4.3.1.2 RequestSecurityToken Example: Request using Certificate Authentication

The following snippet shows a RequestSecurityToken message sent when the &lt;AuthPolicy&gt; is "Certificate".

  
 <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
   <s:Header>
     <a:Action s:mustUnderstand="1">
       http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
     </a:Action>
     <a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
     <a:ReplyTo>
       <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
     </a:ReplyTo>
     <a:To s:mustUnderstand="1">
       https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
     </a:To>
     <wsse:Security s:mustUnderstand="1">
       <u:Timestamp>
         <u:Created>2014-10-16T17:55:13Z</wsu:Created>
         <!-- Start time in UTC -->
         <u:Expires>2014-10-16T17:57:13Z </wsu:Expires>
         <!-- Expiration time in UTC -->
       </u:Timestamp>
       <wsse:BinarySecurityToken  ValueType= 
  
 "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
       EncodingType=
       "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
       xmlns=           http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
       u:Id="uuid-29801C2F-F26B-46AD-984B-AFAEFB545FF8">
       B64EncodedSampleBinarySecurityToken
       </wsse:BinarySecurityToken> <!--X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference  -->
       <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
         <SignedInfo>
           <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
           <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig-more#rsa-sha256/>"
           <Reference URI="">
             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
             <DigestValue>MessageDigestValue</DigestValue>
             <!-- Digest value of message using digest method -->
           </Reference>
         </SignedInfo>
         <SignatureValue>SignedMessageBlob</SignatureValue>
           <!-- Digest value of message signed with the user’s private key using RSA-SHA256 -->
           <KeyInfo>
             <wsse:SecurityTokenReference>
               <wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8"
                               ValueType="http://docs.oasis-open.org/wss/2004/01/ 
                                   oasis-200401-wss-x509-token-profile-1.0#X509"/>
               <!-- References BinarySecurityToken that contains public key to verify signature -->
             </wsse:SecurityTokenReference>
           </KeyInfo>
         </Signature>
     </wsse:Security>
   </s:Header>
   <s:Body>
     <wst:RequestSecurityToken>
       <wst:TokenType>
         http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
       </wst:TokenType>
       <wst:RequestType>
         http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
       </wst:RequestType>
       <wsse:BinarySecurityToken
          ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
         DER format PKCS#10 certificate request in Base64 encoding Insterted Here
       </wsse:BinarySecurityToken>
       <ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
            <ac:ContextItem Name="UXInitiated">
                <ac:Value>true</ac:Value>
            </ac:ContextItem>
            <ac:ContextItem Name="ExternalMgmtAgentHint">
                <ac:Value>Agent1:Value1</ac:Value>
            </ac:ContextItem>
            <ac:ContextItem Name="DomainName">
                <ac:Value>mydomain.fabrikam.com</ac:Value>
            </ac:ContextItem>
             <ac:ContextItem Name="OSEdition">
                <ac:Value> 4</ac:Value>
             <ac:ContextItem Name="OSVersion">
                <ac:Value>10.0.9999.0</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="DeviceName">
                <ac:Value>MY_WINDOWS_DEVICE</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="MAC">
                <ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="MAC">
                <ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="IMEI">
                <ac:Value>49015420323756</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="IMEI">
                <ac:Value>30215420323756</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="EnrollmentType">
                <ac:Value>Full</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="DeviceType">
                <ac:Value>CIMClient_Windows</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="ApplicationVersion">
                <ac:Value>10.0.9999.0</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="DeviceID">
                <ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="EnrollmentData">
                <ac:Value>3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="TargetedUserLoggedIn">
                <ac:Value>True</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="Locale">
                <ac:Value>en-us</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="HWDevID">
                <ac:Value>FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="ZeroTouchProvisioning">
                <ac:Value>ffffffff-ffff-4fff-afff-ffffffffffff</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name = "OfflineAutoPilotEnrollmentCorrelator">
                <ac:Value>ffffffff-ffff-4fff-afff-ffffffffffff</ac:Value>
             </ac:ContextItem>
             <ac:ContextItem Name="NotInOobe">
                <ac:Value>True</ac:Value>
             </ac:ContextItem>
           </ac:AdditionalContext>
     </wst:RequestSecurityToken>
   </s:Body>
 </s:Envelope>