

Security Token Service Endpoint

Clients can request security tokens from the Security Token Service (STS) endpoint of FIM. The STS endpoint will challenge the user of the client application to confirm his or her identity. If the user provides satisfactory responses to all the challenges, then the STS will issue a security token to the client. That token can then be included in requests to the other endpoints of FIM to prove that the user of the client application has successfully responded to a certain series of challenges to confirm his or her identity.

The STS endpoint of FIM implements mechanisms defined by the WS-Trust specification for requesting security tokens, issuing challenges to confirm a user's identity, and providing responses to those challenges. Specifically, a client can request a security token from the STS endpoint by sending the RequestSecurityToken (RST) element defined by the WS-Trust specification as input to the RST/Issue operation that is defined by that specification and implemented by the STS endpoint. In so doing, the client is expected to provide User Name security tokens as defined in the SOAP Message Security 1.1 specification.

The Password element of that User Name security token may have a value. Regardless, to challenge the user of the client application for more confirmation of identity than the User Name token provides, the STS endpoint responds with the WS-Trust RequestSecurityTokenResponse (RSTR) element. The client application conveys the user's responses to such challenges by invoking the RSTR/Issue operation with a WS-Trust RequestSecurityTokenResponse element. The service may respond with additional challenges for confirmation of the user's identity, or, once its requirements for confirming the user's identity have been met, the STS will provide the security token to the client in a RequestSecurityTokenResponse element.

The behavior of the STS endpoint is illustrated in the figure that accompanies this section.

API

Clients can request security tokens from the STS endpoint of FIM by invoking its RST/Issue operation.

RST/Issue Operation

Signature

Refer to section 6 of the WS-Trust specification.

Parameters

Action Header

The value of the Action Header should be https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue, as specified in Section 6 of the WS-Trust specification.

Security Header

Invocations of the RST/Issue operation of the STS endpoint must incorporate the Security header defined in the SOAP Message Security 1.1 specification and a User Name security token.

RequestSecurityToken Element

According to the WS-Trust specification, a request for a security token takes the form of the RequestSecurityToken element of the https://schemas.xmlsoap.org/ws/2005/02/trust namespace, which the specification defines. That element has several sub-elements. According to the WS-Trust specification, only one of those sub-elements, the RequestType sub-element, must always be present. It is left to implementers of the WS-Trust specification to decide whether the other sub-elements are required. For requests to the STS endpoint of the FIM Service, the required sub-elements of the RequestSecurityToken element are listed in the following table, together with definitions of the valid values for each sub-element.

Required RequestSecurityToken Sub-Elements

RequestType
  Meaning: The nature of the request.
  Valid Values: https://schemas.xmlsoap.org/ws/2005/02/trust/Issue

AppliesTo
  Meaning: The purpose for which the requested security token is required.
  Valid Values: A WS-Addressing Endpoint Reference element identifying the Web service endpoint at which the requested security token will be used.

Entropy
  Meaning: Entropy that will be used in creating the key to be incorporated in the requested security token.
  Valid Values: A WS-Trust BinarySecret element, with the Type attribute value https://schemas.xmlsoap.org/ws/2005/02/trust/Nonce, incorporating a base64-encoded key represented as binary octets.

The optional sub-elements of the RequestSecurityToken element are shown in the following table, together with definitions of the valid values for each sub-element.

Optional RequestSecurityToken Sub-Elements

KeyType
  Meaning: The type of key to be incorporated in the requested security token.
  Valid Values: https://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

KeySize
  Meaning: The size of the key to be incorporated in the requested security token, specified in number of bits.
  Valid Values: 256

CanonicalizationAlgorithm
  Meaning: The canonicalization method that will be used in the returned token.
  Valid Values: http://www.w3.org/2001/10/xml-exc-c14n#

EncryptionAlgorithm
  Meaning: The encryption algorithm that will be used in the returned token.
  Valid Values: http://www.w3.org/2001/04/xmlenc#aes256-cbc

EncryptWith
  Meaning: The encryption algorithm that will be used in requests incorporating the issued security token.
  Valid Values: http://www.w3.org/2001/04/xmlenc#aes256-cbc

SignWith
  Meaning: The signature algorithm that will be used in requests incorporating the issued security token.
  Valid Values: http://www.w3.org/2000/09/xmldsig#hmac-sha1

ComputedKeyAlgorithm
  Meaning: The algorithm to use in computed keys incorporated in the issued security token.
  Valid Values: https://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1

Example

The following SOAP message is an example of a request for a security token to the STS endpoint of FIM.

Sample request for a security token context
<s:Envelope 
  xmlns:s='http://www.w3.org/2003/05/soap-envelope' 
  xmlns:wsa='https://schemas.xmlsoap.org/ws/2004/08/addressing' 
  xmlns:wst='https://schemas.xmlsoap.org/ws/2005/02/trust'
  xmlns:wsse='https://schemas.xmlsoap.org/ws/2002/04/secext'
  xmlns:wssu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
  …
  <s:Header>
    …
    <wsa:Action>
      https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    </wsa:Action>
    …
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>ssmith</wsse:Username>
      </wsse:UsernameToken>
    </wsse:Security>
    …
  </s:Header>
  <s:Body>
    <!-- The required sub-elements sit inside the WS-Trust RequestSecurityToken element. -->
    <wst:RequestSecurityToken>
      <wst:RequestType>
        https://schemas.xmlsoap.org/ws/2005/02/trust/Issue
      </wst:RequestType>
      <wst:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>
            http://www.woodgrove.com:5725/IdentityManagementService/Resource
          </wsa:Address>
        </wsa:EndpointReference>
      </wst:AppliesTo>
      <wst:Entropy>
        <wst:BinarySecret 
          wssu:Id='uuid-8f817169-b97b-49a0-9ce9-bf2448b16260-14'
          Type='https://schemas.xmlsoap.org/ws/2005/02/trust/Nonce'>
          jFF5uK5ZhZfBqA/XaIAO7y6hFHkugnM5N4W3Otdc+t0=
        </wst:BinarySecret>
      </wst:Entropy>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>
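The following is an added example, not code from the FIM documentation or product: it applies, on the receiving side, the checks that the required and optional sub-element tables above imply for an RST/Issue request (Action header, UsernameToken, RequestType, AppliesTo, a Nonce-typed BinarySecret, and only the supported values for optional sub-elements). The envelope it parses is constructed for the example; the namespace URIs and valid values are the page's, while the minimum nonce length is an assumption of this example.

```python
# Added example (not FIM's code): server-side validation of an RST/Issue request
# against the sub-element tables above. The sample envelope is constructed.
import base64
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "https://schemas.xmlsoap.org/ws/2004/08/addressing",
    "wst": "https://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsse": "https://schemas.xmlsoap.org/ws/2002/04/secext",
}
WST = NS["wst"]
RST_ISSUE_ACTION = WST + "/RST/Issue"
ISSUE_REQUEST_TYPE = WST + "/Issue"
NONCE_TYPE = WST + "/Nonce"
# Valid values for the optional sub-elements, as listed in the table above.
OPTIONAL_VALUES = {
    "KeyType": {WST + "/SymmetricKey"},
    "KeySize": {"256"},
    "CanonicalizationAlgorithm": {"http://www.w3.org/2001/10/xml-exc-c14n#"},
    "EncryptionAlgorithm": {"http://www.w3.org/2001/04/xmlenc#aes256-cbc"},
    "EncryptWith": {"http://www.w3.org/2001/04/xmlenc#aes256-cbc"},
    "SignWith": {"http://www.w3.org/2000/09/xmldsig#hmac-sha1"},
    "ComputedKeyAlgorithm": {WST + "/CK/PSHA1"},
}
MIN_NONCE_BYTES = 16  # assumption of this example; the page sets no minimum


def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""


def validate_rst(xml_text):
    """Return the list of problems found; an empty list means the RST is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    if _text(root.find("s:Header/wsa:Action", NS)) != RST_ISSUE_ACTION:
        problems.append("Action header must be " + RST_ISSUE_ACTION)
    if not _text(root.find("s:Header/wsse:Security/wsse:UsernameToken/wsse:Username", NS)):
        problems.append("Security header must carry a UsernameToken with a Username")
    rst = root.find("s:Body/wst:RequestSecurityToken", NS)
    if rst is None:
        problems.append("Body must carry a RequestSecurityToken element")
        return problems
    if _text(rst.find("wst:RequestType", NS)) != ISSUE_REQUEST_TYPE:
        problems.append("RequestType must be " + ISSUE_REQUEST_TYPE)
    if not _text(rst.find("wst:AppliesTo/wsa:EndpointReference/wsa:Address", NS)):
        problems.append("AppliesTo must carry an EndpointReference with an Address")
    secret = rst.find("wst:Entropy/wst:BinarySecret", NS)
    if secret is None:
        problems.append("Entropy must carry a BinarySecret")
    else:
        if secret.get("Type") != NONCE_TYPE:
            problems.append("BinarySecret Type must be " + NONCE_TYPE)
        try:
            nonce = base64.b64decode(_text(secret), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("BinarySecret is not valid base64")
        else:
            if len(nonce) < MIN_NONCE_BYTES:
                problems.append("BinarySecret nonce is shorter than %d bytes" % MIN_NONCE_BYTES)
    # Optional sub-elements are accepted only with the values the endpoint supports.
    for child in rst:
        local = child.tag.rpartition("}")[2]
        if local in OPTIONAL_VALUES and _text(child) not in OPTIONAL_VALUES[local]:
            problems.append("%s has unsupported value %r" % (local, _text(child)))
    return problems


SAMPLE_NONCE = base64.b64encode(bytes(range(32))).decode()  # constructed 256-bit nonce


def sample_rst(request_type=ISSUE_REQUEST_TYPE, key_size="256", with_entropy=True):
    """Build a constructed RST/Issue envelope; the keyword arguments let a test vary it."""
    entropy = ("<wst:Entropy><wst:BinarySecret Type='%s'>%s</wst:BinarySecret></wst:Entropy>"
               % (NONCE_TYPE, SAMPLE_NONCE)) if with_entropy else ""
    return """<s:Envelope xmlns:s='%(s)s' xmlns:wsa='%(wsa)s' xmlns:wst='%(wst)s' xmlns:wsse='%(wsse)s'>
  <s:Header>
    <wsa:Action>%(action)s</wsa:Action>
    <wsse:Security><wsse:UsernameToken><wsse:Username>ssmith</wsse:Username></wsse:UsernameToken></wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken>
      <wst:RequestType>%(request_type)s</wst:RequestType>
      <wst:AppliesTo><wsa:EndpointReference><wsa:Address>http://www.woodgrove.com:5725/IdentityManagementService/Resource</wsa:Address></wsa:EndpointReference></wst:AppliesTo>
      %(entropy)s
      <wst:KeyType>%(wst)s/SymmetricKey</wst:KeyType>
      <wst:KeySize>%(key_size)s</wst:KeySize>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>""" % dict(NS, action=RST_ISSUE_ACTION, request_type=request_type,
                       entropy=entropy, key_size=key_size)
```

Rejecting a request for an unsupported KeySize or a BinarySecret that is not typed as a Nonce up front keeps the endpoint from deriving a proof key from input it never agreed to accept.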

Return Values

Action Header

The value of the Action Header must be https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue, as specified in Section 6 of the WS-Trust specification.

Context Header

Responses to invocations of the operations of the STS endpoint of FIM may incorporate the Context Header. Any Context header incorporated in the header of the response to the RST/Issue operation must be included in the headers of subsequent requests in the same session.

Request Security Token Response Element

Section 10 of the WS-Trust specification defines a mechanism by which an STS may challenge a client for information to authenticate a user's identity. The STS endpoint of FIM may use that mechanism to obtain the proof of the user's identity that it requires before issuing any security context token that a client may request on a user's behalf.

Specifically, if the STS endpoint requires additional information to authenticate a user's identity, then it will respond to a RequestSecurityToken message by using a RequestSecurityTokenResponse message as defined by the WS-Trust specification. That message will incorporate a RequestSecurityTokenResponse element that may include an authentication challenge. How the authentication challenge is structured is left to the implementer of the WS-Trust specification to define.

Challenges incorporated within RequestSecurityTokenResponse elements returned by the STS endpoint of FIM will take the form defined by the Challenge schema in the following example. Important elements of that schema are explained in the subsequent table.

Challenge Schema
<?xml version='1.0' encoding='utf-8'?>
<xs:schema 
  elementFormDefault='qualified'
  targetNamespace='https://schemas.microsoft.com/2006/11/IdentityManagement'
  xmlns:xs='http://www.w3.org/2001/XMLSchema'
  xmlns:wsa='https://schemas.xmlsoap.org/ws/2004/08/addressing'
  xmlns:rm='https://schemas.microsoft.com/2006/11/ResourceManagement'>
  <xs:import 
    namespace='https://schemas.xmlsoap.org/ws/2004/08/addressing'/>
  <xs:complexType name='AuthenticationChallengeType'>
    <xs:sequence>
      <xs:element 
        name='Challenge' 
        nillable='true' 
        minOccurs='0'>
        <xs:complexType>
          <xs:sequence>
            <xs:any 
              minOccurs='0' 
              processContents='lax' />
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <xs:element 
    name='AuthenticationChallenge' 
    nillable='true' 
    type='rm:AuthenticationChallengeType' />
</xs:schema>
Challenge Schema Elements

Challenge
  Description: Provides the client application with the information that it needs to challenge the user to provide the required authentication data.

AuthenticationChallenge
  Description: Wrapper.

Example

The following SOAP message shows a hypothetical response from the STS endpoint to a request for a security context token, requesting additional information to confirm the user's identity. Elements in the rm namespace are specific to the FIM implementation. Elements that are not constrained by this specification are indicated with ellipses.

Response to a request for a security context token
<s:Envelope 
  xmlns:s='http://www.w3.org/2003/05/soap-envelope' 
  xmlns:wsa='https://schemas.xmlsoap.org/ws/2004/08/addressing' 
  xmlns:wst='https://schemas.xmlsoap.org/ws/2005/02/trust'
  xmlns:wsu='https://schemas.xmlsoap.org/ws/2002/07/utility'
  xmlns:wsc='https://schemas.microsoft.com/ws/2006/05/context'
  xmlns:rm='https://schemas.microsoft.com/2006/11/ResourceManagement'>
  <s:Header>
    <wsa:To>
      http://www.woodgrove.com/sender
    </wsa:To>
    <wsa:Action>
      https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
    </wsa:Action>
    <wsa:MessageID>
      uuid:0000010e-0000-0000-C000-000000000048
    </wsa:MessageID>
    <wsa:RelatesTo>
      uuid:00000000-0000-0000-C000-000000000048
    </wsa:RelatesTo>
    <wsc:Context>
      <wsc:InstanceId>19bc8ea5-27f8-4136-97a2-3699697fd271</wsc:InstanceId>
    </wsc:Context>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponse>
      <rm:AuthenticationChallenge>
        <rm:Challenge>
          …
        </rm:Challenge>
      </rm:AuthenticationChallenge>
    </wst:RequestSecurityTokenResponse>
  </s:Body>
</s:Envelope>

RSTR/Issue Operation

Clients can respond to authentication challenges issued by the STS endpoint in response to requests for security tokens by providing the requested authentication data as input to the endpoint's RSTR/Issue operation.

Parameters

Action Header

The value of the Action Header must be https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue, as specified in Section 6 of the WS-Trust specification.

Context Header

If the response to a request for a security token from the STS endpoint of FIM incorporated the Context Header, then responses to authentication challenges sent by way of the RSTR/Issue operation must include that Context header.

Request Security Token Response Element

Section 10 of the WS-Trust specification defines a mechanism by which an STS may challenge a client for information to authenticate a user's identity. The STS endpoint of FIM may use that mechanism to obtain the proof of the user's identity that it requires before issuing any security context token that a client may request on a user's behalf.

Section 10 of the WS-Trust specification says that a client can respond to an authentication challenge from an STS by incorporating the requested authentication information in a RequestSecurityTokenResponse element. How the information is to be structured within that element is left to the implementer of the WS-Trust specification to define. Clients of the FIM Service STS endpoint must structure their responses to authentication challenges in compliance with the Challenge Response schema listed in the following example. Important elements of that schema are explained in the subsequent table.

Challenge Response Schema
<?xml version='1.0' encoding='utf-8'?>
<xs:schema 
  elementFormDefault='qualified'
  targetNamespace='https://schemas.microsoft.com/2006/11/IdentityManagement'
  xmlns:xs='http://www.w3.org/2001/XMLSchema'
  xmlns:wsa='https://schemas.xmlsoap.org/ws/2004/08/addressing'
  xmlns:rm='https://schemas.microsoft.com/2006/11/ResourceManagement'>
  <xs:import 
    namespace='https://schemas.xmlsoap.org/ws/2004/08/addressing'/>
  <xs:complexType name='AuthenticationChallengeResponseType'>
    <xs:sequence>
      <xs:element 
        name='Response' 
        nillable='true' 
        minOccurs='0'>
        <xs:complexType>
          <xs:sequence>
            <xs:any 
              minOccurs='0' 
              processContents='lax' />
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <xs:element 
    name='AuthenticationChallengeResponse' 
    nillable='true' 
    type='rm:AuthenticationChallengeResponseType' />
</xs:schema>
Challenge Response Schema Elements

Response
  Description: Provides the STS with the authentication information demanded from the client application.

AuthenticationChallengeResponse
  Description: Wrapper.

Example

The following SOAP example shows how a client that has requested a security context token from the STS endpoint may respond to a request from the service for additional information to authenticate the user. Elements in the rm namespace are specific to the FIM Service implementation. Elements that are not constrained by this specification are indicated with ellipses.

Hypothetical response to a request from the STS endpoint for additional authentication information
<s:Envelope 
  xmlns:s='http://www.w3.org/2003/05/soap-envelope' 
  xmlns:wsa='https://schemas.xmlsoap.org/ws/2004/08/addressing' 
  xmlns:wst='https://schemas.xmlsoap.org/ws/2005/02/trust'
  xmlns:wsu='https://schemas.xmlsoap.org/ws/2002/07/utility'
  xmlns:wsc='https://schemas.microsoft.com/ws/2006/05/context'
  xmlns:rm='https://schemas.microsoft.com/2006/11/ResourceManagement'>
  <s:Header>
    <wsa:To>
      http://www.woodgrove.com:5726/IdentityManagementService/SecurityTokenService
    </wsa:To>
    <wsa:Action>
      https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
    </wsa:Action>
    <wsa:MessageID>
      uuid:0000010e-0000-0000-C000-000000000048
    </wsa:MessageID>
    <wsa:RelatesTo>
      uuid:00000000-0000-0000-C000-000000000048
    </wsa:RelatesTo>
    <wsc:Context>
      <wsc:InstanceId>19bc8ea5-27f8-4136-97a2-3699697fd271</wsc:InstanceId>
    </wsc:Context>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponse>
      <rm:AuthenticationChallengeResponse>
        …
      </rm:AuthenticationChallengeResponse>
    </wst:RequestSecurityTokenResponse>
  </s:Body>
</s:Envelope>
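The following is an added example, not code from the FIM documentation or product. It shows the client side of the exchange described in the RST/Issue and RSTR/Issue sections: telling an authentication challenge apart from an issued token, keeping the Context header (InstanceId) that later requests in the session must echo, and building the RSTR/Issue message that answers the challenge. The namespace URIs and the InstanceId value are the page's; because the page leaves the content of the Challenge and Response elements unconstrained, the question and answer elements in the urn:example:constructed namespace are placeholders constructed for this example.

```python
# Added example (not FIM's code): client-side handling of an RSTR from the STS.
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "https://schemas.xmlsoap.org/ws/2004/08/addressing",
    "wst": "https://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsc": "https://schemas.microsoft.com/ws/2006/05/context",
    "rm": "https://schemas.microsoft.com/2006/11/ResourceManagement",
}
ANSWER_NS = "urn:example:constructed"  # placeholder namespace for the challenge payload
for _prefix, _uri in list(NS.items()) + [("q", ANSWER_NS)]:
    ET.register_namespace(_prefix, _uri)
RSTR_ISSUE_ACTION = NS["wst"] + "/RSTR/Issue"
SAMPLE_INSTANCE_ID = "19bc8ea5-27f8-4136-97a2-3699697fd271"  # value from the page's example


def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def classify_rstr(xml_text):
    """Return (kind, instance_id, payload); kind is 'challenge' or 'token'."""
    root = ET.fromstring(xml_text)
    inst = root.find("s:Header/wsc:Context/wsc:InstanceId", NS)
    instance_id = inst.text.strip() if inst is not None and inst.text else None
    rstr = root.find("s:Body/wst:RequestSecurityTokenResponse", NS)
    if rstr is None:
        raise ValueError("body carries no RequestSecurityTokenResponse")
    challenge = rstr.find("rm:AuthenticationChallenge/rm:Challenge", NS)
    if challenge is not None:
        return "challenge", instance_id, challenge
    if rstr.find("wst:RequestedSecurityToken", NS) is None:
        raise ValueError("response carries neither a challenge nor a token")
    return "token", instance_id, (rstr.findtext("wst:TokenType", "", NS)).strip()


def make_answer(text):
    """Constructed answer element; a real deployment defines its own payload."""
    elem = ET.Element("{%s}Answer" % ANSWER_NS)
    elem.text = text
    return elem


def build_challenge_response(sts_address, instance_id, answer):
    """Build the RSTR/Issue envelope; the Context header is echoed when the STS sent one."""
    env = ET.Element(_q("s", "Envelope"))
    header = ET.SubElement(env, _q("s", "Header"))
    ET.SubElement(header, _q("wsa", "To")).text = sts_address
    ET.SubElement(header, _q("wsa", "Action")).text = RSTR_ISSUE_ACTION
    if instance_id is not None:
        ctx = ET.SubElement(header, _q("wsc", "Context"))
        ET.SubElement(ctx, _q("wsc", "InstanceId")).text = instance_id
    body = ET.SubElement(env, _q("s", "Body"))
    rstr = ET.SubElement(body, _q("wst", "RequestSecurityTokenResponse"))
    wrapper = ET.SubElement(rstr, _q("rm", "AuthenticationChallengeResponse"))
    ET.SubElement(wrapper, _q("rm", "Response")).append(answer)
    return ET.tostring(env, encoding="unicode")


def parse_challenge_response(xml_text):
    """Read back the fields a verifier checks in a built RSTR/Issue message."""
    root = ET.fromstring(xml_text)
    inst = root.find("s:Header/wsc:Context/wsc:InstanceId", NS)
    answer = root.find("s:Body/wst:RequestSecurityTokenResponse/"
                       "rm:AuthenticationChallengeResponse/rm:Response/*", NS)
    return {
        "action": root.findtext("s:Header/wsa:Action", "", NS).strip(),
        "instance_id": inst.text if inst is not None else None,
        "answer": (answer.text or "").strip() if answer is not None else None,
    }


# Constructed messages: a challenge carrying a Context header, and an issued token.
SAMPLE_CHALLENGE = """<s:Envelope xmlns:s='%(s)s' xmlns:wsa='%(wsa)s' xmlns:wst='%(wst)s'
    xmlns:wsc='%(wsc)s' xmlns:rm='%(rm)s'>
  <s:Header>
    <wsa:Action>%(action)s</wsa:Action>
    <wsc:Context><wsc:InstanceId>%(iid)s</wsc:InstanceId></wsc:Context>
  </s:Header>
  <s:Body><wst:RequestSecurityTokenResponse>
    <rm:AuthenticationChallenge><rm:Challenge>
      <q:Prompt xmlns:q='%(qns)s'>one-time code</q:Prompt>
    </rm:Challenge></rm:AuthenticationChallenge>
  </wst:RequestSecurityTokenResponse></s:Body>
</s:Envelope>""" % dict(NS, action=RSTR_ISSUE_ACTION, iid=SAMPLE_INSTANCE_ID, qns=ANSWER_NS)

SAMPLE_TOKEN = """<s:Envelope xmlns:s='%(s)s' xmlns:wst='%(wst)s'>
  <s:Body><wst:RequestSecurityTokenResponse>
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
    <wst:RequestedSecurityToken/>
  </wst:RequestSecurityTokenResponse></s:Body>
</s:Envelope>""" % NS
```

A client that drops the InstanceId between the challenge and its answer loses the session the STS associated with the challenge, so the helper carries it from the classified reply straight into the next request.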

Return Values

Action Header

The value of the Action header must be https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue, as specified in Section 6 of the WS-Trust specification.

Context Header

Any Context Header incorporated in the header of the response to the RSTR/Issue operation must be included in the headers of subsequent requests in the same session.

Request Security Token Response Element

If the STS endpoint requires additional confirmation of the user's identity, then its response will incorporate an authentication challenge, structured in compliance with the Challenge schema listed earlier. Otherwise, the STS endpoint will provide a RequestSecurityTokenResponse element incorporating the requested security token, as shown in the following example.

Hypothetical response to a request for a security context token, providing the requested token
<s:Envelope 
  xmlns:s='http://www.w3.org/2003/05/soap-envelope' 
  xmlns:wsa='https://schemas.xmlsoap.org/ws/2004/08/addressing' 
  xmlns:wst='https://schemas.xmlsoap.org/ws/2005/02/trust'
  xmlns:wsu='https://schemas.xmlsoap.org/ws/2002/07/utility'
  xmlns:xenc='http://www.w3.org/2001/04/xmlenc'
  xmlns:dsig='http://www.w3.org/2000/09/xmldsig'
  xmlns:secxt='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
  xmlns:secu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
  …
  xmlns:rm='https://schemas.microsoft.com/2006/11/ResourceManagement'>
  <s:Header>
    …
    <wsa:Action>
      https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
    </wsa:Action>
    …
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponse>
      <wst:TokenType>
        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
      </wst:TokenType>
      <wst:RequestedSecurityToken>
        <saml:Assertion 
          MajorVersion='1' 
          MinorVersion='1' 
          AssertionID='_839c3252-a17c-4ada-9a7e-563e2792674b' 
          Issuer='Woodgrove' 
          IssueInstant='2007-03-10T19:34:16.654Z'
          xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion'>
          …
        </saml:Assertion>
      </wst:RequestedSecurityToken>
      <wst:RequestedAttachedReference>
        <secxt:SecurityTokenReference>
          <secxt:KeyIdentifier 
            ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID'>
            _839c3252-a17c-4ada-9a7e-563e2792674b
          </secxt:KeyIdentifier>
        </secxt:SecurityTokenReference>
      </wst:RequestedAttachedReference>
      <wst:RequestedUnattachedReference>
        <secxt:SecurityTokenReference>
          <secxt:KeyIdentifier 
            ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID'>
            _839c3252-a17c-4ada-9a7e-563e2792674b
          </secxt:KeyIdentifier>
        </secxt:SecurityTokenReference>
      </wst:RequestedUnattachedReference>
      <wst:RequestedProofToken>
        <wst:ComputedKey>
          https://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
        </wst:ComputedKey>
      </wst:RequestedProofToken>
      <wst:Entropy>
        <wst:BinarySecret 
          secu:Id='uuid-72856c87-f49d-4ef0-86fe-f4b5affbbcc6-10'>
          U7Qs2MTieDz4e0lYMlwzzyF8JbcXI7nPNh22A2/hsfY=
        </wst:BinarySecret>
      </wst:Entropy>
    </wst:RequestSecurityTokenResponse>
  </s:Body>
</s:Envelope>

The sub-elements of the RequestSecurityTokenResponse element by which the security token will be conveyed are defined by the WS-Trust specification. Clarifications of those elements are included in the following table.

Sub-elements of a Request Security Token Response Element Incorporating a Security Token

TokenType
  Meaning: The type of the security token.
  Expected Values: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1, to signify a SAML 1.1 token.

RequestedSecurityToken
  Meaning: Wrapper that contains the requested security token.
  Expected Values: A SAML 1.1 token as defined by the SAML 1.1 specification.

RequestedAttachedReference
  Meaning: Indicates how the client may refer to the security token when the client incorporates it in a message.
  Expected Values: A SecurityTokenReference element, as defined by the SOAP Message Security 1.1 specification, that contains a KeyIdentifier element as defined by the same specification. The KeyIdentifier element will have a ValueType attribute value of http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID. The element will contain a SAML AssertionIDReference value.

RequestedUnattachedReference
  Meaning: Indicates how to reference the token when it is not included in a message.
  Expected Values: The same value as the RequestedAttachedReference sub-element.

RequestedProofToken
  Meaning: The proof-of-possession token associated with the requested security token.
  Expected Values: A WS-Trust ComputedKey element that has the value https://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1, signifying that the key is to be computed from the value of the Entropy element by using the SHA-1 cryptographic hash function.

Entropy
  Meaning: Entropy that will be used in creating the key for the requested security token.
  Expected Values: A WS-Trust BinarySecret element that has an Id attribute and incorporates a base64-encoded key represented as binary octets.
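The following is an added example, not code from the FIM documentation or product. It carries out the CK/PSHA1 key computation that both the client and the STS perform once the RequestedProofToken names that algorithm: P_SHA1 is the TLS 1.0 P_hash construction built on HMAC-SHA1, and this example follows the WS-Trust convention of using the requestor's entropy as the HMAC secret and the STS entropy as the seed (stated here as an assumption of the example). The two base64 values are the Entropy samples shown in the request and response on this page; the 256-bit length matches the KeySize value listed earlier.

```python
# Added example (not FIM's code): deriving the CK/PSHA1 proof key from both
# parties' Entropy values. Entropy samples are taken from this page's messages.
import base64
import hashlib
import hmac
import secrets

CLIENT_ENTROPY = base64.b64decode("jFF5uK5ZhZfBqA/XaIAO7y6hFHkugnM5N4W3Otdc+t0=")
STS_ENTROPY = base64.b64decode("U7Qs2MTieDz4e0lYMlwzzyF8JbcXI7nPNh22A2/hsfY=")


def hmac_sha1(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def p_sha1(secret, seed, length):
    """TLS P_hash with HMAC-SHA1:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..., truncated."""
    output = b""
    a = seed
    while len(output) < length:
        a = hmac_sha1(secret, a)
        output += hmac_sha1(secret, a + seed)
    return output[:length]


def computed_key(client_entropy, sts_entropy, key_size_bits=256):
    """Proof key for CK/PSHA1. Assumption of this example: requestor entropy is the
    HMAC secret and STS entropy the seed, as in WS-Trust's P_SHA1(Ent_REQ, Ent_RES)."""
    if key_size_bits % 8:
        raise ValueError("key size must be a whole number of bytes")
    return p_sha1(client_entropy, sts_entropy, key_size_bits // 8)


def proof_key_hex(client_entropy_b64, sts_entropy_b64, key_size_bits=256):
    """Convenience wrapper taking the base64 strings as they appear in BinarySecret."""
    return computed_key(base64.b64decode(client_entropy_b64),
                        base64.b64decode(sts_entropy_b64), key_size_bits).hex()


def fresh_entropy_b64(nbytes=32):
    """Client-side nonce for the Entropy element, drawn from the OS CSPRNG."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()
```

The proof key itself never appears in either message: each side holds one BinarySecret of its own and receives the other's, so an observer who sees only one of the two values cannot derive the key, and a client that reuses a nonce across requests gives up that protection.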

The security tokens issued by the STS endpoint of the FIM Service are the SAML 1.1 tokens defined by the SAML 1.1 specification. A sample is shown in the following example. Expected values for the various nodes of the tokens issued by the STS endpoint are provided in the subsequent table.

Sample SAML 1.1 Token Issued by the STS Endpoint
<saml:Assertion 
  MajorVersion='1' 
  MinorVersion='1' 
  AssertionID='_839c3252-a17c-4ada-9a7e-563e2792674b' 
  Issuer='Woodgrove' 
  IssueInstant='2007-03-10T19:34:16.654Z' 
  xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion'
  xmlns:wsa='https://schemas.xmlsoap.org/ws/2004/08/addressing' 
  xmlns:wst='https://schemas.xmlsoap.org/ws/2005/02/trust'
  xmlns:wsu='https://schemas.xmlsoap.org/ws/2002/07/utility'
  xmlns:xenc='http://www.w3.org/2001/04/xmlenc'
  xmlns:dsig='http://www.w3.org/2000/09/xmldsig'
  xmlns:secxt='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
  xmlns:secu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
  <saml:Conditions 
    NotBefore='2007-03-10T19:29:16.654Z' 
    NotOnOrAfter='2007-03-11T05:34:16.654Z'>
  </saml:Conditions>
  <saml:Advice/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>
          urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
        </saml:ConfirmationMethod>
        <dsig:KeyInfo>
          <xenc:EncryptedKey>
            …
          </xenc:EncryptedKey>
        </dsig:KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute 
      AttributeName='…' 
      AttributeNamespace='…'>
      <saml:AttributeValue>
        …
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <dsig:Signature>
    …
  </dsig:Signature>
</saml:Assertion>
Nodes of a SAML 1.1 Token Issued by FIM Service STS Endpoint

Conditions
  Meaning: Constrain the validity of the assertions in the token.
  Expected Values: A NotBefore attribute value giving the time when the token was issued. A NotOnOrAfter attribute value giving a time that is a configurable period after the token was issued; by default, the NotOnOrAfter value is 5 minutes after the time given by the NotBefore attribute value.

Advice
  Meaning: Information provided by the STS endpoint.
  Expected Values: Any valid value allowed by the SAML 1.1 specification.

AttributeStatement
  Meaning: A statement by the STS about attributes that apply to the user of the client application to which the token is issued.
  Expected Values: A SAML Subject element, as defined by the SAML 1.1 specification, by which the user to whom the token was issued may be identified, and zero or more SAML Attribute elements, as defined by the SAML 1.1 specification, with claims that the STS asserts to be true of the subject identified by the Subject element.

Subject
  Meaning: Indicates how the user to whom the token was issued may be identified.
  Expected Values: A SAML SubjectConfirmation element, as defined by the SAML 1.1 specification, by which the user to whom the token was issued may be authenticated.

SubjectConfirmation
  Meaning: Provides information by which the user to whom the token was issued may be identified.
  Expected Values: A SAML ConfirmationMethod element, as defined by the SAML 1.1 specification, with the value urn:oasis:names:tc:SAML:1.0:cm:holder-of-key. That value is defined in the SAML 1.1 bindings and signifies that the user to whom the token was issued can be authenticated by his or her possession of a key. Also a KeyInfo element, as defined by the SOAP Message Security 1.1 specification, with information about the key by which the user to whom the token was issued can be authenticated.

Attribute
  Meaning: Attributes that the STS endpoint claims apply to the user to whom the token was issued.
  Expected Values: The content of any SAML Attribute elements in the SAML token is not constrained by the specification of the FIM Service STS endpoint. However, it is constrained by applications of that endpoint. See Message-Specific Authentication.

Signature
  Meaning: Enveloped digital signature of the SAML Assertion element.
  Expected Values: A Signature element as defined by the SOAP Message Security 1.1 specification.
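The following is an added example, not code from the FIM documentation or product. It applies the checks a relying party should make on an issued SAML 1.1 assertion before trusting it, following the node table above: SAML version, a trusted Issuer, the Conditions window (with a small clock-skew allowance and a cap on the window's length, defaulting to the page's stated 5 minutes), holder-of-key confirmation carrying a KeyInfo, and the presence of an enveloped Signature. Cryptographic verification of that Signature against the STS certificate is the job of an XML-DSig library and is deliberately not done here. The assertion is constructed for the example; it uses the standard XML-DSig namespace URI (ending in '#') rather than the variant shown in the page's samples, and the skew and lifetime parameters are this example's assumptions.

```python
# Added example (not FIM's code): structural and time-window checks on a SAML 1.1
# assertion at a relying party. The sample assertion is constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"  # standard XML-DSig namespace
NS = {"saml": SAML, "dsig": DSIG}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
DEFAULT_MAX_LIFETIME = timedelta(minutes=5)  # the page's stated default window


def parse_saml_time(value):
    """Parse the UTC timestamps used in the page's examples (e.g. 2007-03-10T19:34:16.654Z)."""
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now_iso, expected_issuer, skew=timedelta(seconds=30),
                    max_lifetime=DEFAULT_MAX_LIFETIME):
    """Return a list of problems; an empty list means the structural checks passed."""
    problems = []
    now = parse_saml_time(now_iso)
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % SAML:
        return ["root element is not a SAML 1.x Assertion"]
    if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        problems.append("not a SAML 1.1 assertion")
    if a.get("Issuer") != expected_issuer:
        problems.append("Issuer %r is not the trusted STS" % a.get("Issuer"))
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("Conditions with NotBefore and NotOnOrAfter are required")
    else:
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if now + skew < not_before:
            problems.append("token is not yet valid")
        if now - skew >= not_on_or_after:
            problems.append("token has expired")
        if not_on_or_after - not_before > max_lifetime:
            problems.append("validity window exceeds the allowed lifetime")
    sc = a.find("saml:AttributeStatement/saml:Subject/saml:SubjectConfirmation", NS)
    cm = sc.find("saml:ConfirmationMethod", NS) if sc is not None else None
    if cm is None or (cm.text or "").strip() != HOLDER_OF_KEY:
        problems.append("SubjectConfirmation must use holder-of-key")
    if sc is None or sc.find("dsig:KeyInfo", NS) is None:
        problems.append("SubjectConfirmation must carry a KeyInfo for the proof key")
    if a.find("dsig:Signature", NS) is None:
        problems.append("assertion is not signed")
    return problems


# Constructed assertion: NotBefore equals IssueInstant and the window is 5 minutes.
SAMPLE_ASSERTION = """<saml:Assertion MajorVersion='1' MinorVersion='1'
  AssertionID='_constructed-0001' Issuer='Woodgrove' IssueInstant='2007-03-10T19:29:16.654Z'
  xmlns:saml='%(saml)s' xmlns:dsig='%(dsig)s'>
  <saml:Conditions NotBefore='2007-03-10T19:29:16.654Z' NotOnOrAfter='2007-03-10T19:34:16.654Z'/>
  <saml:Advice/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>%(hok)s</saml:ConfirmationMethod>
        <dsig:KeyInfo><dsig:KeyName>constructed-proof-key</dsig:KeyName></dsig:KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AttributeStatement>
  <dsig:Signature><dsig:SignatureValue>constructed-placeholder</dsig:SignatureValue></dsig:Signature>
</saml:Assertion>""" % dict(NS, hok=HOLDER_OF_KEY)
```

The time checks use the relying party's own clock, passed in as `now_iso`, so the same function can be exercised against past and future instants in tests; in production, signature verification must run before any of these results are acted on.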

A sample response from the STS endpoint issuing a requested security token is given here.

Hypothetical response to a request for a security context token, providing the requested token
<s:Envelope 
  xmlns:s='http://www.w3.org/2003/05/soap-envelope' 
  xmlns:wsa='https://schemas.xmlsoap.org/ws/2004/08/addressing' 
  xmlns:wst='https://schemas.xmlsoap.org/ws/2005/02/trust'
  xmlns:wsu='https://schemas.xmlsoap.org/ws/2002/07/utility'
  xmlns:xenc='http://www.w3.org/2001/04/xmlenc'
  xmlns:dsig='http://www.w3.org/2000/09/xmldsig'
  xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion'
  xmlns:secxt='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
  xmlns:secu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
  xmlns:wsc='https://schemas.microsoft.com/ws/2006/05/context'
  xmlns:rm='https://schemas.microsoft.com/2006/11/ResourceManagement'>
  <s:Header>
    <wsa:To>
      http://www.woodgrove.com/sender
    </wsa:To>
    <wsa:Action>
      https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
    </wsa:Action>
    <wsa:MessageID>
      uuid:0000010e-0000-0000-C000-000000000048
    </wsa:MessageID>
    <wsa:RelatesTo>
      uuid:00000000-0000-0000-C000-000000000048
    </wsa:RelatesTo>
    <wsc:Context>
      <wsc:InstanceId>19bc8ea5-27f8-4136-97a2-3699697fd271</wsc:InstanceId>
    </wsc:Context>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponse>
      <wst:TokenType>
        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
      </wst:TokenType>
      <wst:RequestedSecurityToken>
        <saml:Assertion 
          MajorVersion='1' 
          MinorVersion='1' 
          AssertionID='_839c3252-a17c-4ada-9a7e-563e2792674b' 
          Issuer='Woodgrove' 
          IssueInstant='2007-03-10T19:34:16.654Z'>
          <saml:Conditions 
            NotBefore='2007-03-10T19:29:16.654Z' 
            NotOnOrAfter='2007-03-11T05:34:16.654Z'>
          </saml:Conditions>
          <saml:Advice/>
          <saml:AttributeStatement>
            <saml:Subject>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>
                  urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
                </saml:ConfirmationMethod>
                <dsig:KeyInfo>
                  <xenc:EncryptedKey>
                    <xenc:EncryptionMethod 
                      Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'>
                      <dsig:DigestMethod 
                        Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'>
                      </dsig:DigestMethod>
                    </xenc:EncryptionMethod>
                    <dsig:KeyInfo>
                      <secxt:SecurityTokenReference>
                        <secxt:KeyIdentifier 
                          ValueType='http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1'>
                          hMvIhAF+Ptszt/a/Yh72b5Ay8vA=
                        </secxt:KeyIdentifier>
                      </secxt:SecurityTokenReference>
                    </dsig:KeyInfo>
                    <xenc:CipherData>
                      <xenc:CipherValue>
                        sWxsecx/N+sBeUm+L2hj2MOwXOu9ZsdmhqygJkZwwFjVcynHhqpCp2Y1DIZysc+BlbYBVnwHHGWG8EsP4f6HyuEAvCkTyf+4ZasQ/YZTn7eGgjCSFvu5hpuWfEIx3Ydgdbu68ThNcMM3u15D/KNqwhxGsk5gU5aCKwelgMBT4=
                      </xenc:CipherValue>
                    </xenc:CipherData>
                  </xenc:EncryptedKey>
                </dsig:KeyInfo>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Attribute 
              AttributeName='authenticationProcess' 
              AttributeNamespace='https://schemas.microsoft.com/2006/11/IdentityManagement'>
              <saml:AttributeValue Type='rm:GUID'>
                11111111-1111-1111-1111-111111111111
              </saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <dsig:Signature>
            <dsig:SignedInfo>
              <dsig:CanonicalizationMethod 
                Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
              </dsig:CanonicalizationMethod>
              <dsig:SignatureMethod 
                Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'>
              </dsig:SignatureMethod>
              <dsig:Reference 
                URI='#_839c3252-a17c-4ada-9a7e-563e2792674b'>
                <dsig:Transforms>
                  <dsig:Transform 
                    Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'>
                  </dsig:Transform>
                  <dsig:Transform 
                    Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
                  </dsig:Transform>
                </dsig:Transforms>
                <dsig:DigestMethod 
                  Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'>
                </dsig:DigestMethod>
                <dsig:DigestValue>
                  hoBl5Sjg/LxjMHjgr3DjJ5i6AKE=
                </dsig:DigestValue>
              </dsig:Reference>
            </dsig:SignedInfo>
            <dsig:SignatureValue>
              SGCWX41FTM5/g+OvUKR1uJWfdaf1micKAScX6tSMBkzPwBzBZv+m
              qAYETPlmAamvlGxLb2lITPovjpAR9Zt3T3ODBpP8pHQkkxEdE3BcilrHcFL0KCNzIWIry/W4mp9Gxzu5
              noFhyAY+83nKTyd8W6Gr+F4qEAzlIMa8e/TDLeY=
            </dsig:SignatureValue>
            <dsig:KeyInfo>
              <secxt:SecurityTokenReference>
                <secxt:KeyIdentifier 
                  ValueType='http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1'>
                  hMvIhAF+Ptszt/a/Yh72b5Ay8vA=
                </secxt:KeyIdentifier>
              </secxt:SecurityTokenReference>
            </dsig:KeyInfo>
          </dsig:Signature>
        </saml:Assertion>
      </wst:RequestedSecurityToken>
      <wst:RequestedAttachedReference>
        <secxt:SecurityTokenReference>
          <secxt:KeyIdentifier 
            ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID'>
            _839c3252-a17c-4ada-9a7e-563e2792674b
          </secxt:KeyIdentifier>
        </secxt:SecurityTokenReference>
      </wst:RequestedAttachedReference>
      <wst:RequestedUnattachedReference>
        <secxt:SecurityTokenReference>
          <secxt:KeyIdentifier 
            ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID'>
            _839c3252-a17c-4ada-9a7e-563e2792674b
          </secxt:KeyIdentifier>
        </secxt:SecurityTokenReference>
      </wst:RequestedUnattachedReference>
      <wst:RequestedProofToken>
        <wst:ComputedKey>
          https://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
        </wst:ComputedKey>
      </wst:RequestedProofToken>
      <wst:Entropy>
        <wst:BinarySecret 
          secu:Id='uuid-72856c87-f49d-4ef0-86fe-f4b5affbbcc6-10'>
          U7Qs2MTieDz4e0lYMlwzzyF8JbcXI7nPNh22A2/hsfY=
        </wst:BinarySecret>
      </wst:Entropy>
    </wst:RequestSecurityTokenResponse>
  </s:Body>
</s:Envelope>

Default Endpoint

The default endpoint address is http://localhost:5726/SecurityTokenService/Intranet.

Exceptions

Refer to the WS-Trust specification.

Remarks

The FIM web service only accepts UTF-8 encoding of strings and SOAP messages. Other encodings will be converted to UTF-8 if possible. If an encoding cannot be converted to UTF-8 then the web service will return wxf:InvalidRepresentationFault (see WS-Transfer Extensions for Identity Management Operations specification).

See Also

Concepts

Web Services Overview