Message Transmission

The relying party sends a wsignin1.0 request message by returning an HTTP 302 response to the web browser requestor with the Location field set to the URL of the requestor IP/STS.

All the query string parameters required for the protocol MUST be set properly, as specified in section 2.2.3.

The ad_fs_behavior_level abstract data model (ADM) element is defined in [MS-OAPX] section and is hereafter referred to simply as the AD FS behavior level. [MS-OAPX] section also includes information about how the AD FS behavior level relates to product versions. The following are recommended best practices related to the AD FS behavior level:

  • Upon forwarding the wsignin1.0 request, the resource IP/STS SHOULD use only the parameters that are supported by the requestor IP/STS AD FS behavior level. The resource IP/STS can track the requestor IP/STS AD FS behavior level and choose the forwarding behavior accordingly. Behavior-level tracking is implementation specific.

  • If a resource IP/STS that supports the prompt parameter receives the prompt parameter and knows that the requestor IP/STS does not support the prompt parameter, the resource IP/STS SHOULD send a wsignin1.0 request using the protocol-specific parameters (for example, wfresh and wauth) to facilitate a fresh and interactive authentication.

    Note  Support for the prompt parameter depends on the AD FS behavior level and the product version. See section 2.2.3 for support information. If the parameter is not supported by the AD FS server, it is ignored.
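An added illustration (not part of the specification) of the two steps above: building the HTTP 302 Location that carries a wsignin1.0 request, and choosing the forwarded parameters according to whether the requestor IP/STS behavior level supports the prompt parameter. The STS URL, the tracked support flag, and the prompt-to-wfresh/wauth mapping are assumptions for the example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample endpoint; a real deployment takes this from configuration.
REQUESTOR_STS = "https://sts.contoso.example/adfs/ls/"
# Assumed authentication-method URI for wauth (password-based, interactive).
PASSWORD_AUTH_URI = "urn:oasis:names:tc:SAML:1.0:am:password"


def build_wsignin_redirect(sts_url, params):
    """Return (status, Location) for the 302 that sends a wsignin1.0 request."""
    query = {"wa": "wsignin1.0"}
    query.update(params)
    # Preserve any query string already present on the STS URL.
    sep = "&" if urlsplit(sts_url).query else "?"
    return 302, f"{sts_url}{sep}{urlencode(query)}"


def forward_params(received, requestor_supports_prompt):
    """Choose the query parameters to forward to the requestor IP/STS.

    'prompt' is passed through only when behavior-level tracking says the
    requestor supports it; otherwise prompt=login is translated into the
    protocol-specific parameters wfresh=0 (force fresh authentication) and
    wauth (interactive method). This mapping is an assumption of the example.
    """
    out = {k: v for k, v in received.items() if k != "prompt"}
    prompt = received.get("prompt")
    if prompt is None:
        return out
    if requestor_supports_prompt:
        out["prompt"] = prompt
    elif prompt == "login":
        out["wfresh"] = "0"
        out["wauth"] = PASSWORD_AUTH_URI
    return out


def parse_location(location):
    """Flatten the query of a Location URL into a dict for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}


if __name__ == "__main__":
    incoming = {"wtrealm": "urn:federation:rp", "wctx": "abc123", "prompt": "login"}
    status, loc = build_wsignin_redirect(REQUESTOR_STS, forward_params(incoming, False))
    print(status, loc)
```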