3.4.4.1.1.1.1 RequestSecurityToken using Federated Authentication

Authentication MUST be implemented for this message as defined in section 3.4. In summary, the following elements and attributes MUST be specified in the SOAP header:

wsse:Security: The <wsse:Security> element MUST be a child of <s:Header>.

wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wsse:Security> in <s:Header>.

wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".

wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary".

The following elements and attributes MUST be specified in the SOAP body of the request message.

wst:RequestSecurityToken: The <wst:RequestSecurityToken> element MUST be a child of <s:Body>.

wst:TokenType: The <wst:TokenType> element MUST be a child of <wst:RequestSecurityToken> and the value is "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken" (see [WSTrust1.3] section 3.1).

wst:RequestType: The <wst:RequestType> element MUST be a child of <wst:RequestSecurityToken> and the value is "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue" (see [WSTrust1.3] section 3.1).

wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wst:RequestSecurityToken> and contains a base64-encoded certificate signing request.

wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10".

wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary".

Namespace: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

The following elements and their values are specified in the SOAP body of the request message:

ac:AdditionalContext: The <ac:AdditionalContext> element MUST be a child of <wst:RequestSecurityToken> (see [MS-WSTEP] section 3.1.4.1.3.3).

ac:ContextItem: One or more <ac:ContextItem> elements, each carrying a Name attribute, MUST be specified as child elements of <ac:AdditionalContext> to represent the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSEdition".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is set to the decimal value as an int (integer) of the product enumeration defined in section 2.2.9.6.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSVersion".

ac:Value: The <ac:Value> element is a child of <ac:AdditionalContext> and the value MUST be a string (UTF-8) in the format int.int.int.int.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceName".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) name of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentType".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that MUST be Full or Device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceType".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that MUST be WindowsPhone for mobile devices, CIMClient_Windows for desktop devices, or WindowsHandheld for enterprise handheld devices.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ApplicationVersion".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string that specifies the application version in the format int.int.int.int.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceID".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value specifies the unique device identifier.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentData".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value contains the enrollment data.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "MAC". Multiple MAC addresses are supported if a device has multiple NICs.

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that specifies the MAC address of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "IMEI".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is an int (integer) that specifies the mobile equipment ID.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "TargetedUserLoggedIn".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is true or false that indicates whether the user is logged in.
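As an added example (not code from MS-MDE2 or from any Microsoft implementation), the following Python builds the message described above and checks a received one against the required header and body elements, the fixed ValueType, EncodingType, TokenType and RequestType values, and the value formats of the ContextItems listed above. It assumes the SOAP 1.2 envelope namespace, the WS-Trust 1.3 namespace for the wst: prefix, that each ac:Value is nested inside its ac:ContextItem so that name and value stay paired, and it treats the ContextItems named in REQUIRED as mandatory; the token, CSR bytes and device values are constructed placeholders.

```python
"""Build the federated-authentication RequestSecurityToken message and check
its required parts on the server side.  Added example, not code from MS-MDE2
or any Microsoft implementation.  Assumptions: SOAP 1.2 envelope namespace,
each <ac:Value> nested inside its <ac:ContextItem>, and the ContextItems in
REQUIRED treated as mandatory.  Token and CSR bytes are constructed."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",                # assumed SOAP 1.2
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",     # WS-Trust 1.3
    "ac": "http://schemas.xmlsoap.org/ws/2006/12/authorization",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

USER_TOKEN = "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
DEVICE_TOKEN = "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken"
ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
PKCS10 = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
BASE64 = NS["wsse"] + "#base64binary"
VERSION = re.compile(r"^\d+\.\d+\.\d+\.\d+$")                      # int.int.int.int
RULES = {  # value checks for the ContextItems described in this section
    "OSEdition": str.isdigit,
    "OSVersion": VERSION.match,
    "ApplicationVersion": VERSION.match,
    "EnrollmentType": ("Full", "Device").__contains__,
    "DeviceType": ("WindowsPhone", "CIMClient_Windows", "WindowsHandheld").__contains__,
    "TargetedUserLoggedIn": ("true", "false").__contains__,
    "IMEI": str.isdigit,
}
REQUIRED = ("OSEdition", "OSVersion", "DeviceName", "EnrollmentType",
            "DeviceType", "ApplicationVersion", "DeviceID")    # assumed core set

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def build_request(user_token_b64, csr_der, context):
    """context is a list of (Name, Value) pairs; MAC may appear more than once."""
    env = ET.Element(q("s", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("s", "Header")), q("wsse", "Security"))
    ET.SubElement(sec, q("wsse", "BinarySecurityToken"), ValueType=USER_TOKEN,
                  EncodingType=BASE64).text = user_token_b64
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "TokenType")).text = DEVICE_TOKEN
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    ET.SubElement(rst, q("wsse", "BinarySecurityToken"), ValueType=PKCS10,
                  EncodingType=BASE64).text = base64.b64encode(csr_der).decode("ascii")
    actx = ET.SubElement(rst, q("ac", "AdditionalContext"))
    for name, value in context:
        item = ET.SubElement(actx, q("ac", "ContextItem"), Name=name)
        ET.SubElement(item, q("ac", "Value")).text = value
    return ET.tostring(env, encoding="unicode")

def _b64_ok(text):
    try:
        return bool(text) and base64.b64decode(text, validate=True) != b""
    except (binascii.Error, ValueError):
        return False

def check_request(xml_text):
    """Return a list of problems; an empty list means the required parts are well-formed."""
    problems = []
    env = ET.fromstring(xml_text)
    bst = env.find("s:Header/wsse:Security/wsse:BinarySecurityToken", NS)
    if bst is None:
        problems.append("header BinarySecurityToken missing")
    elif (bst.get("ValueType") != USER_TOKEN or bst.get("EncodingType") != BASE64
          or not _b64_ok(bst.text)):
        problems.append("header BinarySecurityToken malformed")
    rst = env.find("s:Body/wst:RequestSecurityToken", NS)
    if rst is None:
        return problems + ["RequestSecurityToken missing"]
    if rst.findtext("wst:TokenType", None, NS) != DEVICE_TOKEN:
        problems.append("TokenType")
    if rst.findtext("wst:RequestType", None, NS) != ISSUE:
        problems.append("RequestType")
    csr = rst.find("wsse:BinarySecurityToken", NS)
    if (csr is None or csr.get("ValueType") != PKCS10
            or csr.get("EncodingType") != BASE64 or not _b64_ok(csr.text)):
        problems.append("PKCS10 BinarySecurityToken malformed")
    items = [(i.get("Name"), i.findtext("ac:Value", "", NS))
             for i in rst.findall("ac:AdditionalContext/ac:ContextItem", NS)]
    names = {n for n, _ in items}
    problems += ["missing ContextItem " + n for n in REQUIRED if n not in names]
    problems += ["bad value for " + n for n, v in items if n in RULES and not RULES[n](v)]
    return problems

# Constructed sample values: not a real token, CSR or device.
SAMPLE_TOKEN = base64.b64encode(b"constructed-federated-user-token").decode("ascii")
SAMPLE_CSR = b"\x30\x82\x00\x10constructed-pkcs10-placeholder"
SAMPLE_CONTEXT = [
    ("OSEdition", "4"), ("OSVersion", "10.0.19041.1"), ("DeviceName", "LAB-PC-01"),
    ("EnrollmentType", "Full"), ("DeviceType", "CIMClient_Windows"),
    ("ApplicationVersion", "10.0.19041.1"), ("DeviceID", "constructed-device-id"),
    ("EnrollmentData", "constructed"), ("MAC", "00-11-22-33-44-55"),
    ("MAC", "66-77-88-99-AA-BB"), ("TargetedUserLoggedIn", "true"),
]

if __name__ == "__main__":
    msg = build_request(SAMPLE_TOKEN, SAMPLE_CSR, SAMPLE_CONTEXT)
    print(check_request(msg))                                        # []
    print(check_request(msg.replace("CIMClient_Windows", "Linux")))  # ['bad value for DeviceType']
```

The checker reports every defect rather than stopping at the first, which is what an enrollment server wants when it logs a rejected request; base64 validation on both BinarySecurityToken elements rejects tokens or CSRs that would otherwise fail later inside the certificate pipeline with a less useful error.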

The following elements are supported in an implementation-specific manner.<24>

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "Locale".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that specifies the locale of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "HWDevID".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a 64-hex character length UTF-8 string that specifies the hardware device ID.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "BulkAADJ". This attribute will be present only if the enrollment is taking place as part of Bulk Azure Active Directory Join.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be the literal string "true" indicating that the enrollment is taking place as part of Bulk Azure Active Directory Join.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ZeroTouchProvisioning". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that represents a GUID used by Zero Touch Provisioning.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OfflineAutoPilotEnrollmentCorrelator". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that serves as a correlator from the offline registration initiator to the enrollment server. The string length must be greater than 0 and less than or equal to 100; the string must contain only alphanumeric characters and single hyphens, and must not start with a hyphen.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "UXInitiated".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates whether the enrollment is user-initiated from the Settings page.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ExternalMgmtAgentHint".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string the agent uses to give hints the enrollment server may need.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DomainName".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string specifying the fully qualified domain name, if the device is domain-joined.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "BootstrapDomainJoin".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates whether a hint will be sent when attempting to Domain Join during OOBE. The MDM can use this hint to send down any Domain Join information and connectivity profiles to the domain that it needs.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "PlugandForget".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates to the server whether the client is in the PlugandForget scenario and can be managed as if the device has no Azure AD users.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "WhiteGlove".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates whether the device is in 'whiteglove' mode in which the server can provision policies and resources prior to the user enrolling into management (with AAD Join).

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "WhiteGloveHybridJoin".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates whether the device is in 'whiteglove' mode, in which the server can provision policies and resources prior to the user enrolling into management (with Hybrid AAD Join).

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "NotInOobe".<25>

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value. When true, indicates to the MDM server that the device is not in the out-of-box-experience (OOBE) mode.

The following elements are supported in an implementation-specific manner where EnrollmentVersion value is 5.0 or higher.<26>

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AIKAttestationClaim".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains a base64-encoded claim blob generated by NCryptCreateClaim (see [MSDOCS-NCryptCreateClaim]), with the MDM private key as the subject and the device’s AIK key as the authority. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AIKPub".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the base64-encoded AIK public key. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AIKCert".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the base64-encoded AIK certificate on the device. This node will only be present if claim creation succeeds, an AIK certificate is present on the device, an attestable crypto provider stored the MDM private key, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AadAIKAttestationClaim".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains a base64-encoded claim blob generated by NCryptCreateClaim, with the AAD private key as the subject and the device’s AIK key as the authority. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, the enrollment is using AAD, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AADPub".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the base64-encoded AAD public key. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, the enrollment is using AAD, and the EnrollmentVersion value is 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EmmDeviceId".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the EmmDeviceId, as specified by ./Vendor/MSFT/DMClient/Provider/ProviderID/EntDMID CSP node, if the node has been populated.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "RequestVersion".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains the enrollment version currently being used by the client. This node will only be present with EnrollmentVersion value 5.0 or higher.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "AzureAttestationBlob".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a string value. This value contains a base64-encoded JSON token generated by the Azure Attestation Flow. This node will only be present if claim creation succeeds, an attestable crypto provider stored the MDM private key, the Azure Attestation fields were supplied in the earlier message, and the EnrollmentVersion value is 6.0 or higher. If this tag is present, the AIKAttestationClaim, AIKPub, AIKCert, AadAIKAttestationClaim, and AADPub fields will not be present.
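The following Python is an added example (not code from MS-MDE2 or from any Microsoft implementation) of the server-side checks for the optional ContextItems in the two lists above: the implementation-specific items (correlator format, HWDevID length, BulkAADJ literal, GUID for ZeroTouchProvisioning, boolean items) and the EnrollmentVersion 5.0 and 6.0 gating of the attestation items, including the rule that AzureAttestationBlob excludes the AIK and AAD fields. Its input is the list of (Name, Value) pairs found under ac:AdditionalContext. It assumes that a missing RequestVersion means a client below version 5.0, and reads "single hyphen only" in the correlator rule as no doubled hyphens; all sample values are constructed.

```python
"""Checks for the optional <ac:ContextItem> entries: implementation-specific
items and the EnrollmentVersion 5.0+ attestation items.  Added example, not
code from MS-MDE2 or any Microsoft implementation.  Assumptions: a missing
RequestVersion means a pre-5.0 client; 'single hyphen only' means no doubled
hyphens.  Sample values are constructed."""
import base64
import binascii
import re
import uuid

CORRELATOR = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")   # alphanumerics, non-leading hyphens
HWDEVID = re.compile(r"^[0-9A-Fa-f]{64}$")
BOOL_ITEMS = ("UXInitiated", "BootstrapDomainJoin", "PlugandForget",
              "WhiteGlove", "WhiteGloveHybridJoin", "NotInOobe")
AIK_ITEMS = ("AIKAttestationClaim", "AIKPub", "AIKCert",
             "AadAIKAttestationClaim", "AADPub")

def is_b64(v):
    try:
        return bool(v) and base64.b64decode(v, validate=True) != b""
    except (binascii.Error, ValueError):
        return False

def is_guid(v):
    try:
        uuid.UUID(v)
        return True
    except ValueError:
        return False

def parse_version(v):
    """'5.0' -> (5, 0); None when absent or malformed."""
    try:
        return tuple(int(x) for x in v.split("."))
    except (AttributeError, ValueError):
        return None

def check_optional_items(items):
    """Return a list of problems; empty means every optional item present is well-formed."""
    values = {}
    for name, value in items:
        values.setdefault(name, value)
    problems = []
    corr = values.get("OfflineAutoPilotEnrollmentCorrelator")
    if corr is not None and not (len(corr) <= 100 and CORRELATOR.match(corr) and "--" not in corr):
        problems.append("OfflineAutoPilotEnrollmentCorrelator malformed")
    if "HWDevID" in values and not HWDEVID.match(values["HWDevID"]):
        problems.append("HWDevID must be 64 hex characters")
    if "BulkAADJ" in values and values["BulkAADJ"] != "true":
        problems.append("BulkAADJ must be the literal string true")
    if "ZeroTouchProvisioning" in values and not is_guid(values["ZeroTouchProvisioning"]):
        problems.append("ZeroTouchProvisioning must be a GUID")
    for name in BOOL_ITEMS:
        if name in values and values[name] not in ("true", "false"):
            problems.append(name + " must be true or false")
    ver = parse_version(values.get("RequestVersion"))
    if "RequestVersion" in values and ver is None:
        problems.append("RequestVersion malformed")
    # Attestation items are only valid from EnrollmentVersion 5.0 and carry base64 blobs.
    for name in AIK_ITEMS + ("AzureAttestationBlob",):
        if name not in values:
            continue
        if ver is None or ver < (5, 0):
            problems.append(name + " requires EnrollmentVersion 5.0 or higher")
        elif not is_b64(values[name]):
            problems.append(name + " is not base64")
    # AzureAttestationBlob needs 6.0+ and replaces the AIK/AAD fields entirely.
    if "AzureAttestationBlob" in values:
        if ver is not None and ver < (6, 0):
            problems.append("AzureAttestationBlob requires EnrollmentVersion 6.0 or higher")
        problems += [n + " must be absent when AzureAttestationBlob is present"
                     for n in AIK_ITEMS if n in values]
    return problems

# Constructed samples (not real attestation material).
B64 = base64.b64encode(b'{"constructed":"attestation-token"}').decode("ascii")
GOOD = [("RequestVersion", "6.0"), ("AzureAttestationBlob", B64), ("HWDevID", "ab" * 32),
        ("UXInitiated", "true"), ("OfflineAutoPilotEnrollmentCorrelator", "ztd-batch-07"),
        ("ZeroTouchProvisioning", "3f2504e0-4f89-11d3-9a0c-0305e82c3301")]
BAD = [("RequestVersion", "5.0"), ("AzureAttestationBlob", B64), ("AIKPub", B64),
       ("OfflineAutoPilotEnrollmentCorrelator", "-leading"), ("HWDevID", "abc"),
       ("NotInOobe", "yes")]

if __name__ == "__main__":
    print(check_optional_items(GOOD))        # []
    for p in check_optional_items(BAD):
        print("-", p)
```

The version gate matters for a server that consumes the attestation claims: a request that carries AIKAttestationClaim without a RequestVersion, or AzureAttestationBlob together with the AIK fields, does not match any client behaviour this section describes and is worth logging as malformed rather than silently accepting whichever claim happens to parse.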

Namespace: http://schemas.xmlsoap.org/ws/2006/12/authorization