3.1.1.2 LsRequestSecurityToken, RequestSecurityTokenWithToken, and LsRequestSecurityTokenWithCookie
At the client, a higher layer can determine whether the server accepts security tokens from a particular user's security realm as described in [MS-MWBF]. The user is represented by an email address. The client calls this method to learn whether the email address belongs to a security realm from which the server will accept tokens using the protocol defined in [MS-MWBF]. The following data is used in the client's request sent to the server and in the server's response sent to the client.
| Name | Description | Corresponding message parameter |
|---|---|---|
| Incoming Token | This parameter MUST be a Base64-encoded [RFC4648] security token conforming to [MS-MWBF] section 2.2.4.2. This is the security token obtained from the wresult parameter. | RequestSecurityTokenWithToken Request: <inToken> |
| Outgoing Security Token | This parameter MUST be a Base64-encoded [RFC4648] security token conforming to [MS-MWBF] section 2.2.4.2. This is the security token to issue in the wresult parameter of [MS-MWBF]. | All Responses: <SecurityToken> |
| Incoming Cookie | This parameter MUST be Base64-encoded [RFC4648] data used by the STS to cache data about the user as a [RFC2965] cookie. The protocol does not constrain the format of this data since it is written by the STS for later processing by the STS. STS implementations can use any appropriate data format, and proxy implementations need only retrieve it from the client as an [RFC2965] cookie. | LsRequestSecurityToken Request, RequestSecurityTokenWithToken Request: <cookie>; LsRequestSecurityTokenWithCookie Request: <latToken> |
| Outgoing Cookie | This parameter MUST be Base64-encoded [RFC4648] data used by the STS to cache data about the user as a [RFC2965] cookie. The protocol does not constrain the format of this data since it is written by the STS for later processing by the STS. STS implementations can use any appropriate data format, and proxy implementations need only write it to the client as an [RFC2965] cookie. | All Responses: <LogonAcceleratorToken> |
| Target Security Realm URI | This parameter identifies the security realm for whom the STS is to issue the security token. This parameter is taken from the wtrealm parameter of [MS-MWBF]. | All Requests: <TargetRealmName> |
| Credential Type URI | This parameter identifies whether the Credentials parameter contains a username and password or a certificate. | LsRequestSecurityToken Request: <credentialTypeUri> |
| Credentials | This parameter either contains a username and password, or a certificate. It is used by the STS to look up claims about the user. | LsRequestSecurityToken Request: <credentials> |
| Server Policy Version | This is a version number for the policy that is maintained by the server at the time of issuing a GetProxyTrustConfiguration response. | <Version> element |
| Server Policy GUID | This is a globally unique identifier for the policy that is maintained by the server at the time of issuing a GetProxyTrustConfiguration response. | <Guid> element |
| Foreign Realm Name/URI | This parameter is the security realm identifier for use in caching the web browser requestor's security realm selection. | All Responses: <ForeignRealmUri> |
| Requested Account Store URI | This parameter identifies the store that the client requests to be used for generating claims about the user. | LsRequestSecurityToken Request: <accountStoreUri> |
| Response Status | This parameter either indicates a successful request or provides information on why the request failed. | All Responses: <Status> |
| Credentials Verification Information | This parameter contains relevant data about the account store used to generate claims about the user. It is only used by the client for error details that might be presented to the web browser requestor. | All Responses: <CredentialsVerification> |
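
The following is an added example, not part of the specification: a Python check a receiver could run on an already parsed request, using the element-to-message mapping from the table above and strict [RFC4648] decoding for the Base64 parameters. The function names and the dict-of-elements input are assumptions; an element outside the mapping is reported only as not listed in the table, since the table is not the full message schema.

```python
import base64

# Request elements per message, taken from the table above.
REQUEST_ELEMENTS = {
    "LsRequestSecurityToken": {
        "cookie", "TargetRealmName", "credentialTypeUri",
        "credentials", "accountStoreUri",
    },
    "RequestSecurityTokenWithToken": {"inToken", "cookie", "TargetRealmName"},
    "LsRequestSecurityTokenWithCookie": {"latToken", "TargetRealmName"},
}
# Request elements the table says MUST carry Base64 [RFC4648] data.
BASE64_ELEMENTS = {"inToken", "cookie", "latToken"}


def strict_b64decode(text):
    """Decode Base64, rejecting characters outside the alphabet.

    base64.b64decode() silently discards non-alphabet characters unless
    validate=True is passed; RFC 4648 section 3.3 requires rejecting them
    unless the referring specification says otherwise.
    Raises ValueError (binascii.Error is a subclass) on bad input.
    """
    return base64.b64decode(text or "", validate=True)


def check_request(message, elements):
    """Return a list of problems found in one parsed request.

    `elements` maps element name -> text content; extracting it from the
    SOAP body is assumed to be done by the caller (hypothetical input shape).
    """
    allowed = REQUEST_ELEMENTS.get(message)
    if allowed is None:
        return [f"unknown message {message}"]
    problems = []
    for name, text in elements.items():
        if name not in allowed:
            problems.append(f"<{name}> is not listed for {message}")
        elif name in BASE64_ELEMENTS:
            try:
                strict_b64decode(text)
            except ValueError:
                problems.append(f"<{name}> is not valid Base64")
    return problems
```

The opaque cookie is only checked for encoding, because the protocol leaves its inner format to the STS.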