3.2 Interaction with Security Token Service (STS)

This section describes the third phase in MDE2 device enrollment: requesting and receiving the security token. The following diagram highlights this phase.

Figure 10: MDE2 device enrollment: requesting and receiving the security token

After the enrollment client receives the DiscoverResponse message (section 3.1.4.1.1.2), the client obtains a security token from the STS specified in the value for the <DiscoveryResponse><AuthenticationServiceUrl> element (section 3.1.4.1.3.2).

Note The enrollment client is agnostic to the protocol flows used to authenticate the user and return the security token. The STS might prompt for user credentials directly, or it might enter into a federation protocol with another STS and a directory service; MDE2 does not depend on any of this. To remain agnostic, all authentication protocol flows that involve the enrollment client are passive, that is, implemented in the browser.

The following are the explicit requirements for the STS.

The <DiscoveryResponse><AuthenticationServiceUrl> element (section 3.1.4.1.3.2) MUST support HTTPS.

The enrollment client issues an HTTPS request as follows.

 AuthenticationServiceUrl?appru=<appid>&login_hint=<User Principal Name>

<appid> is of the form ms-app://string

<User Principal Name> is the name of the enrolling user, for example, user@contoso.com. The value of this parameter serves as a hint that the STS can use as part of authentication.

After authentication is complete, the STS SHOULD return an HTML form document whose POST method action is the <appid> identified by the appru query string parameter. For example,

 HTTP/1.1 200 OK
 Content-Type: text/html; charset=UTF-8
 Vary: Accept-Encoding
 Content-Length: 556

 <!DOCTYPE html>
 <html>
   <head>
     <title>Working...</title>
     <script>
       // Submit the form as soon as the page loads, so the browser posts
       // wresult to the ms-app:// action without user interaction.
       function formSubmit() {
         document.forms[0].submit();
       }
       window.onload = formSubmit;
     </script>
   </head>
   <body>
     <form method="post" action="ms-app://windows.immersivecontrolpanel">
       <p><input type="hidden" name="wresult" value="token value"/></p>
       <input type="submit"/>
     </form>
   </body>
 </html>

The STS has to send the POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app), as indicated in the form's POST method action. The security token carried in wresult is later passed back in <wsse:BinarySecurityToken> (section 3.3). The string is opaque to the enrollment client; the client does not interpret it.
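The exchange above, worked through in code as an added example (this is not code from MS-MDE2 or from any Microsoft client): the enrollment-client side builds the AuthenticationServiceUrl request with appru and login_hint percent-encoded, the STS side recovers those parameters, and the client side then parses the returned HTML form, checks that its action is the ms-app URL it asked for in appru, and extracts wresult without interpreting it. The STS URL, app id, UPN and the sample HTML response are constructed placeholders that follow the shapes shown in this section.

```python
"""Added example for MS-MDE2 section 3.2 (not part of the specification):
build the STS request URL, then validate and parse the STS's HTML response.
All sample values below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (assumptions, not from a real deployment).
AUTH_SERVICE_URL = "https://sts.example.com/auth"       # AuthenticationServiceUrl
APP_ID = "ms-app://windows.immersivecontrolpanel"       # <appid>, sent as appru
UPN = "user@contoso.com"                                # login_hint

# Constructed STS response body in the shape the spec shows above.
SAMPLE_STS_RESPONSE = """<!DOCTYPE html>
<html><head><title>Working...</title>
<script>window.onload = function () { document.forms[0].submit(); };</script>
</head><body>
<form method="post" action="ms-app://windows.immersivecontrolpanel">
  <p><input type="hidden" name="wresult" value="token value"/></p>
  <input type="submit"/>
</form></body></html>"""


def build_sts_request_url(auth_url: str, appid: str, upn: str) -> str:
    """Client side: form AuthenticationServiceUrl?appru=<appid>&login_hint=<UPN>."""
    if urlsplit(auth_url).scheme != "https":
        raise ValueError("AuthenticationServiceUrl MUST use HTTPS")
    if not appid.startswith("ms-app://"):
        raise ValueError("appru must be of the form ms-app://string")
    # urlencode percent-encodes ':' '/' and '@' so the values survive the query string.
    return f"{auth_url}?{urlencode({'appru': appid, 'login_hint': upn})}"


def parse_sts_request(url: str) -> tuple:
    """STS side: recover appru and login_hint from the request's query string."""
    query = parse_qs(urlsplit(url).query)
    return query["appru"][0], query["login_hint"][0]


class _FormParser(HTMLParser):
    """Collect the first <form>'s action attribute and its hidden inputs."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = attrs.get("action")
            self._in_form = True
        elif tag == "input" and self._in_form and attrs.get("type") == "hidden":
            self.hidden[attrs.get("name")] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def extract_wresult(html: str, expected_appid: str) -> str:
    """Client side: return the opaque wresult value after checking that the
    form posts to the ms-app URL the client requested in appru."""
    parser = _FormParser()
    parser.feed(html)
    if parser.action is None:
        raise ValueError("STS response contains no form")
    if urlsplit(parser.action).scheme != "ms-app":
        raise ValueError(f"form action scheme is not ms-app: {parser.action}")
    if parser.action != expected_appid:
        raise ValueError(f"form action {parser.action!r} does not match appru {expected_appid!r}")
    if "wresult" not in parser.hidden:
        raise ValueError("form has no wresult field")
    # The token is opaque: it is handed on in <wsse:BinarySecurityToken> unmodified.
    return parser.hidden["wresult"]


if __name__ == "__main__":
    url = build_sts_request_url(AUTH_SERVICE_URL, APP_ID, UPN)
    print("client -> STS:", url)
    print("STS sees:", parse_sts_request(url))
    print("wresult:", extract_wresult(SAMPLE_STS_RESPONSE, APP_ID))
```

The action-versus-appru comparison is the check worth keeping in a real client: the page states that the form's action is the appid the client supplied, so a response whose form posts anywhere else can be rejected before the browser submits it.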