>
        <sp:KerberosToken>
            <WssGssKerberosV5ApReqToken11.../>
        </sp:KerberosToken>
    </wsp:Policy>
</sp:EndorsingSupportingTokens>

Constraints with Message Security Binding

This section applies when the WS_USERNAME_MESSAGE_SECURITY_BINDING_CONSTRAINT security binding constraint is specified. The following policy assertions are used in this case:

<sp:SignedSupportingTokens>
    <wsp:Policy>
        <sp:UsernameToken.../>
    </wsp:Policy>
</sp:SignedSupportingTokens>

WS_CERT_MESSAGE_SECURITY_BINDING_CONSTRAINT

This section applies when the WS_CERT_MESSAGE_SECURITY_BINDING_CONSTRAINT security binding constraint is specified. The following policy assertions are used in this case:

<sp:EndorsingSupportingTokens>
    <wsp:Policy>
        <sp:X509Token.../>
   </wsp:Policy>
</sp:EndorsingSupportingTokens>

WS_ISSUED_TOKEN_MESSAGE_SECURITY_BINDING_CONSTRAINT

This section applies when the WS_ISSUED_TOKEN_MESSAGE_SECURITY_BINDING_CONSTRAINT security binding constraint is specified. The following policy assertions are used in this case:

<sp:EndorsingSupportingTokens...>
    <wsp:Policy>
        <sp:IssuedToken sp:IncludeToken="xs:anyURI"? ...="" >
            <wsp:Issuer>...</wsp:Issuer>?
            <wsp:RequestSecurityTokenTemplate TrustVersion="xs:anyURI"?>
                ...
                <wst10:Claims>
                    <wsi:ClaimType Optional='xs:boolean'?>xs:anyURI</wsi:ClaimType>*
                </wst10:Claims>
                ...
            </wsp:RequestSecurityTokenTemplate>
            <wsp:Policy>
                <sp:RequireDerivedKeys/> ?
                <sp:RequireExternalReference/> ?
                <sp:RequireInternalReference/> ?
            </wsp:Policy> ?
        </sp:IssuedToken>
    </wsp:Policy>
</sp:EndorsingSupportingTokens>

The following describes the mapping of fields of the WS_ISSUED_TOKEN_MESSAGE_SECURITY_BINDING_CONSTRAINT to the above policy:

  • The claimConstraints field is used to verify the set of claim type URIs that appear within the wsi:ClaimType element above.

  • The issuerAddress field corresponds to the wsp:Issuer element above, which is the WS_ENDPOINT_ADDRESS of the service that can issue the token.

  • The requestSecurityTokenTemplate field corresponds to the child elements of the wsp:RequestSecurityTokenTemplate element.

WS_SECURITY_CONTEXT_MESSAGE_SECURITY_BINDING_CONSTRAINT

This section applies when the WS_SECURITY_CONTEXT_MESSAGE_SECURITY_BINDING_CONSTRAINT security binding constraint is specified. The following policy assertions are used in this case:

<sp:EndorsingSupportingTokens...>
    <wsp:Policy>
        <sp:SecureConversationToken sp:IncludeToken="xs:anyURI"? ...="" >
            <wsp:Issuer>...</wsp:Issuer>?
            <wsp:Policy>
                <sp:RequireDerivedKeys.../>?
                <sp:RequireExternalUriReference.../>?
                <sp:SC10SecurityContextToken.../>? => WS_SECURE_CONVERSATION_VERSION_FEBRUARY_2005
                <sp:BootstrapPolicy... >?
                   <wsp:Policy> ...  </wsp:Policy> => WS_SECURITY_CONSTRAINTS
                </sp:BootstrapPolicy>
            </wsp:Policy>
        </sp:SecureConversationToken>
    </wsp:Policy>
</sp:EndorsingSupportingTokens>

The entropy mode is determined by the <sp:Trust10> assertion.

<sp:RequireClientEntropy/> and <sp:RequireServerEntropy/> => WS_SECURITY_KEY_ENTROPY_MODE_COMBINED
<sp:RequireClientEntropy/> => WS_SECURITY_KEY_ENTROPY_MODE_CLIENT_ONLY
<sp:RequireServerEntropy/> => WS_SECURITY_KEY_ENTROPY_MODE_SERVER_ONLY

WS_REQUEST_SECURITY_TOKEN_PROPERTY_TRUST_VERSION

This section applies when the WS_ISSUED_TOKEN_MESSAGE_SECURITY_BINDING_CONSTRAINT security binding constraint is specified. The following policy assertions are used to identify the WS_TRUST_VERSION and associated options.

<sp:Trust10> => WS_TRUST_VERSION_FEBRUARY_2005
    <sp:Policy>
        <sp:MustSupportClientChallenge/> ?
        <sp:MustSupportServerChallenge/> ?
        <sp:RequireClientEntropy/> ?
        <sp:RequireServerEntropy/> ?
        <sp:MustSupportIssuedTokens/> ?
    </sp:Policy>
</sp:Trust10>

The trust version can be specified using the WS_REQUEST_SECURITY_TOKEN_PROPERTY_CONSTRAINT with a property id of WS_REQUEST_SECURITY_TOKEN_PROPERTY_TRUST_VERSION.

WS_SECURITY_PROPERTY_SECURITY_HEADER_VERSION

This section applies when any of the following binding constraints are used:

The header security version (as specified by WS_SECURITY_PROPERTY_SECURITY_HEADER_VERSION) is determined by one of the following policy assertions:

<wsp:Wss10> ... </wsp:Wss10> => WS_SECURITY_HEADER_VERSION_1_0
<wsp:Wss11> ... </wsp:Wss11> => WS_SECURITY_HEADER_VERSION_1_1

Constraints with Header Security Layout

This section applies when any of the following binding constraints are used:

The security header layout (as specified by WS_SECURITY_PROPERTY_SECURITY_HEADER_LAYOUT) is determined by one of the following policy assertions:

<sp:TransportBinding>
    <wsp:Policy>
        <sp:Layout>
            <sp:Lax.../> => WS_SECURITY_HEADER_LAYOUT_LAX
        </sp:Layout>
    </wsp:Policy>
</sp:TransportBinding>
<sp:TransportBinding>
    <wsp:Policy>
        <sp:Layout>
            <sp:Strict.../> => WS_SECURITY_HEADER_LAYOUT_STRICT
        </sp:Layout>
    </wsp:Policy>
</sp:TransportBinding>
<sp:TransportBinding>
    <wsp:Policy>
        <sp:Layout>
            <sp:LaxTsFirst.../> => WS_SECURITY_HEADER_LAYOUT_LAX_WITH_TIMESTAMP_FIRST
        </sp:Layout>
    </wsp:Policy>
</sp:TransportBinding>
<sp:TransportBinding>
    <wsp:Policy>
        <sp:Layout>
            <sp:LaxTsLast.../> => WS_SECURITY_HEADER_LAYOUT_LAX_WITH_TIMESTAMP_LAST
        </sp:Layout>
    </wsp:Policy>
</sp:TransportBinding>

Constraints with Timestamp Security

This section applies when any of the following binding constraints are used:

Whether or not a timestamp is included in the security header (as specified by WS_SECURITY_PROPERTY_TIMESTAMP_USAGE) is determined by the presence of the sp:IncludeTimestamp in the following location:

<sp:TransportBinding>
    <wsp:Policy>
        <sp:IncludeTimestamp.../>
    </wsp:Policy>
</sp:TransportBinding>

If the sp:IncludeTimestamp assertion is present, the value from policy is WS_SECURITY_TIMESTAMP_USAGE_ALWAYS.

If the sp:IncludeTimestamp assertion is not present, the value from policy is WS_SECURITY_TIMESTAMP_USAGE_NEVER.
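
The following is an added example, not part of the original documentation and not WWSAPI code. It applies the addressing, HTTP header authentication, SSL transport token and timestamp mappings above, including their defaults and required locations, to a constructed policy document. The names map_policy, first and SAMPLE are hypothetical, and the "finding" flag is a review heuristic of this example only.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes as listed at the top of this page.
NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "httpp": "http://schemas.microsoft.com/ws/06/2004/policy/http",
    "wsa09p": "http://schemas.xmlsoap.org/ws/2004/08/addressing/policy",
    "wsa10p": "http://www.w3.org/2006/05/addressing/wsdl",
}
ADDRESSING = {"wsa09p:UsingAddressing": "WS_ADDRESSING_VERSION_0_9",
              "wsa10p:UsingAddressing": "WS_ADDRESSING_VERSION_1_0"}
AUTH = {"httpp:BasicAuthentication": "WS_HTTP_HEADER_AUTH_SCHEME_BASIC",
        "httpp:NegotiateAuthentication": "WS_HTTP_HEADER_AUTH_SCHEME_NEGOTIATE",
        "httpp:NtlmAuthentication": "WS_HTTP_HEADER_AUTH_SCHEME_NTLM",
        "httpp:DigestAuthentication": "WS_HTTP_HEADER_AUTH_SCHEME_DIGEST"}
# Assertions below are only honoured at this location, as the page specifies.
BINDING = "sp:TransportBinding/wsp:Policy/"

def first(policy, table, default=None):
    """Return the constant for the first assertion in `table` found in the policy."""
    for path, const in table.items():
        if policy.find(".//" + path, NS) is not None:
            return const
    return default

def map_policy(xml_text):
    """Hypothetical helper: derive the values this page describes from one wsp:Policy."""
    policy = ET.fromstring(xml_text)
    has = lambda path: policy.find(".//" + BINDING + path, NS) is not None
    result = {
        "addressing": first(policy, ADDRESSING, "WS_ADDRESSING_VERSION_TRANSPORT"),
        "http_auth": first(policy, AUTH),
        "ssl_transport": has("sp:TransportToken/wsp:Policy/sp:HttpsToken"),
        "timestamp": "WS_SECURITY_TIMESTAMP_USAGE_ALWAYS" if has("sp:IncludeTimestamp")
                     else "WS_SECURITY_TIMESTAMP_USAGE_NEVER",
    }
    # Review heuristic added by this example (not WWSAPI behaviour): Basic
    # credentials are only base64-encoded, so flag them without an HttpsToken.
    result["finding"] = (result["http_auth"] == "WS_HTTP_HEADER_AUTH_SCHEME_BASIC"
                         and not result["ssl_transport"])
    return result

# Constructed sample policy: Basic auth, no TransportBinding, no addressing.
SAMPLE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:httpp="http://schemas.microsoft.com/ws/06/2004/policy/http">
  <wsp:ExactlyOne><wsp:All><httpp:BasicAuthentication/></wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

if __name__ == "__main__":
    print(map_policy(SAMPLE))
```

An sp:IncludeTimestamp or sp:HttpsToken that appears outside the sp:TransportBinding location is treated as absent, following the page's "in the following location" wording.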