Security Token Service Endpoint
Clients can request security tokens from the Security Token Service (STS) endpoint of FIM. The STS endpoint will challenge the user of the client application to confirm his or her identity. If the user provides satisfactory responses to all the challenges, then the STS will issue a security token to the client. That token can then be included in requests to the other endpoints of FIM to prove that the user of the client application has successfully responded to a certain series of challenges to confirm his or identity.
The STS endpoint of FIM implements mechanisms defined by the WS-Trust specification for requesting security tokens, issuing challenges to confirm a user's identity, and providing responses to those challenges. Specifically, a client can request a security token from the STS endpoint by sending the RequestSecurityToken (RST) element defined by the WS-Trust specification as input to the RST/Issue operation that is defined by that specification and implemented by the STS endpoint. In so doing, the client is expected to provide User Name security tokens as defined in the SOAP Message Security 1.1 specification.
The Password element of that User Name security token may have a value. Regardless, to challenge the user of the client application for additional confirmation of identity than is provided by the User Name token, the STS endpoint responds with the WS-Trust RequestSecurityTokenResponse (RSTR) element. The client application conveys the user's responses to such challenges by invoking the RSTR/Issue operation with a WS-Trust RequestSecurityTokenResponse element. The service may respond with additional challenges for confirmation of the user's identity, or, client's requirements for confirming the user's identity have been met, the STS will provide the security token to the client in a RequestSecurityTokenResponse element.
The behavior of the STS endpoint is illustrated here.
.gif "6dfb6654-43bb-4d7d-ab00-2b87239acc24")
API
Clients can request security tokens from the STS endpoint of FIM by invoking its RST/Issue operation.
RST/Issue Operation
Signature
Refer to section 6 of the WS-Trust specification.
Parameters
Action Header
The value of the Action Header should be https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue, as specified in Section 6 of the WS-Trust specification.
Security Header
Invocations of the RST/Issue operation of the STS endpoint must incorporate the Security header defined in the SOAP Message Security 1.1 specification and a User Name security token.
RequestSecurityToken Element
According to the WS-Trust specification, a request for a security token takes the form of the RequestSecurityToken element of the https://schemas.xmlsoap.org/ws/2005/02/trust namespace, which the specification defines. That element has several sub-elements. According to the WS-Trust specification, only one of those sub-elements, the RequestType sub-element, must always be present. It is left to implementers of the WS-Trust specification to decide whether the other sub-elements are required. For requests to the STS endpoint of the FIM Service, the required sub-elements of the RequestSecurityToken element are listed in the following table, together with definitions of the valid values for each sub-element.
Required RequestSecurityToken Sub-Elements
| Sub-Element | Meaning | Valid Values |
|---|---|---|
RequestType |
The nature of the request. |
|
AppliesTo |
The purpose for which the requested security token is required. |
A WS-Addressing Endpoint Reference element identifying the Web service endpoint at which the requested security token will be used. |
Entropy |
Entropy that will be used in creating the key to be incorporated in the requested security token. |
A WS-Trust BinarySecret element, with the Type attribute value |
The optional sub-elements of the RequestSecurityToken element are shown in the following table, together with definitions of the valid values for each sub-element.
Optional RequestSecurityToken Sub-Elements
| Sub-Element | Meaning | Valid Values |
|---|---|---|
KeyType |
The type of key to be incorporated in the requested security token. |
|
KeySize |
The size of the key to be incorporated in the requested security token, specified in number of bits. |
|
CanonicalizationAlgorithm |
The canonicalization method that will be used in the returned token. |
|
EncyrptionAlgorithm |
The encryption algorithm that will be used in the returned token. |
|
EncryptWith |
The encryption algorithm that will be used in requests incorporating the issued security token. |
|
SignWith |
The signature algorithm that will be used in requests incorporating the issued security token. |
|
ComputedKeyAlgorithm |
The algorithm to use in computed keys incorporated in the issued security token. |
|
Example
The following SOAP message is an example of a request for a security token to the STS endpoint of FIM.
Sample request for a security token context
<s:Envelope
xmlns:s=‘http://www.w3.org/2003/05/soap-envelope'
xmlns:wsa=‘https://schemas.xmlsoap.org/ws/2004/08/addressing'
xmlns:wst=‘https://schemas.xmlsoap.org/ws/2005/02/trust'
xmlns:wsse='https://schemas.xmlsoap.org/ws/2002/04/secext'
xmlns:wssu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
…
<s:Header>
…
<wsa:Action>
https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
</wsa:Action>
…
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>ssmith</wsse:Username>
</wsse:UsernameToken>
</wsse:Security>
…
</s:Header>
<s:Body>
<wst:RequestType>
https://schemas.xmlsoap.org/ws/2005/02/trust/Issue
</wst:RequestType>
<wst:AppliesTo>
<wsa:EndpointReference>
<wsa:Address>
http://www.woodgrove.com:5725/IdentityManagementService/Resource
</wsa:Address>
</wsa:EndpointReference>
</wst:AppliesTo>
<wst:Entropy>
<wst:BinarySecret
wssu:Id='uuid-8f817169-b97b-49a0-9ce9-bf2448b16260-14'
Type='https://schemas.xmlsoap.org/ws/2005/02/trust/Nonce>
jFF5uK5ZhZfBqA/XaIAO7y6hFHkugnM5N4W3Otdc+t0=
</wst:BinarySecret>
</wst:Entropy>
</s:Body>
</s:Envelope>
Return Values
Action Header
The value of the Action Header must be https://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue, as specified in Section 6 of the WS-Trust specification.
Context Header
Responses to invocations of the operations of the STS endpoint of FIM may incorporate the Context Header. Any Context header incorporated in the header of the response to the RST/Issue operation must be included in the headers of subsequent requests in the same session.
Request Security Token Response Element
Section 10 of the WS-Trust specification defines a mechanism by which an STS may challenge a client for information to authenticate a user's identity. The STS endpoint of FIM may use that mechanism to obtain the proof of the user's identity that it requires before issuing any security context token that a client may request on a user's behalf.
Specifically, if the STS endpoint requires additional information to authenticate a user's identity, then it will respond to a RequestSecurityTokenRequest message by using a RequestSecurityTokenResponse message as defined by the WS-Trust specification. That message will incorporate a RequestSecurityTokenResponse element that may include an authentication challenge. How the authentication challenge is structured is left to the implementer of the WS-Trust specification to define.
Challenges Incorporated within RequestSecurityTokenResponse elements returned by the STS endpoint of FIM will take the form defined by the Challenge schema in the following example. Important elements of that schema are explained in the subsequent table.
Challenge Schema
<?xml version=‘1.0' encoding=‘utf-8'?>
<xs:schema
elementFormDefault=‘qualified'
targetNamespace=‘https://schemas.microsoft.com/2006/11/IdentityManagement'
xmlns:xs=‘http://www.w3.org/2001/XMLSchema'
xmlns:wsa=https://schemas.xmlsoap.org/ws/2004/08/addressing
xmlns:rm=‘https://schemas.microsoft.com/2006/11/ResourceManagement'>
<xs:import
namespace=‘https://schemas.xmlsoap.org/ws/2004/08/addressing'/>
<xs:complexType name=‘AuthenticationChallengeType'>
<xs:sequence>
<xs:element
name=‘Challenge'
nillable=‘true'
minOccurs=‘0'>
<xs:complexType>
<xs:sequence>
<xs:any
minOccurs=‘0'
processContents=‘lax' />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:element
name=‘AuthenticationChallenge'
nillable=‘true'
type=‘rm:AuthenticationChallengeType' />
</xs:schema>
Challenge Schema
| Element | Description |
|---|---|
Challenge |
Provides the client application with the information that it needs to challenge the user to provide the required authentication data. |
AuthenticationChallenge |
Wrapper |
Example
The following SOAP message shows a hypothetical response from the STS endpoint requesting additional information to confirm the user's identity. Elements specific to the FIM implementation are in bold. Elements that are not constrained by this specification are indicated with ellipses.
The following XML example shows a hypothetical response to a request for a security context token requesting additional authentication information.
Response to a request for a security context token
<s:Envelope
xmlns:s=‘http://www.w3.org/2003/05/soap-envelope'
xmlns:wsa=‘https://schemas.xmlsoap.org/ws/2004/08/addressing'
xmlns:wst=‘https://schemas.xmlsoap.org/ws/2005/02/trust'
xmlns:wsu=‘https://schemas.xmlsoap.org/ws/2002/07/utility'
xmlns:wsc=‘https://schemas.microsoft.com/ws/2006/05/context' xmlns:rm=‘https://schemas.microsoft.com/2006/11/ResourceManagement' >
<s:Header>
<wsa:To>
http://www.woodgrove.com/sender
</wsa:To>
<wsa:Action>
https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
</wsa:Action>
<wsa:MessageID>
uuid:0000010e-0000-0000-C000-000000000048
</wsa:MessageID>
<wsa:RelatesTo>
uuid:00000000-0000-0000-C000-000000000048
</wsa:RelatesTo>
<wsc:Context> <wsc:InstanceId>19bc8ea5-27f8-4136-97a2-3699697fd271</wsc:InstanceId> </wsc:Context>
</s:Header>
<s:Body>
<wst:RequestSecurityTokenResponse>
<rm:AuthenticationChallenge> <rm:Challenge> … </rm:Challenge> </rm:AuthenticationChallenge>
</wst:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
RSTR/Issue Operation
Clients can respond to authentication challenges issued by the STS endpoint in response to requests for security tokens by providing the requested authentication data as input to the endpoints RSTR/Issue operation.
Parameters
Action Header
The value of the Action Header must be https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue, specified in Section 6 of the WS-Trust specification.
Context Header
If the response to a request for a security token from the STS endpoint of FIM incorporated the Context Header, then responses to authentication challenges sent by way of the RSTR/Issue operation must include that Context header.
Request Security Token Response Element
Section 10 of the WS-Trust specification says that the client defines a mechanism by which an STS may challenge a client for information to authenticate a user's identity. The STS endpoint of FIM may use that mechanism to obtain the proof of the user's identity that it requires before issuing any security context token that a client may request on a user's behalf.
Section 10 of the WS-Trust specification says that a client can respond to an authentication challenge from an STS by incorporating the requested authentication information in a RequestSecurityTokenResponse element. How the information is to be structured within that element is left to the implementer of the WS-Trust specification to define. Clients of the FIM Service STS endpoint must structure their responses to authentication challenges in compliance with the Challenge Response schema listed in the following example. Important elements of that schema are explained in the subsequent table.
Challenge Response Schema
<?xml version=‘1.0' encoding=‘utf-8'?>
<xs:schema
elementFormDefault=‘qualified'
targetNamespace=‘https://schemas.microsoft.com/2006/11/IdentityManagement'
xmlns:xs=‘http://www.w3.org/2001/XMLSchema'
xmlns:wsa=https://schemas.xmlsoap.org/ws/2004/08/addressing
xmlns:rm=‘https://schemas.microsoft.com/2006/11/ResourceManagement'>
<xs:import
namespace=‘https://schemas.xmlsoap.org/ws/2004/08/addressing'/>
<xs:complexType name=‘AuthenticationChallengeResponseType'>
<xs:sequence>
<xs:element
name=‘Response'
nillable=‘true'
minOccurs=‘0'>
<xs:complexType>
<xs:sequence>
<xs:any
minOccurs=‘0'
processContents=‘lax' />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:element
name=‘AuthenticationChallengeResponse'
nillable=‘true'
type=‘rm:AuthenticationChallengeResponseType' />
</xs:schema>
Challenge Response Schema Elements
| Element | Description |
|---|---|
Response |
Provides the STS with the authentication information demanded from the client application. |
AuthenticationChallengeResponse |
Wrapper |
Example
The following SOAP example shows how a client that has requested a security context token from the STS endpoint may respond to a request from the service for additional information to authenticate the user. Elements that are highlighted are specific to the FIM Service implementation. Elements that are not constrained by this specification are indicated with ellipses.
Hypothetical response to a request from the STS endpoint for additional authentication information
<s:Envelope
xmlns:s=‘http://www.w3.org/2003/05/soap-envelope'
xmlns:wsa=‘https://schemas.xmlsoap.org/ws/2004/08/addressing'
xmlns:wst=‘https://schemas.xmlsoap.org/ws/2005/02/trust'
xmlns:wsu=‘https://schemas.xmlsoap.org/ws/2002/07/utility'
xmlns:wsc=‘https://schemas.microsoft.com/ws/2006/05/context' xmlns:rm=‘https://schemas.microsoft.com/2006/11/ResourceManagement' >
<s:Header>
<wsa:To>
http://www.woodgrove.com:5726/IdentityManagementService/SecurityTokenService
</wsa:To>
<wsa:Action>
https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
</wsa:Action>
<wsa:MessageID>
uuid:0000010e-0000-0000-C000-000000000048
</wsa:MessageID>
<wsa:RelatesTo>
uuid:00000000-0000-0000-C000-000000000048
</wsa:RelatesTo>
<wsc:Context> <wsc:InstanceId>19bc8ea5-27f8-4136-97a2-3699697fd271</wsc:InstanceId> </wsc:Context>
</s:Header>
<s:Body>
<wst:RequestSecurityTokenResponse>
<rm:AuthenticationChallengeResponse> … </rm:AuthenticationChallengeResponse>
</wst:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
Return Values
Action Header
The value of the Action header must be https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue, specified in Section 6 of the WS-Trust specification.
Context Header
Any Context Header incorporated in the header of the response to the RSTR/Issue operation must be included in the headers of subsequent requests in the same session.
Request Security Token Response Element
If the STS endpoint requires additional confirmation of the user's identity, then its response will incorporate an authentication challenge, structured in compliance with the Challenge schema listed earlier. Otherwise, the STS endpoint will provide a RequestSecurityTokenResponse element incorporating the requested security token, as shown in the following example.
Hypothetical response to a request for a security context token, providing the requested token
<s:Envelope
xmlns:s=‘http://www.w3.org/2003/05/soap-envelope'
xmlns:wsa=‘https://schemas.xmlsoap.org/ws/2004/08/addressing'
xmlns:wst=‘https://schemas.xmlsoap.org/ws/2005/02/trust'
xmlns:wsu=‘https://schemas.xmlsoap.org/ws/2002/07/utility'
xmlns:xenc=‘http://www.w3.org/2001/04/xmlenc'
xmlns:dsig='http://www.w3.org/2000/09/xmldsig'
xmlns:secxt='http://docs.oasis-openorg/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
xmlns:secu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
…
xmlns:rm=‘https://schemas.microsoft.com/2006/11/ResourceManagement' >
<s:Header>
…
<wsa:Action>
https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
</wsa:Action>
…
</s:Header>
<s:Body>
<wst:RequestSecurityTokenResponse>
<wst:TokenType>
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
</wst:TokenType>
<wst:RequestedSecurityToken>
<saml:Assertion
MajorVersion=‘1'
MinorVersion=‘1'
AssertionID=‘_839c3252-a17c-4ada-9a7e-563e2792674b'
Issuer=‘Woodgrove'
IssueInstant=‘2007-03-10T19:34:16.654Z' xmlns:saml=‘urn:oasis:names:tc:SAML:1.0:assertion'>
…
</saml:Assertion>
</wst:RequestedSecurityToken>
<wst:RequestedAttachedReference>
<secxt:SecurityTokenReference>
<secxt:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID'>
_839c3252-a17c-4ada-9a7e-563e2792674b
</secxt:KeyIdentifier>
</secxt:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<secxt:SecurityTokenReference>
<secxt:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID'>
_839c3252-a17c-4ada-9a7e-563e2792674b
</secxt:KeyIdentifier>
</secxt:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wst:RequestedProofToken>
<wst:ComputedKey>
https://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
</ComputedKey>
</wst:RequestedProofToken>
<wst:Entropy>
<wst:BinarySecret
secu:Id='uuid-72856c87-f49d-4ef0-86fe-f4b5affbbcc6-10>
U7Qs2MTieDz4e0lYMlwzzyF8JbcXI7nPNh22A2/hsfY=
</wst:BinarySecret>
</wst:Entropy>
</wst:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
The sub-elements of the RequestSecurityTokenResponse element by which the security token will be conveyed are defined by the WS-Trust specification. Clarifications of those elements are included in the following table.
Sub-elements of a Request Security Token Response Element Incorporating a Security Token
| Sub-Element | Meaning | Expected Values |
|---|---|---|
TokenType |
The type of the security token. |
|
RequestedSecurityToken |
Wrapper that contains the requested security token. |
A SAML 1.1 token as defined by the SAML 1.1 specification. |
RequestedAttached Reference |
Indicates how the client may refer to the security token when the client incorporates it in a message. |
A SecurityReferenceToken element, as defined by the SOAP Message Security 1.1 specification that contains a KeyIdentifier element as defined by the same specification. The KeyIdentifier element will have a ValueType attribute value of |
RequestedUnattached Reference |
Indicates how to reference the token when it is not included in a message. |
The same value as the RequestedAttachedReference sub-element. |
RequestedProofToken |
The proof-of-possession token associated with the requested security token. |
A WS-Trust ComputedKey element that has the value |
Entropy |
Entropy that will be used in creating the key from the requested security token. |
A WS-Trust BinarySecret element that has an ID attribute and incorporates a base64-encoded key represented as binary octets. |
The security tokens issued by the STS endpoint of the FIM Service are the SAML 1.1 tokens defined by the SAML 1.1 specification. A sample is shown in the following example. Expected values for the various nodes of the tokens issued by the STS endpoint are provided in the subsequent table.
Sample SAML 1.1 Token Issued by the STS Endpoint
<saml:Assertion
MajorVersion=‘1'
MinorVersion=‘1'
AssertionID=‘_839c3252-a17c-4ada-9a7e-563e2792674b'
Issuer=‘Woodgrove'
IssueInstant=‘2007-03-10T19:34:16.654Z'
xmlns:saml=‘urn:oasis:names:tc:SAML:1.0:assertion'
xmlns:wsa=‘https://schemas.xmlsoap.org/ws/2004/08/addressing'
xmlns:wst=‘https://schemas.xmlsoap.org/ws/2005/02/trust'
xmlns:wsu=‘https://schemas.xmlsoap.org/ws/2002/07/utility'
xmlns:xenc=‘http://www.w3.org/2001/04/xmlenc'
xmlns:dsig='http://www.w3.org/2000/09/xmldsig'
xmlns:secxt='http://docs.oasis-openorg/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
xmlns:secu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<saml:Conditions
NotBefore=‘2007-03-10T19:29:16.654Z'
NotOnOrAfter=‘2007-03-11T05:34:16.654Z'>
</saml:Conditions>
<saml:Advice/>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<dsig:KeyInfo>
<xenc:EncryptedKey>
…
</xenc:EncryptedKey>
</dsig:KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute
AttributeName='…'
AttributeNamespace='…'>
<saml:AttributeValue>
…
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<dsig:Signature>
…
<dsig:Signature>
</saml:Assertion>
Nodes of a SAML 1.1 Token Issued by FIM Service STS Endpoint
| Node | Meaning | Expected Values |
|---|---|---|
Conditions |
Constrain the validity of the assertions in the token. |
A NotBefore attribute value giving the time when the token was issued. A NotOnOrAfter attribute value giving a time that is a configurable period of time after the token was issued. By default, the value of the NotOnOrAfter value is 5 minutes after the time given b the NotBefore attribute value. |
Advice |
Information provided by the STS endpoint. |
Any valid value allowed by the SAML 1.1 specification. |
AttributeStatement |
A statement by the STS about attributes that apply to the user of the client application to which the token is issued. |
A SAML Subject element, as defined by the SAML 1.1 specification, by which the user to whom the token was issued may be identified. Zero or more SAML Attribute elements, as defined by the SAML 1.1 specification, with claims that the STS asserts to be true of the subject identified by the Subject element. |
Subject |
Indicates how the user to whom the token was issued may be identified. |
A SAML SubjectConfirmation element, as defined by the SAML 1.1 specification, by which the use to whom the token was issued may be authenticated. |
SubjectConfirmation |
Provides information by which the user to whom the token was issued may be identified. |
A SAML ConfirmationMethod element, as defined by the SAML 1.1 specification, with the value, urn:oasis:names:tc:SAML:1.0:cm:holder-of-key. That value is defined in the SAML 1.1 bindings and signifies that the user to whom the token was issued can be authenticated by his or her possession of a key. A KeyInfo element as defined by the SOAP Message Security 1.1 specification, with information about the key by which the user to whom the token was issued can be authenticated. |
Attribute |
Attributes that the STS endpoint claims apply to the user to whom the token was issued |
The content of any SAML Attribute elements in the SAML token are not constrained by the specification of the FIM Service STS endpoint. However, they are constrained by applications of that endpoint. See Message-Specific Authentication. |
Signature |
Enveloped digital signature of the SAML Assertion element. |
A Signature element as defined by the SOAP Message Security 1.1 specification. |
A sample response from the STS endpoint issuing a requested security token is given here.
Hypothetical response to a request for a security context token, providing the requested token
<s:Envelope
xmlns:s=‘http://www.w3.org/2003/05/soap-envelope'
xmlns:wsa=‘https://schemas.xmlsoap.org/ws/2004/08/addressing'
xmlns:wst=‘https://schemas.xmlsoap.org/ws/2005/02/trust'
xmlns:wsu=‘https://schemas.xmlsoap.org/ws/2002/07/utility'
xmlns:xenc=‘http://www.w3.org/2001/04/xmlenc'
xmlns:dsig='http://www.w3.org/2000/09/xmldsig'
xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion'
xmlns:secxt='http://docs.oasis-openorg/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
xmlns:secu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
xmlns:wsc=‘https://schemas.microsoft.com/ws/2006/05/context'
xmlns:rm=‘https://schemas.microsoft.com/2006/11/ResourceManagement' >
<s:Header>
<wsa:To>
http://www.woodgrove.com/sender
</wsa:To>
<wsa:Action>
https://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
</wsa:Action>
<wsa:MessageID>
uuid:0000010e-0000-0000-C000-000000000048
</wsa:MessageID>
<wsa:RelatesTo>
uuid:00000000-0000-0000-C000-000000000048
</wsa:RelatesTo>
<wsc:Context>
<wsc:InstanceId>19bc8ea5-27f8-4136-97a2-3699697fd271</wsc:InstanceId>
</wsc:Context>
</s:Header>
<s:Body>
<wst:RequestSecurityTokenResponse>
<wst:TokenType>
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
</wst:TokenType>
<wst:RequestedSecurityToken>
<saml:Assertion
MajorVersion=‘1'
MinorVersion=‘1'
AssertionID=‘_839c3252-a17c-4ada-9a7e-563e2792674b'
Issuer=‘Woodgrove'
IssueInstant=‘2007-03-10T19:34:16.654Z'>
<saml:Conditions
NotBefore=‘2007-03-10T19:29:16.654Z'
NotOnOrAfter=‘2007-03-11T05:34:16.654Z'>
</saml:Conditions>
<saml:Advice/>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
</saml:ConfirmationMethod>
<dsig:KeyInfo>
<xenc:EncryptedKey>
<xenc:EncryptionMethod
Algorithm=‘http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p'>
<dsig:DigestMethod
Algorithm=‘http://www.w3.org/2000/09/xmldsig#sha1'>
</dsig:DigestMethod>
</xenc:EncryptionMethod>
<sdsig:KeyInfo>
<secxt:SecurityTokenReference>
<secxt:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1'>
hMvIhAF+Ptszt/a/Yh72b5Ay8vA=
</secxt:KeyIdentifier>
</secxt:SecurityTokenReference>
</sdsigKeyInfo>
<xenc:CipherData>
<xenc:CipherValue> sWxsecx/N+sBeUm+L2hj2MOwXOu9ZsdmhqygJkZwwFjVcynHhqpCp2Y1DIZysc+BlbYBVnwHHGWG8EsP4f6HyuEAvCkTyf+4ZasQ/YZTn7eGgjCSFvu5hpuWfEIx3Ydgdbu68ThNcMM3u15D/KNqwhxGsk5gU5aCKwelgMBT4=
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</dsig:KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute
AttributeName='authenticationProcess'
AttributeNamespace='https://schemas.microsoft.com/2006/11/IdentityManagement'>
<saml:AttributeValue Type='rm:GUID'>
11111111-1111-1111-1111-111111111111
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<dsig:Signature>
<dsig:SignedInfo>
<dsig:CanonicalizationMethod
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'>
</dsig:CanonicalizationMethod>
<dsig:SignatureMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'>
</dsig:SignatureMethod>
<dsig:Reference
URI='#_839c3252-a17c-4ada-9a7e-563e2792674b'>
<dsig:Transforms>
< dsig:Transform
Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'>
</dsig:Transform>
< dsig:Transform
Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'
</dsig:Transform>
</ dsig:Transforms>
< dsig:DigestMethod
Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'>
</ dsig:DigestMethod>
<dsig:DigestValue>
hoBl5Sjg/LxjMHjgr3DjJ5i6AKE=
</dsig:DigestValue>
</ dsig:Reference>
</ dsig:SignedInfo>
<dsig:SignatureValue>
SGCWX41FTM5/g+OvUKR1uJWfdaf1micKAScX6tSMBkzPwBzBZv+m
qAYETPlmAamvlGxLb2lITPovjpAR9Zt3T3ODBpP8pHQkkxEdE3BcilrHcFL0KCNzIWIry/W4mp9Gxzu5
noFhyAY+83nKTyd8W6Gr+F4qEAzlIMa8e/TDLeY=
</dsig:SignatureValue>
<dsig:KeyInfo>
<secxt:SecurityTokenReference>
<secxt:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1'>
hMvIhAF+Ptszt/a/Yh72b5Ay8vA=
</secxt:KeyIdentifier>
</secxt:SecurityTokenReference>
</dsig:KeyInfo>
</dsig:Signature>
<dsig:Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wst:RequestedAttachedReference>
<secxt:SecurityTokenReference>
<secxt:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID'>
_839c3252-a17c-4ada-9a7e-563e2792674b
</secxt:KeyIdentifier>
</secxt:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<secxt:SecurityTokenReference>
<secxt:KeyIdentifier
ValueType='http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID'>
_839c3252-a17c-4ada-9a7e-563e2792674b
</secxt:KeyIdentifier>
</secxt:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<wst:RequestedProofToken>
<wst:ComputedKey>
https://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
</ComputedKey>
</wst:RequestedProofToken>
<wst:Entropy>
<wst:BinarySecret
secu:Id='uuid-72856c87-f49d-4ef0-86fe-f4b5affbbcc6-10>
U7Qs2MTieDz4e0lYMlwzzyF8JbcXI7nPNh22A2/hsfY=
</wst:BinarySecret>
</wst:Entropy>
</wst:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
Default Endpoint
The default endpoint address is http://Localhost5726/SecurityTokenService/Intranet.
Exceptions
Refer to the WS-Trust specification.
Remarks
The FIM web service only accepts UTF-8 encoding of strings and SOAP messages. Other encodings will be converted to UTF-8 if possible. If an encoding cannot be converted to UTF-8 then the web service will return wxf:InvalidRepresentationFault (see WS-Transfer Extensions for Identity Management Operations specification).