3.3.4.1.1 Token Request

The following is a token request that is sent to an STS. The required elements and values are specified after the token request.

 <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:auth="http://schemas.xmlsoap.org/ws/2006/12/authorization" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
   <s:Header>
     <a:To s:mustUnderstand="1" u:Id="_1">https://login.live-int.com:44329/liveidSTS.srf</a:To>
     <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
     <a:MessageID>urn:uuid:64f95d31-e078-4f2e-8bb2-d8e6e183a1f0</a:MessageID>
     <a:ReplyTo>
       <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
     </a:ReplyTo>
     <o:Security s:mustUnderstand="1">
       <u:Timestamp u:Id="_0">
         <u:Created>2009-09-24T17:34:08Z</u:Created>
         <u:Expires>2009-09-24T17:39:08Z</u:Expires>
       </u:Timestamp>
       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
           <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
           <Reference URI="#_1">
             <Transforms>
               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
             </Transforms>
             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
             <DigestValue>Y6HYkPrH5NqSrdcLg8AYXDphZ74=</DigestValue>
           </Reference>
           <Reference URI="#_0">
             <Transforms>
               <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
             </Transforms>
             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
             <DigestValue>1Taikh1jTPazJ2KnVddUmByNd/s=</DigestValue>
           </Reference>
         </SignedInfo>
         <SignatureValue>dbpePnJ3w7i6Ro09jhxzd60HKt3ssZPuSWVk … ==</SignatureValue>
         <KeyInfo>
           <o:SecurityTokenReference>
             <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">sUwVAnqj8qmOw5IJ7L0Z7s8fEh4=</o:KeyIdentifier>
           </o:SecurityTokenReference>
         </KeyInfo>
       </Signature>
     </o:Security>
   </s:Header>
   <s:Body>
     <t:RequestSecurityToken Id="uuid-e067aa03-623a-4120-b8d9-64b60e8f1104">
       <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
       <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
       <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
       <t:KeySize>256</t:KeySize>
       <t:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</t:CanonicalizationAlgorithm>
       <t:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:EncryptionAlgorithm>
       <t:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:EncryptWith>
       <t:SignWith>http://www.w3.org/2000/09/xmldsig#hmac-sha1</t:SignWith>
       <t:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKeyAlgorithm>
       <wsp:AppliesTo>
         <a:EndpointReference>
           <a:Address>http://fabrikam.com</a:Address>
         </a:EndpointReference>
       </wsp:AppliesTo>
       <t:OnBehalfOf>
         <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="saml-6c5a4142-8257-4efa-8b45-491feee53159" Issuer="contoso.com" IssueInstant="2009-09-24T17:34:09.095Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
           <saml:Conditions NotBefore="2009-09-24T17:34:09.079Z" NotOnOrAfter="2009-09-24T17:39:09.079Z">
             <saml:AudienceRestrictionCondition>
               <saml:Audience>uri:WindowsLiveID</saml:Audience>
             </saml:AudienceRestrictionCondition>
           </saml:Conditions>
           <saml:AttributeStatement>
             <saml:Subject>
               <saml:NameIdentifier Format="http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID">A0/HqOjr7EOU8HUUv2Tgfg==@contoso.com</saml:NameIdentifier>
               <saml:SubjectConfirmation>
                 <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
               </saml:SubjectConfirmation>
             </saml:Subject>
             <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
               <saml:AttributeValue>joe@contoso.com</saml:AttributeValue>
             </saml:Attribute>
           </saml:AttributeStatement>
           <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2009-09-24T17:34:09.095Z">
             <saml:Subject>
               <saml:NameIdentifier Format="http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID">A0/HqOjr7EOU8HUUv2Tgfg==@contoso.com</saml:NameIdentifier>
               <saml:SubjectConfirmation>
                 <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
               </saml:SubjectConfirmation>
             </saml:Subject>
           </saml:AuthenticationStatement>
           <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
             <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
               <Reference URI="#saml-6c5a4142-8257-4efa-8b45-491feee53159">
                 <Transforms>
                   <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                   <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                 </Transforms>
                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                 <DigestValue>2fQF5XM8cqkXR/DOd/TigD3c6YM=</DigestValue>
               </Reference>
             </SignedInfo>
             <SignatureValue>b+MQeAJwlIKGjoWgkE1+ookJ626nZ5 … ==</SignatureValue>
             <KeyInfo>
               <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                 <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">sUwVAnqj8qmOw5IJ7L0Z7s8fEh4=</o:KeyIdentifier>
               </o:SecurityTokenReference>
             </KeyInfo>
           </Signature>
         </saml:Assertion>
       </t:OnBehalfOf>
       <auth:AdditionalContext>
         <auth:ContextItem Scope="http://schemas.xmlsoap.org/ws/2006/12/authorization/ctx/requestor" Name="http://schemas.microsoft.com/wlid/requestor">
           <auth:Value>contoso.com</auth:Value>
         </auth:ContextItem>
       </auth:AdditionalContext>
       <t:Claims Dialect="http://schemas.xmlsoap.org/ws/2006/12/authorization/authclaims">
         <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2006/12/authorization/claims/action">
           <auth:Value>MSExchange.SharingCalendarFreeBusy</auth:Value>
         </auth:ClaimType>
       </t:Claims>
       <wsp:PolicyReference URI="EX_MBI_FED_SSL"></wsp:PolicyReference>
     </t:RequestSecurityToken>
   </s:Body>
 </s:Envelope>

The following attributes and elements are required.

  • /s:Envelope/s:Header/a:To   The URI in this element is taken from the /Federation Metadata/Federation/TargetServiceEndpoint element of the federation metadata document provided by the STS.

  • /s:Envelope/s:Header/o:Security/u:Timestamp/u:Created   The Coordinated Universal Time (UTC) time at which the request is made.

  • /s:Envelope/s:Header/o:Security/u:Timestamp/u:Expires   The UTC time at which the offer for the authentication token expires. This is the create time plus a duration.<7>

  • /s:Envelope/s:Header/o:Security/Signature   An XML signature, as specified in [XMLDSig2], over the a:To and u:Timestamp headers, which the Signature references by their u:Id values (URI="#_1" and URI="#_0" in the request above).

  • /s:Envelope/s:Header/o:Security/Signature/Reference/DigestValue   One DigestValue per Reference: the digest of the referenced header (a:To or u:Timestamp), computed with the specified DigestMethod, as specified in [XMLDSig2].

  • /s:Envelope/s:Header/o:Security/Signature/SignatureValue   The signature over SignedInfo, and thereby over the To and Timestamp headers, as specified in [XMLDSig2].

  • /s:Envelope/s:Header/o:Security/Signature/KeyInfo/o:SecurityTokenReference/o:KeyIdentifier   The SubjectKeyIdentifier value of the X509 certificate that is associated with the organization and sent to the STS by using the CreateAppId operation, as specified in section 3.2.4.2, or the UpdateAppIdCertificate operation, as specified in section 3.2.4.7.

  • /s:Envelope/s:Body/t:RequestSecurityToken/wsp:AppliesTo/a:EndpointReference/a:Address   The URI of the organization to which the token will be sent.

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion   Attributes of the saml:Assertion element, as shown in the following table.

    Attribute      Value
    AssertionID    A unique identifier that identifies this specific token request.
    Issuer         The URI of the organization that is requesting the token. This URI is the same as the value that is sent to the STS with the AddUri operation,<8> as specified in section 3.2.4.1.
    IssueInstant   The UTC date and time that the request is made.

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/saml:Conditions   Attributes of the saml:Conditions element, as shown in the following table.

    Attribute      Value
    NotBefore      The UTC date and time that the request is made.
    NotOnOrAfter   The UTC date and time that the offer expires.

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience   MUST be set to the URI of the STS.<9>

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier   MUST contain an identifier of the user for whom the token is requested; the Format attribute of the saml:NameIdentifier element names the identifier format (the request above uses http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID).<10>

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/saml:AttributeStatement/saml:Attribute   An attribute MUST be present that carries the e-mail address of the user for whom the token is requested. Its AttributeName MUST be "EmailAddress".

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/saml:AttributeStatement/saml:Attribute/saml:AttributeValue   The e-mail address of the user for whom the token is requested. The domain part of the e-mail address MUST be one of the URI values previously registered with the AddUri operation, as specified in section 3.2.4.1.

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier   MUST contain an identifier of the user for whom the token is requested, with the Format attribute naming the identifier format. The identifier MUST be the same as the value of the /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier element.<11>

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/Signature   An enveloped XML signature over the saml:Assertion element, as specified in [XMLDSig2]; its Reference URI is the AssertionID of the assertion (in the request above, "#saml-6c5a4142-8257-4efa-8b45-491feee53159"). Expected values for elements of the Signature element are as follows:

    • /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/Signature/KeyInfo/o:SecurityTokenReference/o:KeyIdentifier   MUST be the SubjectKeyIdentifier of the X509 certificate that is used when calling the CreateAppId operation, as specified in section 3.2.4.2.

  • /s:Envelope/s:Body/t:RequestSecurityToken/auth:AdditionalContext/auth:ContextItem   A ContextItem element with the Scope attribute set to "http://schemas.xmlsoap.org/ws/2006/12/authorization/ctx/requestor" and the Name attribute set to "http://schemas.microsoft.com/wlid/requestor" MUST be present.

  • /s:Envelope/s:Body/t:RequestSecurityToken/auth:AdditionalContext/auth:ContextItem/auth:Value   MUST be set to the same URI as the value used for the Issuer attribute of the /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion element.

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:Claims   The request MUST contain a t:Claims element with the Dialect attribute value set to "http://schemas.xmlsoap.org/ws/2006/12/authorization/authclaims" and containing at least one auth:ClaimType element.

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:Claims/auth:ClaimType   The request MUST contain an auth:ClaimType element with the Uri attribute value set to "http://schemas.xmlsoap.org/ws/2006/12/authorization/claims/action" and containing at least one auth:Value element.

  • /s:Envelope/s:Body/t:RequestSecurityToken/t:Claims/auth:ClaimType/auth:Value   MUST be set to the name of the token requested. Can be any one of the following names.

    • MSExchange.SharingInviteMessage

    • MSExchange.SharingCalendarFreeBusy

    • MSExchange.SharingRead

    • MSExchange.DeliveryExternalSubmit

    • MSExchange.DeliveryInternalSubmit

    • MSExchange.MailboxMove

    • MSExchange.Autodiscover

    • MSExchange.CertificationWS

    • MSExchange.LicensingWS

  • /s:Envelope/s:Body/t:RequestSecurityToken/wsp:PolicyReference   The request MUST contain one wsp:PolicyReference element with the URI attribute value set to the token policy to use.<12>
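As an added example (it is not part of the specification and not Microsoft's code), the following Python applies the MUST rules listed above to an incoming request using only the standard library, the kind of pre-check an STS implementation or a test harness would run before the costlier signature verification. It does not verify either XML signature and does not evaluate the token policy. SAMPLE_REQUEST is a constructed, trimmed copy of the request above with placeholder SKI and signature values, and the registered_uris parameter stands in for the set of URIs an organization has registered with AddUri; both are assumptions of this example.

```python
"""Added example, not part of the specification: structural checks for an STS token
request (RST with a SAML 1.1 OnBehalfOf assertion). XML signatures are NOT verified."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"s": "http://www.w3.org/2003/05/soap-envelope", "a": "http://www.w3.org/2005/08/addressing",
      "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "t": "http://schemas.xmlsoap.org/ws/2005/02/trust", "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "auth": "http://schemas.xmlsoap.org/ws/2006/12/authorization",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ACTIONS = {"MSExchange.SharingInviteMessage", "MSExchange.SharingCalendarFreeBusy", "MSExchange.SharingRead",
           "MSExchange.DeliveryExternalSubmit", "MSExchange.DeliveryInternalSubmit", "MSExchange.MailboxMove",
           "MSExchange.Autodiscover", "MSExchange.CertificationWS", "MSExchange.LicensingWS"}
REQUESTOR_SCOPE = "http://schemas.xmlsoap.org/ws/2006/12/authorization/ctx/requestor"
REQUESTOR_NAME = "http://schemas.microsoft.com/wlid/requestor"
CLAIMS_DIALECT = "http://schemas.xmlsoap.org/ws/2006/12/authorization/authclaims"
ACTION_CLAIM = "http://schemas.xmlsoap.org/ws/2006/12/authorization/claims/action"

def _utc(stamp):  # accepts both "...:08Z" and "...:09.079Z", as used in the request
    return datetime.strptime(stamp.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S")

def check_token_request(xml_text, sts_audience, registered_uris):
    """Return the violated rules; an empty list means the request is consistent."""
    env, errs = ET.fromstring(xml_text), []
    def txt(path, ctx=env):  # text of the first element at path, or None
        e = ctx.find(path, NS)
        return e.text.strip() if e is not None and e.text else None
    created, expires = (txt("s:Header/o:Security/u:Timestamp/u:" + n) for n in ("Created", "Expires"))
    if not (txt("s:Header/a:To") and created and expires and _utc(created) < _utc(expires)):
        errs.append("a:To or Timestamp Created/Expires missing, or Expires not after Created")
    rst = env.find("s:Body/t:RequestSecurityToken", NS)
    asr = rst.find("t:OnBehalfOf/saml:Assertion", NS) if rst is not None else None
    if asr is None:
        return errs + ["t:OnBehalfOf/saml:Assertion missing"]
    hdr_ski = txt("s:Header/o:Security/ds:Signature/ds:KeyInfo/o:SecurityTokenReference/o:KeyIdentifier")
    sig = asr.find("ds:Signature", NS)  # both signatures must name the registered certificate (same SKI)
    asr_ski = txt("ds:KeyInfo/o:SecurityTokenReference/o:KeyIdentifier", sig) if sig is not None else None
    if not hdr_ski or hdr_ski != asr_ski:
        errs.append("KeyIdentifier (SKI) missing or differs between header and assertion")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != "#" + (asr.get("AssertionID") or ""):
        errs.append("assertion Signature Reference does not cover the AssertionID")
    cond = asr.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and noa and _utc(nb) < _utc(noa)):
        errs.append("Conditions NotBefore/NotOnOrAfter missing or not ordered")
    if txt("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", asr) != sts_audience:
        errs.append("Audience is not the STS URI")
    attr_id = txt("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", asr)
    if not attr_id or attr_id != txt("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", asr):
        errs.append("NameIdentifier missing or differs between the two statements")
    email = next((txt("saml:AttributeValue", at) for at in asr.findall("saml:AttributeStatement/saml:Attribute", NS)
                  if at.get("AttributeName") == "EmailAddress"), None)
    if not email or "@" not in email:
        errs.append("EmailAddress attribute missing")
    elif email.rsplit("@", 1)[1] not in registered_uris:
        errs.append("EmailAddress domain not registered with AddUri")
    issuer = asr.get("Issuer")
    if issuer not in registered_uris:
        errs.append("Issuer not registered with AddUri")
    if not any(ci.get("Scope") == REQUESTOR_SCOPE and ci.get("Name") == REQUESTOR_NAME
               and txt("auth:Value", ci) == issuer
               for ci in rst.findall("auth:AdditionalContext/auth:ContextItem", NS)):
        errs.append("requestor ContextItem missing or its Value differs from Issuer")
    claims = rst.find("t:Claims", NS)
    actions = [txt("auth:Value", ct) or "" for ct in (claims.findall("auth:ClaimType", NS) if claims is not None else [])
               if ct.get("Uri") == ACTION_CLAIM]
    if claims is None or claims.get("Dialect") != CLAIMS_DIALECT or not actions:
        errs.append("t:Claims with an action ClaimType missing")
    elif not set(actions) <= ACTIONS:
        errs.append("unknown action value(s): " + ", ".join(sorted(set(actions) - ACTIONS)))
    pol = rst.find("wsp:PolicyReference", NS)
    if pol is None or not pol.get("URI"):
        errs.append("wsp:PolicyReference missing")
    return errs

# Constructed sample modelled on the request above; SKI and signature values are placeholders.
SAMPLE_REQUEST = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
 xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:auth="http://schemas.xmlsoap.org/ws/2006/12/authorization" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><s:Header><a:To u:Id="_1">https://login.live-int.com:44329/liveidSTS.srf</a:To>
<o:Security><u:Timestamp u:Id="_0"><u:Created>2009-09-24T17:34:08Z</u:Created><u:Expires>2009-09-24T17:39:08Z</u:Expires></u:Timestamp>
<ds:Signature><ds:SignedInfo><ds:Reference URI="#_1"/><ds:Reference URI="#_0"/></ds:SignedInfo><ds:SignatureValue>x</ds:SignatureValue>
<ds:KeyInfo><o:SecurityTokenReference><o:KeyIdentifier>SKI-PLACEHOLDER</o:KeyIdentifier></o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</o:Security></s:Header><s:Body><t:RequestSecurityToken><t:OnBehalfOf><saml:Assertion AssertionID="saml-1" Issuer="contoso.com"
 IssueInstant="2009-09-24T17:34:09Z"><saml:Conditions NotBefore="2009-09-24T17:34:09.079Z" NotOnOrAfter="2009-09-24T17:39:09.079Z">
<saml:AudienceRestrictionCondition><saml:Audience>uri:WindowsLiveID</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>A0/HqOjr7EOU8HUUv2Tgfg==@contoso.com</saml:NameIdentifier></saml:Subject>
<saml:Attribute AttributeName="EmailAddress"><saml:AttributeValue>joe@contoso.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
<saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>A0/HqOjr7EOU8HUUv2Tgfg==@contoso.com</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement><ds:Signature><ds:SignedInfo><ds:Reference URI="#saml-1"/></ds:SignedInfo><ds:SignatureValue>x</ds:SignatureValue>
<ds:KeyInfo><o:SecurityTokenReference><o:KeyIdentifier>SKI-PLACEHOLDER</o:KeyIdentifier></o:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</saml:Assertion></t:OnBehalfOf><auth:AdditionalContext><auth:ContextItem Name="http://schemas.microsoft.com/wlid/requestor"
 Scope="http://schemas.xmlsoap.org/ws/2006/12/authorization/ctx/requestor"><auth:Value>contoso.com</auth:Value></auth:ContextItem>
</auth:AdditionalContext><t:Claims Dialect="http://schemas.xmlsoap.org/ws/2006/12/authorization/authclaims"><auth:ClaimType
 Uri="http://schemas.xmlsoap.org/ws/2006/12/authorization/claims/action"><auth:Value>MSExchange.SharingCalendarFreeBusy</auth:Value>
</auth:ClaimType></t:Claims><wsp:PolicyReference URI="EX_MBI_FED_SSL"/></t:RequestSecurityToken></s:Body></s:Envelope>"""
```

Calling check_token_request(SAMPLE_REQUEST, "uri:WindowsLiveID", {"contoso.com"}) returns an empty list; changing the Audience, the EmailAddress domain, one of the two NameIdentifier values, the header SKI or the action name each produces the corresponding violation. A request that passes these checks is still only acceptable once both signatures validate against the certificate whose SubjectKeyIdentifier was registered through CreateAppId or UpdateAppIdCertificate: until then every field checked here, Issuer and EmailAddress included, is text chosen by whoever sent the request.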