3.4.4.1.1.1.2 RequestSecurityToken using Certificate Authentication
Authentication MUST be implemented for this message as defined in section 3.4. In summary, the following elements and attributes MUST be specified in the SOAP header:
wsse:Security: The <wsse:Security> element MUST be a child of <s:Header>.
u:Timestamp: The <u:Timestamp> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.
u:Created: The <u:Created> element MUST be a child of <u:Timestamp> in <s:Header> for certificate authentication. The value is a date/time.
u:Expires: The <u:Expires> element MUST be a child of <u:Timestamp> in <s:Header> for certificate authentication. The value is a date/time.
wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wsse:Security> in <s:Header>.
wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".
wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary".
ds:Signature: The <ds:Signature> element MUST be a child of <wsse:Security> in <s:Header> for certificate authentication.
ds:SignedInfo: The <ds:SignedInfo> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication.
ds:CanonicalizationMethod: The <ds:CanonicalizationMethod> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.
ds:CanonicalizationMethod/attributes/Algorithm: The <ds:CanonicalizationMethod> Algorithm attribute MUST contain "http://www.w3.org/2001/10/xml-exc-c14n#".
ds:SignatureMethod: The <ds:SignatureMethod> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.
ds:SignatureMethod/attributes/Algorithm: The <ds:SignatureMethod> Algorithm attribute MUST contain "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".
ds:Reference: The <ds:Reference> element MUST be a child of <ds:SignedInfo> in <s:Header> for certificate authentication.
ds:Reference/attributes/URI: The <ds:Reference> URI attribute MUST be "".
ds:Transforms: The <ds:Transforms> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.
ds:Transform: The <ds:Transform> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.
ds:Transform/attributes/Algorithm: The <ds:Transform> Algorithm attribute MUST be "http://www.w3.org/2000/09/xmldsig#enveloped-signature".
ds:DigestMethod: The <ds:DigestMethod> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication.
ds:DigestMethod/attributes/Algorithm: The <ds:DigestMethod> Algorithm attribute MUST be "http://www.w3.org/2001/04/xmlenc#sha256".
ds:DigestValue: The <ds:DigestValue> element MUST be a child of <ds:Reference> in <s:Header> for certificate authentication. The value is a string.
ds:SignatureValue: The <ds:SignatureValue> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication. The value is a string.
ds:KeyInfo: The <ds:KeyInfo> element MUST be a child of <ds:Signature> in <s:Header> for certificate authentication.
wsse:SecurityTokenReference: The <wsse:SecurityTokenReference> element MUST be a child of <ds:KeyInfo> in <ds:Signature> in <s:Header> for certificate authentication.
wsse:Reference: The <wsse:Reference> element MUST be a child of <wsse:SecurityTokenReference> in <s:Header> for certificate authentication.
wsse:Reference/attributes/URI: The <wsse:Reference> URI attribute is a string.
wsse:Reference/attributes/ValueType: The <wsse:Reference> ValueType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509".
Namespace: http://www.w3.org/2000/09/xmldsig
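As an added example (not part of the specification), a server-side check that an inbound request's <wsse:Security> header carries the elements and algorithm URIs this section requires, which is where a replay window (Timestamp) or a downgraded signature algorithm would otherwise slip through. The SOAP 1.2, WS-Security, WS-Security Utility and XMLDSig namespace URIs, and the placement of <ds:Transform> under <ds:Transforms> as in the XMLDSig schema, are assumptions; the sample envelope is constructed and deliberately signs with rsa-sha1 so the check fires.

```python
import xml.etree.ElementTree as ET
# Namespace URIs (SOAP 1.2, WS-Security, WS-Security Utility, XMLDSig); assumed for this example.
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SEC, SIG = "s:Header/wsse:Security", "s:Header/wsse:Security/ds:Signature"
INFO = SIG + "/ds:SignedInfo"
# (path, attribute, required value) taken from the section; attribute None means presence only.
RULES = [
    (SEC + "/u:Timestamp/u:Created", None, None),
    (SEC + "/u:Timestamp/u:Expires", None, None),
    (SEC + "/wsse:BinarySecurityToken", "ValueType",
     "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"),
    (SEC + "/wsse:BinarySecurityToken", "EncodingType", NS["wsse"] + "#base64binary"),
    (INFO + "/ds:CanonicalizationMethod", "Algorithm", "http://www.w3.org/2001/10/xml-exc-c14n#"),
    (INFO + "/ds:SignatureMethod", "Algorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"),
    (INFO + "/ds:Reference", "URI", ""),
    (INFO + "/ds:Reference/ds:Transforms/ds:Transform", "Algorithm", NS["ds"] + "enveloped-signature"),
    (INFO + "/ds:Reference/ds:DigestMethod", "Algorithm", "http://www.w3.org/2001/04/xmlenc#sha256"),
    (SIG + "/ds:SignatureValue", None, None),
    (SIG + "/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", "ValueType",
     "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"),
]

def header_violations(envelope_xml: str) -> list:
    """Return the MUSTs the <s:Header> breaks; an empty list means the header is conformant."""
    root, problems = ET.fromstring(envelope_xml), []
    for path, attr, expected in RULES:
        node, tag = root.find(path, NS), path.rsplit("/", 1)[1]
        if node is None:
            problems.append(f"missing {tag}")  # required element absent
        elif attr is not None and node.get(attr) != expected:
            problems.append(f"{tag}@{attr}={node.get(attr)!r}")  # wrong or absent attribute
    return problems

# Constructed sample header (token and digest bytes are dummies); it signs with rsa-sha1, not rsa-sha256.
SAMPLE = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}" xmlns:u="{NS['u']}" xmlns:ds="{NS['ds']}">
<s:Header><wsse:Security>
 <u:Timestamp><u:Created>2024-01-01T00:00:00Z</u:Created><u:Expires>2024-01-01T00:05:00Z</u:Expires></u:Timestamp>
 <wsse:BinarySecurityToken EncodingType="{NS['wsse']}#base64binary"
  ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken">QUJD</wsse:BinarySecurityToken>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="{NS['ds']}enveloped-signature"/></ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>QUJD</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>QUJD</ds:SignatureValue>
 <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert"
  ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509"/></wsse:SecurityTokenReference></ds:KeyInfo>
 </ds:Signature></wsse:Security></s:Header><s:Body/></s:Envelope>"""
```

Structural checks like these run before any cryptographic verification; a header that passes them still needs its signature and certificate chain verified.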
The following elements and attributes are specified in the SOAP body of the request message.
wst:RequestSecurityToken: The <wst:RequestSecurityToken> element MUST be a child of <s:Body>.
wst:TokenType: The <wst:TokenType> element MUST be a child of <wst:RequestSecurityToken> and the value MUST be "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken" ([WSTrust1.3] section 3.1).
wst:RequestType: The <wst:RequestType> element MUST be a child of <wst:RequestSecurityToken> and the value MUST be "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue" ([WSTrust1.3] section 3.1).
wsse:BinarySecurityToken: The <wsse:BinarySecurityToken> element MUST be a child of <wst:RequestSecurityToken> and MUST contain a base64-encoded certificate signing request.
wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute MUST be "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10".
wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute MUST be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary".
The following elements and their values are specified in the SOAP body of the request message.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSEdition".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be set to the decimal value as int of the product enumeration defined in section 2.2.9.6.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OSVersion".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be a string (UTF-8) in the format int.int.int.int.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceName".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) name of the device.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentType".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that MUST be Full or Device.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceType".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that MUST be WindowsPhone for mobile devices, CIMClient_Windows for desktop devices, or WindowsHandheld for enterprise handheld devices.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ApplicationVersion".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value MUST be a string that specifies the application version in the format int.int.int.int.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DeviceID".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value specifies the unique device identifier.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "EnrollmentData".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value contains the enrollment data.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "MAC". Multiple MAC addresses are supported if a device has multiple NICs.
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a string (UTF-8) that specifies the MAC address of the device.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "IMEI".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is an int that specifies the mobile equipment ID.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "TargetedUserLoggedIn".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is true or false, indicating whether the user is logged in.
The following elements are supported in an implementation-specific manner.<16>
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "Locale".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that specifies the locale of the device.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "HWDevID".
- ac:Value: The <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a 64-character hexadecimal UTF-8 string that specifies the hardware device ID.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ZeroTouchProvisioning". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning.
- ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that represents a GUID used by Zero Touch Provisioning.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "OfflineAutoPilotEnrollmentCorrelator". This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.
- ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that serves as a correlator from the offline registration initiator to the enrollment server. The string length must be greater than 0 and less than or equal to 100; it contains only alphanumeric characters and single hyphens, and cannot start with a hyphen.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "UXInitiated".
- ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value that indicates whether the enrollment is user-initiated from the Settings page.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "ExternalMgmtAgentHint".
- ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string that the agent uses to give hints the enrollment server may need.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "DomainName".
- ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and the value is a UTF-8 string specifying the fully qualified domain name, if the device is domain-joined.
- ac:ContextItem/attributes/Name: The <ac:ContextItem> Name attribute MUST be the literal string "NotInOobe".<17>
- ac:Value: If included, this <ac:Value> element MUST be a child of <ac:AdditionalContext> and MUST be a boolean value. When true, it indicates to the MDM server that the device is not in the out-of-box-experience (OOBE) mode.
Namespace: http://schemas.xmlsoap.org/ws/2006/12/authorization
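An added example, not part of the specification, that parses an <ac:AdditionalContext> fragment and checks each context value against the constraints listed above (dotted version format, enumerated values, booleans, the HWDevID length, the correlator rules), so that a server rejects malformed device context before acting on it. It assumes <ac:Value> sits inside its <ac:ContextItem> and reads "single hyphen only" as no consecutive hyphens; the sample fragment is constructed, with two deliberately malformed values.

```python
import re
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/ws/2006/12/authorization"}  # namespace given in the section
DOTTED = re.compile(r"^\d+\.\d+\.\d+\.\d+$")  # int.int.int.int
# Alphanumeric with non-consecutive hyphens and no leading hyphen; "single hyphen only" read that way here.
CORRELATOR = re.compile(r"^[A-Za-z0-9](?:-?[A-Za-z0-9])*$")
BOOL = ("true", "false")
# Value constraints this section states, per ContextItem Name; names with no entry are passed through.
CHECKS = {
    "OSEdition": str.isdigit,
    "OSVersion": lambda v: DOTTED.match(v) is not None,
    "ApplicationVersion": lambda v: DOTTED.match(v) is not None,
    "EnrollmentType": lambda v: v in ("Full", "Device"),
    "DeviceType": lambda v: v in ("WindowsPhone", "CIMClient_Windows", "WindowsHandheld"),
    "IMEI": str.isdigit,
    "TargetedUserLoggedIn": lambda v: v in BOOL,
    "UXInitiated": lambda v: v in BOOL,
    "NotInOobe": lambda v: v in BOOL,
    "HWDevID": lambda v: len(v) == 64 and all(c in "0123456789abcdefABCDEF" for c in v),
    "OfflineAutoPilotEnrollmentCorrelator": lambda v: 0 < len(v) <= 100 and CORRELATOR.match(v) is not None,
}

def context_items(body_xml: str) -> dict:
    """Map each ContextItem Name to its list of Value texts (MAC may repeat, one item per NIC).
    Assumes <ac:Value> sits inside its <ac:ContextItem>, the usual layout of AdditionalContext."""
    items = {}
    for item in ET.fromstring(body_xml).iterfind(".//ac:ContextItem", NS):
        value = item.find("ac:Value", NS)
        items.setdefault(item.get("Name"), []).append("" if value is None else (value.text or ""))
    return items

def context_violations(body_xml: str) -> list:
    """Return 'Name=value' for every context value that breaks a constraint from this section."""
    return [f"{name}={v}" for name, values in context_items(body_xml).items()
            for v in values if name in CHECKS and not CHECKS[name](v)]

# Constructed sample body fragment: OSVersion has only three parts and EnrollmentType is lower-case.
SAMPLE = f"""<ac:AdditionalContext xmlns:ac="{NS['ac']}">
 <ac:ContextItem Name="OSEdition"><ac:Value>4</ac:Value></ac:ContextItem>
 <ac:ContextItem Name="OSVersion"><ac:Value>10.0.19041</ac:Value></ac:ContextItem>
 <ac:ContextItem Name="DeviceName"><ac:Value>LAB-PC-01</ac:Value></ac:ContextItem>
 <ac:ContextItem Name="EnrollmentType"><ac:Value>full</ac:Value></ac:ContextItem>
 <ac:ContextItem Name="DeviceType"><ac:Value>CIMClient_Windows</ac:Value></ac:ContextItem>
 <ac:ContextItem Name="MAC"><ac:Value>00-11-22-33-44-55</ac:Value></ac:ContextItem>
 <ac:ContextItem Name="MAC"><ac:Value>66-77-88-99-AA-BB</ac:Value></ac:ContextItem>
 <ac:ContextItem Name="TargetedUserLoggedIn"><ac:Value>true</ac:Value></ac:ContextItem>
 <ac:ContextItem Name="OfflineAutoPilotEnrollmentCorrelator"><ac:Value>corr-1234</ac:Value></ac:ContextItem>
</ac:AdditionalContext>"""
```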