The wsignin1.0 request message is sent to the IP/STS to request that a security token be issued for a specific user to allow access to resources managed by the relying party. For normative descriptions and details on this request message, see [WSFederation1.2] section 13.2.2. This message consists of an HTTP GET with the following query string parameters, formatted as specified in [WSFederation1.2] sections 13.2.1 and 13.2.2:
wa: The value MUST be the literal string "wsignin1.0".
wtrealm: This parameter MUST be included in a request message to a different security realm from the relying party. If present, this value MUST be a URI that the requestor IP/STS and the relying party have agreed to use to identify the security realm of the relying party in messages to the requestor IP/STS.
wreply (optional): This parameter MAY be included in request messages to the same security realm as the relying party. If present, this value MUST be a URL to which responses MUST be directed. The requestor IP/STS MUST validate that this URL belongs to the relying party before directing responses to this URL. <11>
wctx (optional): This value is an opaque context that MAY be passed in the request by the relying party.<12>
wct (optional): This value is the current time at the relying party that MUST be the string encoding of time, using the XML schema <datetime> time with Coordinated Universal Time (UTC) notation.<13>
wauth (optional): This value is a URI that indicates the method of authentication wanted.<14>
whr (optional): This value is a URI that uniquely identifies the requestor IP/STS that SHOULD receive the wsignin1.0 request message.<15>
client-request-id (optional): This value is a string that is used to specify a request identifier that is used when logging events, including errors or failures that occur while processing the request.<16>
login_hint (optional): This value is a string that is used to provide a hint about the login identifier the end-user might use to log in. This value MAY be used to derive the IP/STS that SHOULD receive the wsignin1.0 request message.<17> Actual derivation is implementation specific.
username (optional): This value is a string that is used to provide a hint about the login identifier the end-user might use to log in. This value MAY be used to derive the IP/STS that SHOULD receive the wsignin1.0 request message.<18> Actual derivation is implementation specific.
domain_hint (optional): This value is a string that MAY be used to derive the IP/STS that SHOULD receive the wsignin1.0 request message.<19> Actual derivation is implementation specific.
prompt (optional): This query parameter is used in the same way as the prompt parameter defined in [OIDCCore] section 3.1.2.1, but the only accepted value for this parameter is "login".<20> Any other values are ignored. This parameter is used to interactively prompt the end-user for re-authentication. Error handling for this parameter follows the specification of section 3.1.5.2.
mfa_max_age (optional): This value is a string that is used to specify the allowable timespan, in seconds, within which the last multiple factor authentication of the user MUST have been performed by the IP/STS. The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_3 or higher ([MS-OAPX] section 3.2.1.1).<21> The IP/STS SHOULD have a setting that configures it to issue the claim "http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactorauthenticationinstant" in the security token to the relying party. The value of this claim SHOULD specify the time, in UTC, when the user last performed multiple factor authentication.
Note login_hint and username are aliases that signify the same query parameter and either of these query parameters can be used to provide a hint about the login identifier the end-user might use to log in.
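The following is an added example, not code from the MS-MWBF specification or from AD FS: a small validator that applies the parameter rules above as the requestor IP/STS would receive them, with the wreply check (the requester-chosen redirect target, so it MUST belong to the relying party) treated as the security-critical step. The relying-party registry, the fallback to a registered reply URL when wreply is absent, and the simplified wct format are assumptions.

```python
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed relying-party registration (assumption, not from the spec):
# realm URI -> URL prefixes that wreply is allowed to target.
RELYING_PARTIES = {"urn:federation:example-rp": ["https://rp.example.com/"]}

class SignInRequestError(ValueError):
    """Raised when a wsignin1.0 request violates a MUST in the passage."""

def parse_wsignin(url: str) -> dict:
    """Validate a wsignin1.0 request URL as the requestor IP/STS must;
    returns the accepted parameters or raises SignInRequestError."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in qs.items()}
    if params.get("wa") != "wsignin1.0":
        raise SignInRequestError("wa MUST be the literal string 'wsignin1.0'")
    realm = params.get("wtrealm")
    allowed = RELYING_PARTIES.get(realm)
    if allowed is None:
        raise SignInRequestError(f"unknown or missing wtrealm {realm!r}")
    # wreply is a redirect target chosen by the requester: the IP/STS MUST
    # confirm it belongs to the relying party before sending responses there.
    # A missing wreply falls back to the registered URL (assumed behaviour).
    wreply = params.get("wreply", allowed[0])
    if not any(wreply.startswith(prefix) for prefix in allowed):
        raise SignInRequestError("wreply does not belong to the relying party")
    # wct MUST be an XML schema dateTime in UTC ("Z" suffix); this simplified
    # check does not accept fractional seconds.
    wct = params.get("wct")
    if wct is not None:
        if not wct.endswith("Z"):
            raise SignInRequestError("wct MUST use UTC notation")
        datetime.strptime(wct, "%Y-%m-%dT%H:%M:%SZ")  # ValueError if malformed
    # prompt: only "login" forces re-authentication; any other value is ignored.
    force_reauth = params.get("prompt") == "login"
    # mfa_max_age is a timespan in seconds; login_hint and username are aliases.
    mfa = params.get("mfa_max_age")
    return {
        "wtrealm": realm, "wreply": wreply, "wctx": params.get("wctx"),
        "whr": params.get("whr"), "force_reauth": force_reauth,
        "mfa_max_age": int(mfa) if mfa is not None else None,
        "login_hint": params.get("login_hint", params.get("username")),
    }
```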