3.3.4.1.3 Encrypted and Unencrypted Tokens

This section shows the required attributes and elements of the encrypted and unencrypted tokens that are received from the STS.

The following is an encrypted token from an STS. The required elements and values are specified after the encrypted and unencrypted tokens.

 <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Assertion0" Type="http://www.w3.org/2001/04/xmlenc#Element">
   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"></EncryptionMethod>
   <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <EncryptedKey>
       <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod>
       <ds:KeyInfo Id="keyinfo">
         <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
           <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">sUwVAnqj8qmOw5IJ7L0Z7s8fEh4=</wsse:KeyIdentifier>
         </wsse:SecurityTokenReference>
       </ds:KeyInfo>
       <CipherData>
         <CipherValue>mfYn2OYAGs6YaXw5P8L79mmHvHbd3+Of1QWprAmRww/Finek03IEa/r7LlxxGfb7FAA+ScthkQA… ==</CipherValue>
       </CipherData>
     </EncryptedKey>
   </ds:KeyInfo>
   <CipherData>
     <CipherValue>B5B4B/PrdcBj9s8CQxBs6pNNLFlA9VeA4Y5ZIM6VBkDYwX6zmnCmBkOghx9pPrSGxmp2KChWU5QAKHsJ…==</CipherValue>
   </CipherData>
  </EncryptedData>

The following is an unencrypted token from an STS. The required elements and values are specified after the token.

 <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-c3a658d0-d832-43dc-bf57-2bfba93c13e5" IssueInstant="2009-09-24T17:34:01Z" Issuer="uri:WindowsLiveID" MajorVersion="1" MinorVersion="1">
   <saml:Conditions NotBefore="2009-09-24T17:34:01Z" NotOnOrAfter="2009-10-09T17:34:01Z">
     <saml:AudienceRestrictionCondition>
       <saml:Audience>http://fabrikam.com</saml:Audience>
     </saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AuthenticationStatement AuthenticationInstant="2009-09-24T17:34:01Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
     <saml:Subject>
       <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">a744b0351351444d3087ca806986b9a0@Live.com</saml:NameIdentifier>
       <saml:SubjectConfirmation>
         <saml:ConfirmationMethod>urn:oasis:names:tc:saml:1.0:cm:holder-of-key</saml:ConfirmationMethod>
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
           <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
             <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></e:EncryptionMethod>
             <ds:KeyInfo Id="keyinfo">
               <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                 <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">sUwVAnqj8qmOw5IJ7L0Z7s8fEh4=</wsse:KeyIdentifier>
               </wsse:SecurityTokenReference>
             </ds:KeyInfo>
             <e:CipherData>
               <e:CipherValue>lRRb1PaUiQrsdA0me/Q4Gt6RVHkDm5ehPNZaDoiQ … ==</e:CipherValue>
             </e:CipherData>
           </e:EncryptedKey>
         </ds:KeyInfo>
       </saml:SubjectConfirmation>
     </saml:Subject>
   </saml:AuthenticationStatement>
   <saml:AttributeStatement>
     <saml:Subject>
       <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">a744b0351351444d3087ca806986b9a0@Live.com</saml:NameIdentifier>
     </saml:Subject>
     <saml:Attribute AttributeName="RequestorDomain" AttributeNamespace="http://schemas.microsoft.com/ws/2006/04/identity/claims">
       <saml:AttributeValue>contoso.com</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
       <saml:AttributeValue>joe@contoso.com</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute AttributeName="action" AttributeNamespace="http://schemas.xmlsoap.org/ws/2006/12/authorization/claims">
       <saml:AttributeValue>MSExchange.SharingCalendarFreeBusy</saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute AttributeName="ThirdPartyRequested" AttributeNamespace="http://schemas.microsoft.com/ws/2006/04/identity/claims">
       <saml:AttributeValue></saml:AttributeValue>
     </saml:Attribute>
     <saml:Attribute AttributeName="AuthenticatingAuthority" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity">
       <saml:AttributeValue>http://contoso.com</saml:AttributeValue>
     </saml:Attribute>
   </saml:AttributeStatement>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
     <SignedInfo>
       <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
       <Reference URI="#uuid-c3a658d0-d832-43dc-bf57-2bfba93c13e5">
         <Transforms>
           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
           <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
         <DigestValue>DP2Bg6+h59Uw4zc8DjRNJ4UQAlw=</DigestValue>
       </Reference>
     </SignedInfo>
     <SignatureValue>
       baY0k5dLPuPHKCwTgMATaXKEJL4vX8GeWvaQgCeZchNUbXij1BmPH/Lqu/lHtFavGpLDJ+ukbGeV
       vKWveIGCnre8SCYBUBHlwi0FSw+p+pmFGlRytRG4mkAzEI9dskGnW0RlhfFSVDzvnSBGwrNzSH5o
       Y9hKDVT5emRGeYpDQYc=
     </SignatureValue>
     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="keyinfo">
       <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">VbJyIcGL0AjB4/Wm4DqUZux6uUk=</wsse:KeyIdentifier>
       </wsse:SecurityTokenReference>
     </ds:KeyInfo>
   </Signature>
 </saml:Assertion>

The following elements and attributes are required.

  • /saml:Assertion   The AssertionID attribute MUST match the /s:body/wst:RequestSecurityTokenResponse/wst:RequestedAttachedReference/wsse:SecurityTokenReference/wsse:KeyIdentifier element in the response from the STS.

  • /saml:Assertion/saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience   The saml:Audience element MUST contain the same value as the /s:Envelope/s:Body/t:RequestSecurityToken/wsp:AppliesTo/a:EndpointReference/a:Address element in the request.

  • /saml:Assertion/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier   The saml:NameIdentifier element MUST be present and MUST be in UPN syntax. Its value can be any value that the STS chooses; however, it is the same for each /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier element in the request.

  • /saml:Assertion/saml:AuthenticationStatement/saml:Subject/saml:SubjectConfirmation   The saml:SubjectConfirmation element MUST be present and MUST be in the format specified in [SAML].

  • /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier   The value of the saml:NameIdentifier element MUST be the same as the value of the /saml:Assertion/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier element.

  • /saml:Assertion/saml:AttributeStatement/saml:Attribute   Each saml:Attribute element listed in the following table MUST be present, and its AttributeValue child element MUST contain the value specified in the table.

  Attribute name           AttributeValue element
  -----------------------  ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  RequestorDomain          MUST be the same as the /s:Envelope/s:Body/s:RequestSecurityToken/auth:AdditionalContext/auth:ContextItem/auth:Value element in the token request.
  EmailAddress             MUST be the same as the /s:Envelope/s:Body/t:RequestSecurityToken/t:OnBehalfOf/saml:Assertion/saml:AttributeStatement/saml:Attribute@[EmailAddress]\AttributeValue element in the token request.
  action                   MUST be the same as the /s:Envelope/s:Body/t:RequestSecurityToken/t:Claims\auth:ClaimType@[…/Action]\auth:Value element in the token request.
  ThirdPartyRequested      MUST NOT contain a value.
  AuthenticatingAuthority  MUST contain a domain name previously registered with the AddUri operation, as specified in section 3.2.4.1.

  • /saml:Assertion/Signature   The Signature element MUST be a standard signature, as specified in [XMLDSig2], and MUST sign the entire Assertion element.
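The requirements listed above, as an added example that is not part of the specification: a Python validator that applies each MUST in the list and the table to an unencrypted assertion and reports every violated requirement. The embedded token is constructed (the section's sample trimmed down, with a made-up AssertionID and SignatureValue); the keys of the `expected` argument (rstr_key_identifier, applies_to, on_behalf_of_upn, requestor_domain, email_address, action) are assumed names for the values the relying party sent in the RequestSecurityToken and received in the RequestSecurityTokenResponse, and the UPN regular expression is an assumed approximation of UPN syntax. The block checks that the Signature is present and that its Reference covers the whole Assertion; the cryptographic verification itself is left to an XML-DSig library.

```python
"""Structural checks for the unencrypted SAML 1.1 assertion returned by the STS.
Added example, not part of the specification. Cryptographic validation of the
Signature must be done separately with an XML-DSig library before the values are trusted."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed approximation of UPN syntax

# Attributes whose AttributeValue MUST equal a value from the token request.
# The dict values are assumed key names of the `expected` argument below.
REQUEST_BOUND_ATTRIBUTES = {"RequestorDomain": "requestor_domain",
                            "EmailAddress": "email_address", "action": "action"}

# Constructed token: the section's sample trimmed down, with a made-up AssertionID and
# SignatureValue. The empty ThirdPartyRequested value is deliberate (it MUST be empty).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" AssertionID="uuid-constructed-0001"
    IssueInstant="2009-09-24T17:34:01Z" Issuer="uri:WindowsLiveID" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2009-09-24T17:34:01Z" NotOnOrAfter="2009-10-09T17:34:01Z">
    <saml:AudienceRestrictionCondition><saml:Audience>http://fabrikam.com</saml:Audience></saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2009-09-24T17:34:01Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">user@contoso.com</saml:NameIdentifier>
      <saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:saml:1.0:cm:holder-of-key</saml:ConfirmationMethod></saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">user@contoso.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="RequestorDomain" AttributeNamespace="http://schemas.microsoft.com/ws/2006/04/identity/claims"><saml:AttributeValue>contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>joe@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="action" AttributeNamespace="http://schemas.xmlsoap.org/ws/2006/12/authorization/claims"><saml:AttributeValue>MSExchange.SharingCalendarFreeBusy</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="ThirdPartyRequested" AttributeNamespace="http://schemas.microsoft.com/ws/2006/04/identity/claims"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="AuthenticatingAuthority" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity"><saml:AttributeValue>http://contoso.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#uuid-constructed-0001"/></ds:SignedInfo><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
</saml:Assertion>"""

# Assumed record of what this relying party sent in the RST and received in the RSTR.
EXPECTED_REQUEST = {"rstr_key_identifier": "uuid-constructed-0001", "applies_to": "http://fabrikam.com",
                    "on_behalf_of_upn": "user@contoso.com", "requestor_domain": "contoso.com",
                    "email_address": "joe@contoso.com", "action": "MSExchange.SharingCalendarFreeBusy"}


def _attribute_values(assertion):
    """Map AttributeName -> AttributeValue text for every saml:Attribute in the AttributeStatement."""
    return {attr.get("AttributeName"): attr.findtext("saml:AttributeValue", default="", namespaces=NS)
            for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


def validate_assertion(xml_text, expected, registered_authorities):
    """Return the list of violated requirements; an empty list means every check passed."""
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]
    errors = []
    assertion_id = a.get("AssertionID", "")
    # AssertionID MUST match the wsse:KeyIdentifier in the RSTR's RequestedAttachedReference.
    if assertion_id != expected["rstr_key_identifier"]:
        errors.append("AssertionID %r does not match the RequestedAttachedReference" % assertion_id)
    # saml:Audience MUST equal the wsp:AppliesTo address; a token minted for another relying party is rejected.
    audience = a.findtext("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", namespaces=NS)
    if audience != expected["applies_to"]:
        errors.append("saml:Audience %r != wsp:AppliesTo %r" % (audience, expected["applies_to"]))
    # AuthenticationStatement subject: present, UPN syntax, same as the OnBehalfOf subject of the request.
    auth_nid = a.findtext("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", namespaces=NS)
    if not auth_nid or not UPN_RE.match(auth_nid):
        errors.append("AuthenticationStatement NameIdentifier missing or not a UPN: %r" % auth_nid)
    elif auth_nid != expected["on_behalf_of_upn"]:
        errors.append("NameIdentifier %r differs from the OnBehalfOf subject" % auth_nid)
    if a.find("saml:AuthenticationStatement/saml:Subject/saml:SubjectConfirmation/saml:ConfirmationMethod", NS) is None:
        errors.append("saml:SubjectConfirmation with a ConfirmationMethod is missing")
    # AttributeStatement subject MUST repeat the AuthenticationStatement subject.
    attr_nid = a.findtext("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", namespaces=NS)
    if attr_nid != auth_nid:
        errors.append("AttributeStatement NameIdentifier %r != %r" % (attr_nid, auth_nid))
    # Table rows: request-bound values, an empty ThirdPartyRequested, a registered AuthenticatingAuthority.
    values = _attribute_values(a)
    for name, key in REQUEST_BOUND_ATTRIBUTES.items():
        if values.get(name) != expected[key]:
            errors.append("%s is %r, expected %r" % (name, values.get(name), expected[key]))
    if values.get("ThirdPartyRequested") != "":
        errors.append("ThirdPartyRequested MUST be present and MUST NOT contain a value")
    if values.get("AuthenticatingAuthority") not in registered_authorities:
        errors.append("AuthenticatingAuthority %r was not registered with AddUri" % values.get("AuthenticatingAuthority"))
    # The Signature MUST be present and its Reference MUST cover the whole Assertion (URI="#<AssertionID>").
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion_id:
        errors.append("Signature is missing or does not reference the Assertion element")
    return errors


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, EXPECTED_REQUEST, {"http://contoso.com"}) or "all structural checks passed")
```

The checks are deliberately ordered so that a token issued for a different audience, a token whose two subjects disagree, or a token whose AuthenticatingAuthority was never registered with AddUri each produces a distinct message; a relying party would log these individually, since each points at a different failure mode (token replayed against the wrong service, inconsistent subject, unregistered federation partner).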