3.4.4.1.1.1.3 RequestSecurityToken using On-Premise Authentication

Authentication MUST be implemented for this message as defined in section 3.4. In summary, the following elements and attributes MUST be specified in the SOAP header:

wsse:Security: The <wsse:Security> element MUST be a child of <s:Header>.

wsse:UsernameToken: The <wsse:UsernameToken> element MUST be a child of <wsse:Security> in <s:Header>.

wsse:UsernameToken/attributes/u:Id: The type MUST be "uuid-cc1ccc1f-2fba-4bcf-b063-ffc0cac77917-4" for on-premise authentication.

wsse:Username: The <wsse:Username> element MUST be a child of <wsse:UsernameToken> in <s:Header> and the value specifies the user name.

wsse:Password: The <wsse:Password> element MUST be a child of <wsse:UsernameToken> in <s:Header> and the value specifies the user password.

wsse:Password/attributes/Type: This value MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText".

Namespace: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

The following elements and attributes are specified in the SOAP body of the request message.

wst:RequestSecurityToken: The <wst:RequestSecurityToken> element MUST be a child of <s:Body>.

wst:RequestType: The <wst:RequestType> element MUST be a child of <wst:RequestSecurityToken> and the value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue" (see [WSTrust1.3] section 3.1).

wst:TokenType: The <wst:TokenType> element MUST be a child of <wst:RequestSecurityToken> and the value MUST be "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken" (see [WSTrust1.3] section 3.1).

wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wst:RequestSecurityToken> and MUST contain a base64-encoded certificate signing request.

wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10".

wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary".

The following elements and their values are specified in the SOAP body of the request message.

ac:AdditionalContext: The <ac:AdditionalContext> element MUST be a child of <wst:RequestSecurityToken> (see [MS-WSTEP] section 3.1.4.1.3.3).

ac:ContextItem: One or more <ac:ContextItem> elements MUST be specified as children of <ac:AdditionalContext>, each carrying a Name attribute.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSEdition".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be the decimal integer value of the product enumeration defined in section 2.2.9.6.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSVersion".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be a string (UTF-8) in the format int.int.int.int.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceName".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) name of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentType".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be the UTF-8 string Full or Device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceType".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that MUST be WindowsPhone for mobile devices, CIMClient_Windows for desktop devices, or WindowsHandheld for enterprise handheld devices.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ApplicationVersion".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be a string that specifies the application version in the format int.int.int.int.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceID".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value specifies the unique device identifier. 

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentData".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value contains the enrollment data.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "MAC". Multiple MAC addresses are supported if a device has multiple NICs.

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that specifies the MAC address of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "IMEI".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is an int (integer) that specifies the mobile equipment ID.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "TargetedUserLoggedIn".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is true or false, indicating whether the user is logged in.

The following elements are supported in an implementation-specific manner.<30>

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "Locale".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that specifies the locale of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "HWDevID".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string of 64 hexadecimal characters that specifies the hardware device ID.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ZeroTouchProvisioning". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that represents a GUID used by Zero Touch Provisioning.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OfflineAutoPilotEnrollmentCorrelator". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that serves as a correlator from the offline registration initiator to the enrollment server. The string length must be greater than 0 and less than or equal to 100; the string must contain only alphanumeric characters and single hyphens, and must not start with a hyphen.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "UXInitiated".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates whether the enrollment is user-initiated from the Settings page.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ExternalMgmtAgentHint".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string the agent uses to give hints the enrollment server may need.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DomainName".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string specifying the fully qualified domain name, if the device is domain-joined.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "NotInOobe".<31>

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value. When true, it indicates to the MDM server that the device is not in the out-of-box-experience (OOBE) mode.

The following elements are supported in an implementation-specific manner when the EnrollmentVersion value is 5.0 or higher.<32>

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AIKAttestationClaim".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains a base64-encoded claim blob generated by NCryptCreateClaim, with the MDM private key as the subject and the device’s AIK key as the authority. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AIKPub".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the base64-encoded AIK public key. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AIKCert".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the base64-encoded AIK certificate on the device. This node will only be present if claim creation succeeds, an AIK certificate is present on the device, an attestable crypto provider stored the MDM private key, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AadAIKAttestationClaim".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains a base64-encoded claim blob generated by NCryptCreateClaim, with the AAD private key as the subject and the device's AIK key as the authority. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, the enrollment is using AAD, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AADPub".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the base64-encoded AAD public key. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, the enrollment is using AAD, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EmmDeviceId".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the EmmDeviceId, as specified by ./Vendor/MSFT/DMClient/Provider/ProviderID/EntDMID CSP node, if the node has been populated.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "RequestVersion".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the enrollment version currently being used by the client. This node will only be present when the EnrollmentVersion value is 5.0 or higher.

Namespace: http://schemas.xmlsoap.org/ws/2006/12/authorization
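Every ContextItem value above is supplied by the enrolling client, so an enrollment server should validate them against the stated formats and enumerations before acting on them. The following Python is an added example, not part of the specification or any Microsoft implementation: it checks an ac:AdditionalContext element against the rules listed in this section (required items, allowed names, value formats, and the rule that only MAC may repeat). It assumes each ac:Value is nested inside its ac:ContextItem on the wire; the ac namespace URI is the one given above, and the builder produces constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

AC = "http://schemas.xmlsoap.org/ws/2006/12/authorization"  # ac: namespace from the spec
DOTTED = re.compile(r"^\d+\.\d+\.\d+\.\d+$").match          # int.int.int.int
# 1..100 chars, alphanumeric and hyphen only, no leading hyphen, no repeated hyphen
CORRELATOR = re.compile(r"^(?!-)(?!.*--)[A-Za-z0-9-]{1,100}$").match
BOOL = {"true", "false"}.__contains__
# Value checks transcribed from the rules above; free-form string items need only be non-empty.
RULES = dict.fromkeys(("DeviceName", "DeviceID", "EnrollmentData", "MAC", "Locale",
                       "ExternalMgmtAgentHint", "DomainName", "AIKAttestationClaim",
                       "AIKPub", "AIKCert", "AadAIKAttestationClaim", "AADPub",
                       "EmmDeviceId", "RequestVersion"), bool)
RULES.update({
    "OSEdition": str.isdigit, "IMEI": str.isdigit,
    "OSVersion": DOTTED, "ApplicationVersion": DOTTED,
    "EnrollmentType": {"Full", "Device"}.__contains__,
    "DeviceType": {"WindowsPhone", "CIMClient_Windows", "WindowsHandheld"}.__contains__,
    "TargetedUserLoggedIn": BOOL, "UXInitiated": BOOL, "NotInOobe": BOOL,
    "HWDevID": re.compile(r"^[0-9a-fA-F]{64}$").match,
    "ZeroTouchProvisioning": re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$").match,
    "OfflineAutoPilotEnrollmentCorrelator": CORRELATOR,
})
REQUIRED = (  # the items the section marks MUST for every request; the rest are optional
    "OSEdition", "OSVersion", "DeviceName", "EnrollmentType", "DeviceType",
    "ApplicationVersion", "DeviceID", "EnrollmentData", "MAC", "IMEI", "TargetedUserLoggedIn")

def validate_additional_context(xml_text):
    """Return the problems found in an ac:AdditionalContext element (empty list = accept)."""
    ctx = ET.fromstring(xml_text)
    if ctx.tag != f"{{{AC}}}AdditionalContext":
        return ["root element is not ac:AdditionalContext"]
    problems, seen = [], set()
    for item in ctx.findall(f"{{{AC}}}ContextItem"):
        name = item.get("Name")
        value = (item.findtext(f"{{{AC}}}Value") or "").strip()
        if name not in RULES:
            problems.append(f"unknown ContextItem {name!r}")
        elif name in seen and name != "MAC":  # only MAC may repeat (one per NIC)
            problems.append(f"duplicate ContextItem {name!r}")
        elif not RULES[name](value):
            problems.append(f"bad value for {name!r}: {value!r}")
        seen.add(name)
    problems += [f"missing required ContextItem {n!r}" for n in REQUIRED if n not in seen]
    return problems

def build_additional_context(items):
    """Serialize (Name, Value) pairs as ac:AdditionalContext; constructed test input, values unescaped."""
    body = "".join(f'<ac:ContextItem Name="{n}"><ac:Value>{v}</ac:Value></ac:ContextItem>'
                   for n, v in items)
    return f'<ac:AdditionalContext xmlns:ac="{AC}">{body}</ac:AdditionalContext>'
```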