4.1.1 Annotated Example

The following is a protocol example for the Query String Response Transfer Protocol.

The Query String Response Transfer Protocol is best understood as occurring abstractly between an IP/STS and a relying party, because the changes to the Web Browser Federated Sign-On Protocol [MS-MWBF] are applied consistently whether between requestor IP/STS and resource IP/STS or between resource IP/STS and WS resource.

This annotated example shows a Query String Response Transfer Protocol exchange between a requestor IP/STS and a resource IP/STS. It is part of a larger network trace (see section 4.2) that also uses the Query String Response Transfer Protocol between the resource IP/STS and the WS resource.

The following table specifies the protocol roles of the hosts.

  Protocol role      Host name
  IP/STS             adatumsts-7
  Relying party      treysts-7

Each HTTP message is prefaced by an annotation that describes its recipient and purpose. This annotated example omits many elements of the HTTP messages. For example, implementation-specific cookies and superfluous HTTP headers are not included. The full messages are specified in section 4.1.2. The following parameters are specified in this document and appear in the HTTP messages that follow:

  • ttpindex

  • ttpsize

  • wresult

The following are the processing steps of this annotated example:

  1. Just prior to the example, the web browser requestor made a GET request to the relying party (treysts-7).

  2. The relying party returns an HTTP 302 message that specifies a wsignin1.0 request for the IP/STS. This wsignin1.0 request includes the ttpindex=0 parameter, which initiates the Query String Response Transfer Protocol (see section 3.2.5.1). At this time, the relying party's aggregated result is empty, as specified in section 3.2.5.1.1.

     HTTP/1.1 302 Found
     Location: 
     https://adatumsts-7/adfs/ls/?wa=wsignin1.0&
     wtrealm=urn%3afederation%3atrey+research&
     wct=2006-07-13T07%3a32%3a21Z&
     wctx=https%3a%2f%2ftreyws-test%2fclaims%2f%5chttps%3a%2f%
     2ftreyws-test%2fclaims%2fDefault.aspx&ttpindex=0
    
  3. The web browser requestor relays the wsignin1.0 request to the IP/STS (adatumsts-7) in an HTTP GET message.

     GET /adfs/ls/?wa=wsignin1.0&wtrealm=urn%3afederation
     %3atrey+research&wct=2006-07-13T07%3a32%3a21Z&wctx=https%
     3a%2f%2ftreyws-test%2fclaims%2f%5chttps%3a%2f%2ftreyws-test%
     2fclaims%2fDefault.aspx&ttpindex=0 HTTP/1.1
    
  4. The IP/STS engages in a series of messages outside the scope of the protocol whereby it ascertains the user identity. These messages are omitted, as they have no bearing on the Query String Response Transfer Protocol. For more details, see [MS-MWBF] section 3.1.5.4.3.

  5. Once the user's identity has been determined, the IP/STS creates an RSTR, as specified in [MS-MWBF] section 3.1.5.4.6. The RSTR is transformed into the pending result, and the first portion is returned in a wsignin1.0 response (as specified in section 3.1.5.1.4). In this message, the wresult parameter is the first 1,727 characters of the pending result. The ttpsize parameter indicates the length of the full pending result, 2,652.

     HTTP/1.1 302 Found
     Location: https://treysts-7/adfs/ls/?wa=wsignin1.0&
     ttpsize=2652&ttpindex=0&wctx=https%3a%2f%
     2ftreyws-test%2fclaims%2f%5chttps%3a%2f%2ftreyws-test%2fclaims%
     2fDefault.aspx&wresult=eNrNWFtzqsoS%
     2fiuW6zGVBYg3rCR1hquAaAA1yssphOEShVEGRPz1e9BoTNYt59R62D4NPW3311%
     2f3dDM8lDgfWHBXQJzb0CuyOK%2bmaA1TC%2bItSjFsHJJNigdE7bEZ5fl2QFHYi2Di
     4u9kByN3%2bx1lIVViqkXTHYpuUXlW4Lz59HBjGfofbD89YDfZDADGMMtjlDauK1V8
     bP436NAMGzD%2bvddps%2fftFuzd91ewc79iu5y7Yv1%2b4HeaDRXjAqopzt2UQCPOu
     %2fd0755hp3RvwLYGrZ7zppM9NossHQTQh5lbOxm4vpsXSbNhuK8om8MME
     %2bFjkyGCOP0oOAdfoz0bQS6O8SB1E4gHuTewgTEaMN
     %2fpgXsJoPkWm4BSP64FuDFGOQ8DlMFfoSQKk3SSgSCvsd7q9C86F8YKP4apB0ly8i
     z2avtXR59Unj7FnGewamQQQzfzogfqo%2b6n55%2bbpz4FdnHo7
     %2bPahOsHmOyidUyyEqChi6M3%2buqdM31J7GUIoyC%2fQdZ8UqK5vj2Kulay0tQy
     KoWL1HhnM8%2fS%2bvGB%2bondK94312%2fg8wimeeydrNq5m8OEPDc%2byv9QMB%
     2bVDZhHyP%2bxfD4oDco49VGJLzmyi9Ur9PK3pzEpFdWvtYMYZg0ZZYn7
     %2b5Pkbdw4wdTsedx8An4SpzFJhpuj7D%2fnsv3uoeQt%2fo%2fGL6xcAVC
     %2f4%2bXCWk4yvSpy%2bHnj3xPGR5yN66r%2b22NTStx4A3yflDZuftzEW9eDXwDZ
     %2fOxj7m4K%2bOT%2bHvUn7c%2fSP%2bEWUJKgtF7%2fXdQGQUwydKL87yBVMlRs
     %2fy5Iod4kCU7inID9d8ME222G9l9HSf3yXNlxmJIiyt5m6hVXWZbfS
     %2fYEh3QlmqI5iij4OA6%2fNc%2f%2fgn7d%2bp4eBDdFKTnJm
     %2fh406AaYBMiMlyj5BcmGYqha5P38ODde0w7%2fdZsUDd4vmjmA7IMu
     %2fc4cpmTJQsGMKsnR2NmqY%2fNb18b4U8P08xNMRmNCb5Z%2f284YLqHG7SF
     %2fj2%2bhHOC9HVzv2CHugUnxiGZif8PT1eOzibOVTPhN2GVHqWsG5S6BHgV4f3E
     0eycpcnEu9V8oK7ckvVtLVyzd1YUYTg1c1Gn%2fJ5011Fmx1mmaTOBae%2bMEojVHb
     %2bd96NDIjO9jLvrlopNJXwsPNN3kWwtuE2Vj4t90Zram4XtYg1Y2jTyLGrUFmYHmd
     V4WW87i6VIm9VO3UNaBPOiR5XrV0emvSA5kpm9SXZK7rXmHZ
     %2fGWXdBd5mpuJX07ZIqA4ru0lX%2fmI6gf4De4zmQG
     %2fAPOqzOUS06NCe6uXteCfVLVVCPLtLYVFVkREEAWRWCUuVBqOoKGyayCeqfdJiCMR
     %2bud9E6VriS5oE5k4EIHMPyStlcinPTFKWyM3OVTeXIfOSlVmeWcHtfBFAu6XL8C
     lhjqlbGFJSGOHZPsuNFJp1kBr88yCKw%2bXA854ExFVryermwmNViTHsVzRqqEhiA
     VgR7p9jqihVNqcYBQFsZA1HgY1PnQ1O0l7uE4uB4smhLvZZth3SxY7QX1thxeQF0p
     %2b9W%2bNmJNkfjZb%2fTGa7DDMWjyOeTmeZO7vb8EogLjTrK%2bZRq6weJ1WNn02
     k9F6RVHa3%2bWqcZXRkto8gHGZR5oZfYq4g72IsKhFxVavFycmf0Eas4dKvg9xCEc
     SIOh1rSDYWDpzG7tcUxxz7Q5WOpisAEPGqrPDoS7p1%2bKYaES4t%2bBuaQIsGJIJ
     yWhmTexqyJpcka4qzWVXX
    
  6. The web browser requestor relays the wsignin1.0 response to the relying party (treysts-7) in an HTTP GET message.

     GET /adfs/ls/?wa=wsignin1.0&
     ttpsize=2652&ttpindex=0&wctx=https%3a%2f%2ft
     reyws-test%2fclaims%2f%5chttps%3a%2f%2ftreyws-test%2fclaims
     %2fDefault.aspx&wresult=eNrNWFtzqsoS%2fiuW6zGVBYg3rCR1h
     quAaAA1yssphOEShVEGRPz1e9BoTNYt59R62D4NPW3311%2f3dDM8lDgfWHBXQJzb0
     CuyOK%2bmaA1TC%2bItSjFsHJJNigdE7bEZ5fl2QFHYi2Di4u9kByN3%2bx1lIVViq
     kXTHYpuUXlW4Lz59HBjGfofbD89YDfZDADGMMtjlDauK1V8bP436NAMGzD%2bvddps
     %2fftFuzd91ewc79iu5y7Yv1%2b4HeaDRXjAqopzt2UQCPOu%2fd0755hp3RvwLYGr
     Z7zppM9NossHQTQh5lbOxm4vpsXSbNhuK8om8MME%2bFjkyGCOP0oOAdfoz0bQS6O8
     SB1E4gHuTewgTEaMN%2fpgXsJoPkWm4BSP64FuDFGOQ8DlMFfoSQKk3SSgSCvsd7q9
     C86F8YKP4apB0ly8iz2avtXR59Unj7FnGewamQQQzfzogfqo%2b6n55%2bbpz4FdnH
     o7%2bPahOsHmOyidUyyEqChi6M3%2buqdM31J7GUIoyC%2fQdZ8UqK5vj2Kulay0tQ
     yKoWL1HhnM8%2fS%2bvGB%2bondK94312%2fg8wimeeydrNq5m8OEPDc%2byv9QMB%
     2bVDZhHyP%2bxfD4oDco49VGJLzmyi9Ur9PK3pzEpFdWvtYMYZg0ZZYn7%2b5Pkbdw
     4wdTsedx8An4SpzFJhpuj7D%2fnsv3uoeQt%2fo%2fGL6xcAVC%2f4
     %2bXCWk4yvSpy%2bHnj3xPGR5yN66r%2b22NTStx4A3yflDZuftzEW9eDXwDZ
     %2fOxj7m4K%2bOT%2bHvUn7c%2fSP%2bEWUJKgtF7%2fXdQGQUwydKL87yBVMlRs
     %2fy5Iod4kCU7inID9d8ME222G9l9HSf3yXNlxmJIiyt5m6hVXWZbfS
     %2fYEh3QlmqI5iij4OA6%2fNc%2f%2fgn7d%2bp4eBDdFKTnJm%2fh406AaYBMiMl
     yj5BcmGYqha5P38ODde0w7%2fdZsUDd4vmjmA7IMu%2fc4cpmTJQsGMKsnR2NmqY
     %2fNb18b4U8P08xNMRmNCb5Z%2f284YLqHG7SF%2fj2%2bhHOC9HVzv2CHugUnxi
     GZif8PT1eOzibOVTPhN2GVHqWsG5S6BHgV4f3E0eycpcnEu9V8oK7ckvVtLVyzd1
     YUYTg1c1Gn%2fJ5011Fmx1mmaTOBae%2bMEojVHb%2bd96NDIjO9jLvrlopNJXws
     PNN3kWwtuE2Vj4t90Zram4XtYg1Y2jTyLGrUFmYHmdV4WW87i6VIm9VO3UNaBPOi
     R5XrV0emvSA5kpm9SXZK7rXmHZ%2fGWXdBd5mpuJX07ZIqA4ru0lX%2fmI6gf4De
     4zmQG%2fAPOqzOUS06NCe6uXteCfVLVVCPLtLYVFVkREEAWRWCUuVBqOoKGyayCe
     qfdJiCMR%2bud9E6VriS5oE5k4EIHMPyStlcinPTFKWyM3OVTeXIfOSlVmeWcHtf
     BFAu6XL8ClhjqlbGFJSGOHZPsuNFJp1kBr88yCKw%2bXA854ExFVryermwmNViTH
     sVzRqqEhiAVgR7p9jqihVNqcYBQFsZA1HgY1PnQ1O0l7uE4uB4smhLvZZth3SxY7
     QX1thxeQF0p%2b9W%2bNmJNkfjZb%2fTGa7DDMWjyOeTmeZO7vb8EogLjTrK%2bZ
     Rq6weJ1WNn02k9F6RVHa3%2bWqcZXRkto8gHGZR5oZfYq4g72IsKhFxVavFycmf0E
     as4dKvg9xCEcSIOh1rSDYWDpzG7tcUxxz7Q5WOpisAEPGqrPDoS7p1%2bKYaES4t%
     2bBuaQIsGJIJyWhmTexqyJpcka4qzWVXX HTTP/1.1
    
  7. Because the relying party's aggregated result is empty, the wresult parameter becomes the aggregated result. Because the length of the wresult parameter was 1,727 characters, which is less than the length of the ttpsize parameter of 2,652 characters, the relying party needs to request more data from the IP/STS. It does this by sending an HTTP 302 with a wsignin1.0 request that includes the ttpindex=1727 parameter. For further specifications, see section 3.2.5.1.3.

     HTTP/1.1 302 Found
     Location: https://adatumsts-7/adfs/ls/?wa=wsignin1.0&wtrealm=urn
     %3afederation%3atrey+research&wct=2006-07-13T07%3a32%3a27Z&wctx=
     https%3a%2f%2ftreyws-test%2fclaims%2f%5chttps%3a%2f%2ftreyws-test
     %2fclaims%2fDefault.aspx&ttpindex=1727
    
  8. The web browser requestor relays the wsignin1.0 request to the IP/STS (adatumsts-7) in an HTTP GET message.

     GET /adfs/ls/?wa=wsignin1.0&wtrealm=urn%3afederation%3atrey+
     research&wct=2006-07-13T07%3a32%3a27Z&wctx=https%3a%2f%2ftreyws-
     test%2fclaims%2f%5chttps%3a%2f%2ftreyws-test%2fclaims%2fDefault.
     aspx&ttpindex=1727 HTTP/1.1
    
  9. The IP/STS returns the remaining 925 characters of the pending result, beginning with character 1,727. For further specifications, see section 3.1.5.1.3.

     HTTP/1.1 302 Found
     Location: https://treysts-7/adfs/ls/?wa=wsignin1.0&
     ttpsize=2652&ttpindex=1727&wctx=https%3a%2f
     %2ftreyws-test%2fclaims%2f%5chttps%3a%2f%2ftreyws-test%2fclaims
     %2fDefault.aspx&wresult=kqNHeG5OcCSAUgEHIEISLri
     GRPIJQBEM%2bnGViaAj8ERCSwkseRfLs13wPzbYkh%2bZs6Vn0YZP76zacMJF
     GrZbrVe%2fYXvUjtZTKE7YND8pSqH2XS543Z0Piuxye9155PixlBGZyO6WHThaJc9X
     t2NPJctVWbL2TsZNZOTdPugEvtcupyOtIikMLOZI7tGhPRPtRa7wh9RP5CwuNEqvwq
     s7ritXKUcJsl6y291pc4gtE1qL3Zmte%2bdK88BIOrwTux%2fojel5SlqGDCC9Yqeu
     WLyWeV5UxqSfdkNR3%2bREI0auD%2fKFVTuL%2bflnbVmTGV8LPfl6dhUYvF3PalX
     %2fhMzVLC7xzZABdmSjOdqXMuqOK8xbKe4wL6bSWV6m2XykH791vFMyVaOsllrkk
     %2fuCc7LNmQTigP58D%2fnQOyLk1eXYX3x3GU8rrUsn84LO%2bcGRAtt4eNHY1VD
     NEDcGhl%2fYOCujud%2fup3%2bZefDPvB3s9lIYB7%2b3VXuK%2bwLyUR23Le07Y
     WTLP1Dl1p62FeOiHAQuF53jLdrGTc%2b3jPFPkwJFdrk%2b9HlC7ZNDdiyLPcivf
     SV2bCmN6ZEmxMRJ0z3KS6G426mlDqL0MYcV1WJ3zzJHR8pWVozlral0wbkuYqT0l
     eD60fT1hBCVdIcNL1mwcRIKRIAu9QjsGoiff4T63Xg3zIFiq6rSQ%2fRVr29y6LF
     oyBn2NHQ6T1oTaG%2f1lJe46h3nqJM8dbElFMpNTRKW7SYduLSjlaHXZKO2mO
     %2fTykrVn3ny93nGygPpVKClJt3qFQfFAfe6YZ8m5m1LXDvvee6%2fvKpfLKxH8
     7tJe4u2AtJhNDPEUXb8LbL%2fwXaBdT8Qt2sRedfow4A6k1N%2biOM3f3xwu9ty
     v2euTi%2bHppT9Owzebb7eAP9x8bzXPTz9gOclvYv3Iy08%2fkzz9A6cx%2fkw
     %3d
    
  10. The web browser requestor relays the wsignin1.0 response to the relying party (treysts-7) in an HTTP GET message.

     GET /adfs/ls/?wa=wsignin1.0&
     ttpsize=2652&ttpindex=1727
     &wctx=https%3a%2f%2ftreyws-test%2fclaims%2f%5chttps%3a
     %2f%2ftreyws-test%2fclaims%2fDefault.aspx&
     wresult=kqNHeG5OcCSAUgEHIEISLriGRPIJQBEM
     %2bnGViaAj8ERCSwkseRfLs13wPzbYkh%2bZs6Vn0YZP76zacMJFGrZbrVe
     %2fYXvUjtZTKE7YND8pSqH2XS543Z0Piuxye9155PixlBGZyO6WHThaJc9Xt2NP
     JctVWbL2TsZNZOTdPugEvtcupyOtIikMLOZI7tGhPRPtRa7wh9RP5CwuNEqvwqs
     7ritXKUcJsl6y291pc4gtE1qL3Zmte%2bdK88BIOrwTux%2fojel5SlqGDCC9Y
     qeuWLyWeV5UxqSfdkNR3%2bREI0auD%2fKFVTuL%2bflnbVmTGV8LPfl6dhUYvF
     3PalX%2fhMzVLC7xzZABdmSjOdqXMuqOK8xbKe4wL6bSWV6m2XykH791vFMyVaO
     sllrkk%2fuCc7LNmQTigP58D%2fnQOyLk1eXYX3x3GU8rrUsn84LO%2bcGRAtt4
     eNHY1VDNEDcGhl%2fYOCujud%2fup3%2bZefDPvB3s9lIYB7%2b3VXuK%2bwLyU
     R23Le07YWTLP1Dl1p62FeOiHAQuF53jLdrGTc%2b3jPFPkwJFdrk%2b9HlC7ZND
     diyLPcivfSV2bCmN6ZEmxMRJ0z3KS6G426mlDqL0MYcV1WJ3zzJHR8pWVozlral
     0wbkuYqT0leD60fT1hBCVdIcNL1mwcRIKRIAu9QjsGoiff4T63Xg3zIFiq6rSQ
     %2fRVr29y6LFoyBn2NHQ6T1oTaG%2f1lJe46h3nqJM8dbElFMpNTRKW7SYduLS
     jlaHXZKO2mO%2fTykrVn3ny93nGygPpVKClJt3qFQfFAfe6YZ8m5m1LXDvvee6
     %2fvKpfLKxH87tJe4u2AtJhNDPEUXb8LbL%2fwXaBdT8Qt2sRedfow4A6k1N
     %2biOM3f3xwu9tyv2euTi%2bHppT9Owzebb7eAP9x8bzXPTz9gOclvYv3Iy08
     %2fkzz9A6cx%2fkw%3d HTTP/1.1
    
  11. The relying party appends the wresult parameter to the aggregated result. The new aggregated result is 2,652 characters long, which indicates the completion of the Query String Response Transfer Protocol (see section 4.1). The relying party extracts the RSTR from the aggregated result (as specified in section 3.2.5.1.4) and processes it as specified in [MS-MWBF] section 3.3.5.2. The relying party's next action is outside the scope of the protocol, though in this case the relying party, which was a resource IP/STS, issued a new SAML assertion and used the Query String Response Transfer Protocol to transmit it to a WS resource.
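The aggregation loop of steps 5 to 11, written out as an added example that is not code from this specification or from any ADFS implementation. It assumes a constructed 2,652-character pending result, a hypothetical per-response limit of 1,727 characters (so the portions match the trace), and a hypothetical upper bound on ttpsize that the relying party is willing to buffer; the function and class names are illustrative.

```python
# Constructed pending result sized like the trace in section 4.1.1 (2,652
# characters); CHUNK is the assumed per-response limit that yields the
# 1,727-character first portion seen there.
PENDING_RESULT = "".join(chr(ord("A") + i % 26) for i in range(2652))
CHUNK = 1727


def sts_response(pending: str, ttpindex: int, chunk: int = CHUNK) -> dict:
    """IP/STS side (section 3.1.5.1.3): wsignin1.0 response parameters
    carrying the portion of the pending result that starts at ttpindex."""
    if not 0 <= ttpindex < len(pending):
        raise ValueError("ttpindex outside the pending result")
    return {"wa": "wsignin1.0", "ttpsize": str(len(pending)),
            "ttpindex": str(ttpindex),
            "wresult": pending[ttpindex:ttpindex + chunk]}


class RelyingParty:
    """Relying-party side (section 3.2.5.1): aggregate wresult portions."""
    def __init__(self, max_size: int = 64 * 1024):
        self.aggregated, self.ttpsize = "", None
        self.max_size = max_size  # assumed cap: no unbounded buffering

    def receive(self, params: dict):
        """Return ("more", next ttpindex) or ("done", RSTR), rejecting
        inconsistent ttpsize/ttpindex values instead of splicing blindly."""
        ttpsize, ttpindex = int(params["ttpsize"]), int(params["ttpindex"])
        wresult = params["wresult"]
        if ttpsize > self.max_size:
            raise ValueError("ttpsize exceeds accepted maximum")
        if self.ttpsize is not None and ttpsize != self.ttpsize:
            raise ValueError("ttpsize changed between responses")
        if ttpindex != len(self.aggregated):
            raise ValueError("ttpindex does not match aggregated length")
        if len(self.aggregated) + len(wresult) > ttpsize:
            raise ValueError("portion overruns ttpsize")
        self.ttpsize = ttpsize
        self.aggregated += wresult
        if len(self.aggregated) == ttpsize:
            rstr, self.aggregated, self.ttpsize = self.aggregated, "", None
            return ("done", rstr)
        return ("more", len(self.aggregated))


def run_exchange(pending: str = PENDING_RESULT, chunk: int = CHUNK):
    """Drive the steps 5 to 11 loop; returns (RSTR, ttpindex values sent)."""
    rp, indexes, ttpindex = RelyingParty(), [], 0
    while True:
        indexes.append(ttpindex)
        state, value = rp.receive(sts_response(pending, ttpindex, chunk))
        if state == "done":
            return value, indexes
        ttpindex = value
```

With these sizes the relying party sends ttpindex=0 and then ttpindex=1727, receiving 1,727 and 925 characters, exactly as in the trace; a repeated or out-of-order portion is refused rather than appended.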