3.2.5.2.1 LsRequestSecurityToken Request

When the server receives an LsRequestSecurityToken request message, it MUST respond to it as if it were an [MS-MWBF] request for a security token.

The server MUST consider the targetRealmName element as if it were the wtrealm parameter of the [MS-MWBF] request for a security token.

The credentialTypeUri and credentials elements MUST contain information about the method used at the client for authenticating the [MS-MWBF] web browser requestor. The client MAY use username and password authentication or SSL client certificate authentication.<12>

If SSL client certificate authentication was used, the credentialTypeUri element MUST be "urn:ietf:rfc:2246". If username and password authentication was used, the credentialTypeUri element MUST be "urn:oasis:names:tc:SAML:1.0:am:password".

If SSL client certificate authentication was used, the credentials element MUST contain exactly two values. The first value MUST be "Certificate". The second value MUST be an X.509 certificate per [WSDL] that is Base64-encoded per [RFC4648].

If username and password authentication was used, the credentials element MUST contain exactly four values. The first value MUST be "Username". The second value MUST be the username of the web browser requestor. The third value MUST be "Password". The fourth value MUST be the password of the web browser requestor. The credentials provided for the client MUST be used to generate a security token for the user as described in [MS-MWBF].

The client MAY specify an identifier for a particular account store to be used by the server when generating claims for the web browser requestor using the accountStoreUri element.<13>

The client MAY specify an [RFC2965] cookie value that is Base64-encoded per [RFC4648] in the cookie element of the request.<14>
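The following is an added example, not code from this specification or from any Microsoft implementation, that shows how a server could parse an LsRequestSecurityToken message and enforce the credentialTypeUri and credentials rules above before passing anything on to [MS-MWBF] token generation. The element names targetRealmName, credentialTypeUri, credentials, accountStoreUri and cookie are taken from the text; the XML layout (an unnamespaced LsRequestSecurityToken root whose credentials element carries one <string> child per value) is an assumption, and the two request messages, the realm, the username and the certificate bytes are constructed for the example.

```python
"""Parse and validate an LsRequestSecurityToken message (added example).

The XML layout below is assumed: the specification text names the elements
but this example's nesting and the <string> child elements are not taken from it.
"""
import base64
import xml.etree.ElementTree as ET

# credentialTypeUri values from the specification text.
CERT_TYPE_URI = "urn:ietf:rfc:2246"
PASSWORD_TYPE_URI = "urn:oasis:names:tc:SAML:1.0:am:password"


def validate_credentials(credential_type_uri, values):
    """Apply the credentialTypeUri / credentials pairing rules.

    Returns a dict describing the authentication method, or raises ValueError
    so the server rejects the request instead of guessing at the client's intent.
    """
    if credential_type_uri == CERT_TYPE_URI:
        if len(values) != 2:
            raise ValueError("certificate credentials must carry exactly two values")
        if values[0] != "Certificate":
            raise ValueError("first value must be 'Certificate'")
        # validate=True rejects characters outside the Base64 alphabet instead
        # of silently dropping them, so a mangled certificate fails here.
        cert_der = base64.b64decode(values[1], validate=True)
        # A DER-encoded X.509 Certificate is an ASN.1 SEQUENCE (tag 0x30).
        if not cert_der or cert_der[0] != 0x30:
            raise ValueError("decoded certificate is not a DER SEQUENCE")
        return {"method": "certificate", "certificate_der": cert_der}

    if credential_type_uri == PASSWORD_TYPE_URI:
        if len(values) != 4:
            raise ValueError("password credentials must carry exactly four values")
        if values[0] != "Username" or values[2] != "Password":
            raise ValueError("expected the labels 'Username' and 'Password'")
        return {"method": "password", "username": values[1], "password": values[3]}

    raise ValueError("unsupported credentialTypeUri: %r" % (credential_type_uri,))


def is_rejected(credential_type_uri, values):
    """True if validate_credentials refuses this combination."""
    try:
        validate_credentials(credential_type_uri, values)
    except ValueError:
        return True
    return False


def parse_request(xml_text):
    """Extract the fields of an LsRequestSecurityToken (assumed XML layout)."""
    root = ET.fromstring(xml_text)
    if root.tag != "LsRequestSecurityToken":
        raise ValueError("not an LsRequestSecurityToken message")

    def text_of(name):
        node = root.find(name)
        return None if node is None else (node.text or "")

    values = [s.text or "" for s in root.findall("credentials/string")]
    result = {
        # targetRealmName is treated as the [MS-MWBF] wtrealm parameter.
        "wtrealm": text_of("targetRealmName"),
        "credentials": validate_credentials(text_of("credentialTypeUri"), values),
        "account_store_uri": text_of("accountStoreUri"),  # optional
        "cookie": None,  # optional, Base64-encoded [RFC2965] cookie value
    }
    cookie_b64 = text_of("cookie")
    if cookie_b64 is not None:
        result["cookie"] = base64.b64decode(cookie_b64, validate=True)
    return result


# Constructed sample messages (not captured traffic).
FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"  # minimal DER SEQUENCE placeholder, not a real certificate
COOKIE_B64 = base64.b64encode(b"session=abc").decode()

PASSWORD_REQUEST = f"""<LsRequestSecurityToken>
  <targetRealmName>urn:federation:example</targetRealmName>
  <credentialTypeUri>{PASSWORD_TYPE_URI}</credentialTypeUri>
  <credentials><string>Username</string><string>alice</string>
               <string>Password</string><string>hunter2</string></credentials>
  <cookie>{COOKIE_B64}</cookie>
</LsRequestSecurityToken>"""

CERT_REQUEST = f"""<LsRequestSecurityToken>
  <targetRealmName>urn:federation:example</targetRealmName>
  <credentialTypeUri>{CERT_TYPE_URI}</credentialTypeUri>
  <credentials><string>Certificate</string>
               <string>{base64.b64encode(FAKE_CERT_DER).decode()}</string></credentials>
  <accountStoreUri>urn:example:accountstore</accountStoreUri>
</LsRequestSecurityToken>"""

if __name__ == "__main__":
    for msg in (PASSWORD_REQUEST, CERT_REQUEST):
        print(parse_request(msg)["credentials"]["method"])
```

Because the message carries a reusable credential (a password or a certificate presented as a bare string), the server-side check fails closed: an unknown credentialTypeUri, a wrong value count, a misplaced label or undecodable Base64 all raise before the credentials are handed to the [MS-MWBF] token-generation step.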