3.4.4.1.1.1.2 RequestSecurityToken using Certificate Authentication

Authentication MUST be implemented for this message as defined in section 3.4. In summary, the following elements and attributes MUST be specified in the SOAP header:

wsse:Security: The <wsse:Security> element MUST be a child of <s:Header>.

u:Timestamp: The <u:Timestamp> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.

u:Created: The <u:Created> element MUST be a child of <u:Timestamp> in <s:Header> for certificate authentication. The value is a date/time.

u:Expires: The <u:Expires> element MUST be a child of <u:Timestamp> in <s:Header> for certificate authentication. The value is a date/time.

wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wsse:Security> in <s:Header>.

wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be  "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".

wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary".

ds:Signature: The <ds:Signature> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.

ds:SignedInfo: The <ds:Signature> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication.

ds:CanonicalizationMethod: The <ds:CanonicalizationMethod> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.

ds:CanonicalizationMethod/attributes/Algorithm: The <ds:CanonicalizationMethod> Algorithm attribute MUST contain "http://www.w3.org/2001/10/xml-exc-c14n#".

ds:SignatureMethod: The <ds:SignatureMethod> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.

ds:SignatureMethod/attributes/Algorithm: The <ds:SignatureMethod> Algorithm attribute MUST contain "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".

ds:Reference: The <ds:Reference> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.

ds:Reference/attributes/URI: The <ds:Reference> URI attribute MUST be "".

ds:Transforms: The <ds:Transforms> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.

ds:Transform: The <ds:Transform> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.

ds:Transform/attributes/Algorithm: The <ds:SignatureMethod> Algorithm attribute MUST be "http://www.w3.org/2000/09/xmldsig#enveloped-signature".

ds:DigestMethod: The <ds:DigestMethod> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.

ds:DigestMethod/attributes/Algorithm: The <ds:DigestMethod> Algorithm attribute MUST be "http://www.w3.org/2001/04/xmlenc#sha256".

ds:DigestValue: The <ds:DigestValue> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication. The value is a string.

ds:SignatureValue: The <ds:SignatureValue> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication. The value is a string.

ds:KeyInfo: The <ds:KeyInfo> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication.

wsse:SecurityTokenReference: The <wsse:SecurityTokenReference> element MUST be a child of <ds:KeyInfo> in <ds:Signature> in <s:Header> for certificate authentication.

wsse:Reference: The <wsse:Reference> element MUST be a child of <wsse:SecurityTokenReference> in <s:Header> for certificate authentication.

wsse:Reference/attributes/URI: The <wsse:Reference> URI attribute is a string

wsse:Reference/attributes/ValueType: The <wsse:Reference> ValueType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509".

Namespace: http://www.w3.org/2000/09/xmldsig

The following elements and attributes are specified in the SOAP body of the request message.

wst:RequestSecurityToken: The <wst:RequestSecurityToken> element MUST be a child of <s:Body>.

wst:TokenType: The <wst:tokentype> element MUST be a child of <wst:RequestSecurityToken> and the value MUST be "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/ Enrollment/DeviceEnrollmentToken" ([WSTrust1.3] section 3.1).

wst:RequestType: The <wst:RequestType> element MUST be a child of <wst:RequestSecurityToken> and the value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue" ([WSTrust1.3] section 3.1).

wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wst:RequestSecurityToken> and MUST contain a base64-encoded certificate signing request.

wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be "http://schemas.microsoft.com/windows/pki/2009/01/ enrollment#PKCS10".

wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary".

The following elements and their values are specified in the SOAP body of the request message.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSEdition".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be set to the decimal value as int of the product enumeration defined in section 2.2.9.6.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSVersion".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be a string (UTF-8) in the format int.int.int.int.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceName".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8)name of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentType.

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that MUST be Full or Device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceType".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF 8) that MUST be WindowsPhone for mobile devices, CIMClient_Windows for desktop devices, or WindowsHandheld for enterprise handheld devices.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ApplicationVersion".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be a string that specifies the application version in the format int.int.int.int.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceID".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value specifies the unique device identifier.

 ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentData"

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value contains the enrollment data.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "MAC". Multiple MAC addresses are supported if a device has multiple NICs.

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that specifies the MAC address of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "IMEI".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is an int that specifies the mobile equipment ID.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "TargetedUserLoggedIn".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is true or false that indicates whether the user is logged in.

The following elements are supported in an implementation-specific manner.<16>

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "Locale".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that specifies the locale of the device.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "HWDevID".

ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a 64-hex character length UTF-8 string that specifies the hardware device ID.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ZeroTouchProvisioning". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that represents a GUID used by Zero Touch Provisioning.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OfflineAutoPilotEnrollmentCorrelator". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that serves as a correlator from the offline registration initiator to the enrollment server. The string length must be greater than 0 and less than or equal to 100, contains alphanumeric character and single hyphen only, and cannot be started with a hyphen.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "UXInitiated".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates whether the enrollment is user-initiated from the Settings page.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ExternalMgmtAgentHint".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string the agent uses to give hints the enrollment server may need.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DomainName".

ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string specifying the fully qualified domain name, if the device is domain-joined.

ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "NotInOobe".<17>

Ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value. When true, indicates to the MDM server that the device is not in the out-of-box-experience (OOBE) mode.

Namespace: http://schemas.xmlsoap.org/ws/2006/12/authorization