2.2.2.2 RSTR

A RequestSecurityTokenResponse (RSTR) message returns a token in response to a request from a protocol client. The requested token and supporting state are returned by the protocol server without any intermediate exchanges of trust messages.

The RSTR message body MUST contain exactly one RequestSecurityTokenResponse element, as specified in [WS-Trust1.3] sections 3.2 and 4.4.

The RequestSecurityTokenResponse element MUST be contained in a RequestSecurityTokenResponseCollection element, as specified in [WS-Trust1.3] section 4.3. The RequestSecurityTokenResponseCollection element MUST NOT contain more than one RequestSecurityTokenResponse element.

The RequestedSecurityToken element MUST contain one or more SAML (Security Assertion Markup Language) security assertions.

The RequestedSecurityToken element MUST contain a saml:AuthenticationStatement Assertion as defined in [SAMLCore] with a Subject element that specifies the principal that is the subject of the statement. It MUST contain one NameIdentifier element as defined in [SAMLCore] section 2.4.2.2. The principal specified in the NameIdentifier element MUST be equal to the claim specified by an administrator as a user identity claim, as specified in section 2.2.1.
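A protocol client that consumes an RSTR should enforce the MUST rules above before trusting the returned token. The following Python validator is an added example, not code from this specification or from any implementation of it; it assumes a SOAP 1.2 envelope, the WS-Trust 1.3 and SAML 1.1 namespaces, and that the administrator-configured user identity claim is supplied as the expected text value of the NameIdentifier element. The sample message, its identifiers and the helper `duplicate_rstr` are constructed for illustration.

```python
import copy
from typing import List
import xml.etree.ElementTree as ET

# Namespaces referenced by the rules above (SOAP 1.2 envelope is an assumption).
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # WS-Trust 1.3
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",          # SAML 1.1 assertion
}

# Constructed sample RSTR; issuer, IDs, timestamps and principal are illustrative only.
VALID_RSTR = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Body>
    <t:RequestSecurityTokenResponseCollection xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <t:RequestSecurityTokenResponse>
        <t:RequestedSecurityToken>
          <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
              MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-1"
              Issuer="https://sts.example.test" IssueInstant="2024-01-01T00:00:00Z">
            <saml:AuthenticationStatement
                AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                AuthenticationInstant="2024-01-01T00:00:00Z">
              <saml:Subject>
                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameIdentifier>
              </saml:Subject>
            </saml:AuthenticationStatement>
          </saml:Assertion>
        </t:RequestedSecurityToken>
      </t:RequestSecurityTokenResponse>
    </t:RequestSecurityTokenResponseCollection>
  </s:Body>
</s:Envelope>"""


def validate_rstr(xml_text: str, user_identity_claim: str) -> List[str]:
    """Return the list of rule violations for an RSTR body; an empty list means conformant.

    user_identity_claim is the value the administrator configured as the user identity
    claim (assumption: it is compared against the NameIdentifier text). Parse untrusted
    XML with defusedxml in production; ElementTree is used so this runs on stdlib alone.
    """
    violations: List[str] = []
    root = ET.fromstring(xml_text)
    body = root.find("s:Body", NS)
    if body is None:
        return ["no SOAP Body element"]

    # Rule: the body carries exactly one RSTR, and it sits inside an RSTRC.
    if body.findall("t:RequestSecurityTokenResponse", NS):
        violations.append("RequestSecurityTokenResponse must be inside a RequestSecurityTokenResponseCollection")
    collections = body.findall("t:RequestSecurityTokenResponseCollection", NS)
    if len(collections) != 1:
        violations.append(f"expected exactly one RequestSecurityTokenResponseCollection, found {len(collections)}")
        return violations
    rstrs = collections[0].findall("t:RequestSecurityTokenResponse", NS)
    if len(rstrs) != 1:
        violations.append(f"expected exactly one RequestSecurityTokenResponse, found {len(rstrs)}")
        return violations

    # Rule: RequestedSecurityToken holds one or more SAML assertions.
    token = rstrs[0].find("t:RequestedSecurityToken", NS)
    if token is None:
        return violations + ["missing RequestedSecurityToken"]
    assertions = token.findall("saml:Assertion", NS)
    if not assertions:
        return violations + ["RequestedSecurityToken contains no saml:Assertion"]

    # Rule: an AuthenticationStatement whose Subject has exactly one NameIdentifier,
    # and that NameIdentifier names the configured user identity claim.
    statements = [st for a in assertions for st in a.findall("saml:AuthenticationStatement", NS)]
    if not statements:
        return violations + ["no saml:AuthenticationStatement in any assertion"]
    for st in statements:
        subject = st.find("saml:Subject", NS)
        if subject is None:
            violations.append("AuthenticationStatement without Subject")
            continue
        name_ids = subject.findall("saml:NameIdentifier", NS)
        if len(name_ids) != 1:
            violations.append(f"Subject must contain exactly one NameIdentifier, found {len(name_ids)}")
            continue
        principal = (name_ids[0].text or "").strip()
        if principal != user_identity_claim:
            violations.append(f"NameIdentifier {principal!r} does not match the user identity claim")
    return violations


def duplicate_rstr(xml_text: str) -> str:
    """Constructed non-conformant variant: a second RSTR inside the collection."""
    root = ET.fromstring(xml_text)
    collection = root.find("s:Body/t:RequestSecurityTokenResponseCollection", NS)
    collection.append(copy.deepcopy(collection.find("t:RequestSecurityTokenResponse", NS)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(validate_rstr(VALID_RSTR, "alice@example.test"))                  # conformant: []
    print(validate_rstr(VALID_RSTR, "bob@example.test"))                    # identity claim mismatch
    print(validate_rstr(duplicate_rstr(VALID_RSTR), "alice@example.test"))  # two RSTR elements
```

The validator stops at the first structural failure (no collection, wrong RSTR count, no token) because later checks would be meaningless on that shape, but it reports every Subject-level problem so a rejected token can be diagnosed in one pass. Structural validation is a complement to, not a substitute for, signature verification of the assertion.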