4.3.1.2 RequestSecurityToken Example: Request using Certificate Authentication
The following snippet demonstrates a RequestSecurityToken message sent when <AuthPolicy> is "Certificate".
-
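<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
            xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
    <a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</a:To>
    <wsse:Security s:mustUnderstand="1">
      <!-- Freshness window for the request (two minutes in this sample). A verifier should
           reject a message whose Timestamp is outside Created..Expires to limit replay. -->
      <u:Timestamp>
        <u:Created>2014-10-16T17:55:13Z</u:Created> <!-- Start time in UTC -->
        <u:Expires>2014-10-16T17:57:13Z</u:Expires> <!-- Expiration time in UTC -->
      </u:Timestamp>
      <!-- X509v3 exported public cert, Base64 encoded. u:Id is the anchor the KeyInfo
           below points at, so the verifier resolves the signing key from this token.
           NOTE(review): ValueType names DeviceEnrollmentUserToken while the SecurityTokenReference
           below uses the X509 token-profile ValueType; confirm which is intended. -->
      <wsse:BinarySecurityToken
          ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
          xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          u:Id="uuid-29801C2F-F26B-46AD-984B-AFAEFB545FF8">
        B64EncodedSampleBinarySecurityToken
      </wsse:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <!-- NOTE(review): the algorithm URIs below are taken from the original sample; the registered
               identifiers are http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 (RFC 4051) and
               http://www.w3.org/2001/04/xmlenc#sha256. Confirm against the normative text. -->
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig-more#rsa-sha256"/>
          <!-- URI="" selects the whole document. NOTE(review): a Transforms element with the
               enveloped-signature transform is normally required so the digest excludes the
               Signature element itself; the sample omits it. -->
          <Reference URI="">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
            <DigestValue>MessageDigestValue</DigestValue> <!-- Digest value of message using digest method -->
          </Reference>
        </SignedInfo>
        <SignatureValue>SignedMessageBlob</SignatureValue> <!-- Digest value of message signed with the user's private key using RSA-SHA256 -->
        <KeyInfo>
          <wsse:SecurityTokenReference>
            <!-- References the BinarySecurityToken that contains the public key used to verify the signature.
                 The URI must be a fragment pointing at that token's u:Id; the original sample omitted the
                 "#uuid-" part, so the reference could not be resolved. -->
            <wsse:Reference URI="#uuid-29801C2F-F26B-46AD-984B-AFAEFB545FF8"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"/>
          </wsse:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken>
      <wst:TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <!-- PKCS#10 certificate request; the issued certificate is bound to the public key carried here -->
      <wsse:BinarySecurityToken
          ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
        DER format PKCS#10 certificate request in Base64 encoding Inserted Here
      </wsse:BinarySecurityToken>
      <!-- Client-supplied device attributes. They are covered by the message signature but are
           self-asserted by the requester, not independently attested; the server should treat
           them as hints for policy and logging rather than as identity proof. -->
      <ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
        <ac:ContextItem Name="UXInitiated">
          <ac:Value>true</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="ExternalMgmtAgentHint">
          <ac:Value>Agent1:Value1</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="DomainName">
          <ac:Value>mydomain.fabrikam.com</ac:Value>
        </ac:ContextItem>
        <!-- The original sample was missing this item's closing tag -->
        <ac:ContextItem Name="OSEdition">
          <ac:Value>4</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="OSVersion">
          <ac:Value>10.0.9999.0</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="DeviceName">
          <ac:Value>MY_WINDOWS_DEVICE</ac:Value>
        </ac:ContextItem>
        <!-- Repeated items (MAC, IMEI) are expressed as repeated ContextItem elements -->
        <ac:ContextItem Name="MAC">
          <ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="MAC">
          <ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="IMEI">
          <ac:Value>49015420323756</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="IMEI">
          <ac:Value>30215420323756</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="EnrollmentType">
          <ac:Value>Full</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="DeviceType">
          <ac:Value>CIMClient_Windows</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="ApplicationVersion">
          <ac:Value>10.0.9999.0</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="DeviceID">
          <ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="EnrollmentData">
          <ac:Value>3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="TargetedUserLoggedIn">
          <ac:Value>True</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="Locale">
          <ac:Value>en-us</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="HWDevID">
          <ac:Value>FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="ZeroTouchProvisioning">
          <ac:Value>ffffffff-ffff-4fff-afff-ffffffffffff</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="OfflineAutoPilotEnrollmentCorrelator">
          <ac:Value>ffffffff-ffff-4fff-afff-ffffffffffff</ac:Value>
        </ac:ContextItem>
        <ac:ContextItem Name="NotInOobe">
          <ac:Value>True</ac:Value>
        </ac:ContextItem>
      </ac:AdditionalContext>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>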