3.3.4.1.1 Token Request
The following is a token request that is sent to an STS. The required elements and values are specified after the token request.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
            xmlns:auth="http://schemas.xmlsoap.org/ws/2006/12/authorization"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <s:Header>
    <a:To s:mustUnderstand="1" u:Id="_1">https://login.live-int.com:44329/liveidSTS.srf</a:To>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:64f95d31-e078-4f2e-8bb2-d8e6e183a1f0</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <o:Security s:mustUnderstand="1">
      <u:Timestamp u:Id="_0">
        <u:Created>2009-09-24T17:34:08Z</u:Created>
        <u:Expires>2009-09-24T17:39:08Z</u:Expires>
      </u:Timestamp>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#_1">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>Y6HYkPrH5NqSrdcLg8AYXDphZ74=</DigestValue>
          </Reference>
          <Reference URI="#_0">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>1Taikh1jTPazJ2KnVddUmByNd/s=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>dbpePnJ3w7i6Ro09jhxzd60HKt3ssZPuSWVk … ==</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">sUwVAnqj8qmOw5IJ7L0Z7s8fEh4=</o:KeyIdentifier>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken Id="uuid-e067aa03-623a-4120-b8d9-64b60e8f1104">
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
      <t:KeySize>256</t:KeySize>
      <t:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</t:CanonicalizationAlgorithm>
      <t:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:EncryptionAlgorithm>
      <t:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:EncryptWith>
      <t:SignWith>http://www.w3.org/2000/09/xmldsig#hmac-sha1</t:SignWith>
      <t:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKeyAlgorithm>
      <wsp:AppliesTo>
        <a:EndpointReference>
          <a:Address>http://fabrikam.com</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <t:OnBehalfOf>
        <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="saml-6c5a4142-8257-4efa-8b45-491feee53159"
                        Issuer="contoso.com" IssueInstant="2009-09-24T17:34:09.095Z"
                        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
          <saml:Conditions NotBefore="2009-09-24T17:34:09.079Z" NotOnOrAfter="2009-09-24T17:39:09.079Z">
            <saml:AudienceRestrictionCondition>
              <saml:Audience>uri:WindowsLiveID</saml:Audience>
            </saml:AudienceRestrictionCondition>
          </saml:Conditions>
          <saml:AttributeStatement>
            <saml:Subject>
              <saml:NameIdentifier Format="http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID">A0/HqOjr7EOU8HUUv2Tgfg==@contoso.com</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
              <saml:AttributeValue>joe@contoso.com</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2009-09-24T17:34:09.095Z">
            <saml:Subject>
              <saml:NameIdentifier Format="http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID">A0/HqOjr7EOU8HUUv2Tgfg==@contoso.com</saml:NameIdentifier>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
          </saml:AuthenticationStatement>
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
              <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
              <Reference URI="#saml-6c5a4142-8257-4efa-8b45-491feee53159">
                <Transforms>
                  <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <DigestValue>2fQF5XM8cqkXR/DOd/TigD3c6YM=</DigestValue>
              </Reference>
            </SignedInfo>
            <SignatureValue>b+MQeAJwlIKGjoWgkE1+ookJ626nZ5 … ==</SignatureValue>
            <KeyInfo>
              <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">sUwVAnqj8qmOw5IJ7L0Z7s8fEh4=</o:KeyIdentifier>
              </o:SecurityTokenReference>
            </KeyInfo>
          </Signature>
        </saml:Assertion>
      </t:OnBehalfOf>
      <auth:AdditionalContext>
        <auth:ContextItem Scope="http://schemas.xmlsoap.org/ws/2006/12/authorization/ctx/requestor" Name="http://schemas.microsoft.com/wlid/requestor">
          <auth:Value>contoso.com</auth:Value>
        </auth:ContextItem>
      </auth:AdditionalContext>
      <t:Claims Dialect="http://schemas.xmlsoap.org/ws/2006/12/authorization/authclaims">
        <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2006/12/authorization/claims/action">
          <auth:Value>MSExchange.SharingCalendarFreeBusy</auth:Value>
        </auth:ClaimType>
      </t:Claims>
      <wsp:PolicyReference URI="EX_MBI_FED_SSL"></wsp:PolicyReference>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
```
The following attributes and elements are required.
/s:Envelope/s:Header/a:To The URI in this element is taken from the /Federation Metadata/Federation/TargetServiceEndpoint element of the federation metadata document provided by the STS.
/s:Envelope/s:Header/o:Security/u:Timestamp/u:Created The Coordinated Universal Time (UTC) time at which the request is made.
/s:Envelope/s:Header/o:Security/u:Timestamp/u:Expires The UTC time at which the offer for the authentication token expires. This is the create time plus a duration.<7>
/s:Envelope/s:Header/o:Security/Signature The standard signature of the To and Timestamp headers, as specified in [XMLDSig2].
/s:Envelope/s:Header/o:Security/Signature/Reference/DigestValue The digest value that is returned by the specified digest method of the previous To and Timestamp headers, as specified in [XMLDSig2].
/s:Envelope/s:Header/o:Security/Signature/SignatureValue The signature of the To and Timestamp headers, as specified in [XMLDSig2].
/s:Envelope/s:Header/o:Security/Signature/KeyInfo/o:SecurityTokenReference/o:KeyIdentifier The SubjectKeyIdentifier value of the X509 certificate that is associated with the organization and sent to the STS by using the CreateAppId operation, as specified in section 3.2.4.2, or UpdateAppIdCertificate operation, as specified in section 3.2.4.7.
/s:Envelope/s:Body/t:RequestSecurityToken/wsp:AppliesTo/a:EndpointReference/a:Address The URI of the organization to which the token will be sent.
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion Attributes of the saml:Assertion element, as shown in the following table.

| Attribute | Value |
|---|---|
| AssertionID | A unique identifier that identifies this specific token request. |
| Issuer | The URI of the organization that is requesting the token. This URI is the same as the value that is sent to the STS with the AddUri operation,<8> as specified in section 3.2.4.1. |
| IssueInstant | The UTC date and time that the request is made. |
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Conditions Attributes of the saml:Conditions element, as shown in the following table.

| Attribute | Value |
|---|---|
| NotBefore | The UTC date and time that the request is made. |
| NotOnOrAfter | The UTC date and time that the offer expires. |
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience MUST be set to the URI of the STS.<9>
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:AttributeStatement/saml:Subject/saml:NameIdentifier The Format attribute of the saml:NameIdentifier element MUST be set to an identifier of the user for whom the token is requested.<10>
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:AttributeStatement/saml:Attribute An attribute MUST be set to the e-mail address of the user for whom the token is requested. The AttributeName MUST be "EmailAddress".
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:AttributeStatement/saml:Attribute/saml:AttributeValue The e-mail address of the user for whom the token is requested. The domain part of the e-mail address MUST be one of the URI values previously registered with the AddUri operation, as specified in section 3.2.4.1.
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier The Format attribute of the saml:NameIdentifier element MUST be set to an identifier of the user for whom the token is requested. The identifier MUST be the same as the /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:AttributeStatement/saml:Subject/saml:NameIdentifier element value.<11>
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:AuthenticationStatement/saml:Signature The Signature element is set to the standard XML signature of the OnBehalfOf element, as specified in [XMLDSig2]. Expected values for elements of the Signature element are as follows:
/s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:AuthenticationStatement/saml:Signature/KeyInfo/o:KeyIdentifier MUST be the SubjectKeyIdentifier element of the X509 certificate that is used when calling the CreateAppId operation, as specified in section 3.2.4.2.
/s:Envelope/s:Body/t:RequestSecurityToken/auth:AdditionalContext/auth:ContextItem A ContextItem element with the Scope attribute set to "http://schemas.xmlsoap.org/ws/2006/12/authorization/ctx/requestor" and the Name attribute set to "http://schemas.microsoft.com/wlid/requestor" MUST be present.
/s:Envelope/s:Body/t:RequestSecurityToken/auth:AdditionalContext/auth:ContextItem/auth:Value MUST be set to the same URI as the value used for the Issuer attribute of the /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion element.
/s:Envelope/s:Body/t:RequestSecurityToken/t:Claims The request MUST contain a t:Claims element with the Dialect attribute value set to "http://schemas.xmlsoap.org/ws/2006/12/authorization/authclaims" and containing at least one auth:ClaimType element.
/s:Envelope/s:Body/t:RequestSecurityToken/t:Claims/auth:ClaimType The request MUST contain an auth:ClaimType element with the Uri attribute value set to "http://schemas.xmlsoap.org/ws/2006/12/authorization/claims/action" and containing at least one auth:Value element.
/s:Envelope/s:Body/t:RequestSecurityToken/t:Claims/auth:ClaimType/auth:Value MUST be set to the name of the token requested. It can be any one of the following names:

- MSExchange.SharingInviteMessage
- MSExchange.SharingCalendarFreeBusy
- MSExchange.SharingRead
- MSExchange.DeliveryExternalSubmit
- MSExchange.DeliveryInternalSubmit
- MSExchange.MailboxMove
- MSExchange.Autodiscover
- MSExchange.CertificationWS
- MSExchange.LicensingWS

/s:Envelope/s:Body/t:RequestSecurityToken/wsp:PolicyReference The request MUST contain one wsp:PolicyReference element with the URI attribute value set to the token policy to use.<12>
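As an added illustration (not part of the specification or of any STS implementation), the following Python checks the body of a token request against the requirements above from the receiving side: the assertion's validity window, the Audience, agreement of the two NameIdentifier values, a registered e-mail domain, the requestor ContextItem matching the Issuer, an allowed action name, and the presence of the policy reference. The check_rst function, its sts_uri and registered_uris parameters and the cut-down sample request are constructed for this example; XML signature verification is deliberately left to an XMLDSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
AUTH = "http://schemas.xmlsoap.org/ws/2006/12/authorization"
NS = {"t": "http://schemas.xmlsoap.org/ws/2005/02/trust", "auth": AUTH,
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy", "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
# The nine token names the section allows in auth:Value
ACTIONS = {"MSExchange." + n for n in ("SharingInviteMessage SharingCalendarFreeBusy SharingRead DeliveryExternalSubmit "
           "DeliveryInternalSubmit MailboxMove Autodiscover CertificationWS LicensingWS").split()}

def utc(ts):  # SAML 1.1 UTC timestamp such as 2009-09-24T17:34:09.095Z; fractional seconds are dropped
    return datetime.strptime(ts.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_rst(rst_xml, sts_uri, registered_uris, now):
    """Return the violations found in a t:RequestSecurityToken (empty list = passes). XMLDSig is not verified here."""
    rst = ET.fromstring(rst_xml)
    a = rst.find("t:OnBehalfOf/saml:Assertion", NS)
    cond = None if a is None else a.find("saml:Conditions", NS)
    if cond is None:
        return ["t:OnBehalfOf assertion or its saml:Conditions missing"]
    ids = [n.text for n in a.findall(".//saml:Subject/saml:NameIdentifier", NS)]  # one per statement
    email = a.findtext("saml:AttributeStatement/saml:Attribute[@AttributeName='EmailAddress']/saml:AttributeValue",
                       default="", namespaces=NS)
    ctx = rst.findtext("auth:AdditionalContext/auth:ContextItem[@Name='http://schemas.microsoft.com/wlid/requestor']"
                       "/auth:Value", namespaces=NS)
    acts = [v.text for v in rst.findall(f"t:Claims[@Dialect='{AUTH}/authclaims']/auth:ClaimType"
                                        f"[@Uri='{AUTH}/claims/action']/auth:Value", NS)]
    checks = [  # (requirement holds?, message), in the order the section lists the requirements
        (utc(cond.get("NotBefore")) <= now < utc(cond.get("NotOnOrAfter")), "assertion outside NotBefore/NotOnOrAfter"),
        (cond.findtext("saml:AudienceRestrictionCondition/saml:Audience", namespaces=NS) == sts_uri, "Audience is not the STS URI"),
        (len(ids) == 2 and ids[0] == ids[1], "NameIdentifier missing or differs between the two statements"),
        (email.rpartition("@")[2] in registered_uris, "e-mail domain was not registered with AddUri"),
        (ctx == a.get("Issuer"), "requestor ContextItem missing or differs from the assertion Issuer"),
        (bool(acts) and set(acts) <= ACTIONS, "t:Claims action missing or not one of the listed token names"),
        (rst.find("wsp:PolicyReference", NS) is not None, "wsp:PolicyReference missing"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample request body (not the page's message), cut down to the elements the checker reads
SAMPLE = f"""<t:RequestSecurityToken xmlns:t="{NS['t']}" xmlns:auth="{AUTH}" xmlns:wsp="{NS['wsp']}" xmlns:saml="{NS['saml']}">
<t:OnBehalfOf><saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="saml-1" Issuer="contoso.com"
 IssueInstant="2009-09-24T17:34:09.095Z"><saml:Conditions NotBefore="2009-09-24T17:34:09.079Z"
 NotOnOrAfter="2009-09-24T17:39:09.079Z"><saml:AudienceRestrictionCondition><saml:Audience>uri:WindowsLiveID</saml:Audience>
</saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject>
<saml:NameIdentifier>A0/Hq==@contoso.com</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName="EmailAddress">
<saml:AttributeValue>joe@contoso.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>A0/Hq==@contoso.com</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement></saml:Assertion></t:OnBehalfOf><auth:AdditionalContext><auth:ContextItem
 Name="http://schemas.microsoft.com/wlid/requestor"><auth:Value>contoso.com</auth:Value></auth:ContextItem>
</auth:AdditionalContext><t:Claims Dialect="{AUTH}/authclaims"><auth:ClaimType Uri="{AUTH}/claims/action">
<auth:Value>MSExchange.SharingCalendarFreeBusy</auth:Value></auth:ClaimType></t:Claims>
<wsp:PolicyReference URI="EX_MBI_FED_SSL"/></t:RequestSecurityToken>"""
```

A request that passes these checks still needs both signatures verified against the certificate registered with CreateAppId before the STS issues anything.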