3.2 Web Ticket Service Server Details
The Web Ticket Service issues Web tickets using its IssueToken operation, which follows the protocol described in [WS-Trust1.3], except where indicated in section 3.2.4.1.1.1 and section 3.2.4.1.1.2.
Clients MUST authenticate to the Web Ticket Service using one of the following authentication protocols:
OCS-signed certificate authentication
Live ID authentication
OAuth2 authentication
Integrated Windows authentication follows the Kerberos and the NT LAN Manager (NTLM) Authentication Protocol, as specified in [RFC4559]. If Integrated Windows authentication fails, the errors defined in section 3.2.4.1 are returned.
Certificate (2) authentication signed by a user agent server (UAS) follows SOAP Message Security 1.1, as specified in [WSS], to validate an X.509 security token, as specified in [WSSX509TP]. If OCS-signed certificate (2) authentication fails, the errors defined in section 3.2.4.1 are returned. The certificate signed by the UAS can be obtained from the Certificate Provisioning Service described in section 3.1 of this document.
The Live ID token is presented as a Security Assertion Markup Language (SAML) token, as specified in [SAMLCore], and verified using SOAP Message Security 1.1, as specified in [WSS]. The way in which the client retrieves the SAML token is out of the scope of this document. The type of Live ID environment for which the server is configured is specified in the Web service metadata as MSWebAuthentication policy assertion. See section 2.2.4.2 for MSWebAuthentication policy assertion schema. If Live ID authentication fails, the errors defined in section 3.2.4.1 are returned.
The OAuth2 authentication follows the OAuth 2.0 Authorization Protocol described in [IETFDRAFT-OAuth2.0] with Extensions described in [MS-OAUTH2EX]. The protocol server extracts the OAuth2 token from the Authorization header of the HTTP request and validates that:
the token carries an actor token that was issued by the Authorization Server that protocol server trusts;
the actor token is signed by a certificate associated with the Authorization Server that issued the token;
the actor token nameid (name identifier) claim value matches the issuer claim in the token;
both the token itself and actor token carry audience claim with a value in the following format: 00000004-0000-0ff1-ce00-000000000000/<host_fqdn>@<realm>, where:
00000004-0000-0ff1-ce00-000000000000 is identifier associated with the protocol server described in the document,
<host_fqdn> is a placeholder which represents the fully qualified domain name (FQDN) of the protocol server,
<realm> is a place holder which represents a realm value configured for the protocol server;
the token carries at least one of the following claims: nameid (name identifier), smtp (e-mail address), sip (SIP address) and values in these claims match corresponding values of exactly one user in the UAS database.
If validation of OAuth2 token fails, the errors defined in section 3.2.4.1 are returned.
Sending the Web Ticket as Credentials to a Web Service Web Application
After the client receives a Web ticket from the Web Ticket Service, the client MUST attach the Web ticket, as it would a SAML token, to its requests to a participating Web service.
If the Web ticket fails validation, OCSDiagnosticsFaultType, as described in section 2.2.4.1, SHOULD be returned. The following table describes the relevant OCSDiagnosticsFaultType.
faultcode |
ErrorId |
Reason |
---|---|---|
wsse:InvalidSecurityToken |
28032 |
The Web ticket is invalid. |
wsse:InvalidSecurityToken |
28033 |
The Web ticket has expired. |
wsse:InvalidSecurityToken |
28034 |
Proof Web tickets are only valid at the same Web server where they were requested. |
The Web service also returns faults specified in [WSSE 1.0].
The Web ticket can be sent as a signed security token or a proof-of-possession token, as specified in [WS-Trust1.3].
Sending the Web Ticket as Credentials to a Non-Web Service Web Application
After the client receives a Web ticket from the Web Ticket Service, the client MUST send the Web ticket in an HTTP header extension in its request to participating non-Web services.
-
X-MS-WebTicket = ticket-data *(";" ticket-extns) ticket-data = "opaque" "=" base64-ticket base64-ticket = 1*(ALPHA / DIGIT / "+" / "/") ; base-64 encoded SAML token ticket-extns: 1*(ALPHA / DIGIT / "-") "=" 1*(ALPHA / DIGIT / "-")
The Web ticket, or SAML token, used to construct the base64-ticket MUST be a signed security token, as specified in [WS-Trust1.3].
If the Web ticket fails validation, an error response MUST be returned with an HTTP extension header called X-Ms-diagnostics, as described in section 3.2.4.1. The following table describes the relevant fault codes.
Faultcode |
ErrorId |
Reason |
---|---|---|
wsse:InvalidSecurityToken |
28032 |
The Web ticket is invalid. |
wsse:InvalidSecurityToken |
28033 |
The Web ticket has expired. |