3.1.4.1 Authentication

The RMS system uses the user's email address as a canonical identifier when specifying identities, rights, and policies. The server MUST authenticate the end user making the client request for the Certify method so that it can retrieve the user's email address from a directory or by other means, and include it in the RAC. The user's email address MUST be included in the RAC. See [RFC822] for the correct format of an email address.

The server SHOULD authenticate the end user making the FindServiceLocationsForUser method so that it can find the appropriate server for the user from the directory.

The server SHOULD<28> also support Microsoft Web Browser Federated Sign-On authentication, as specified in [MS-MWBF]. The client can follow the active client profile for Microsoft Web Browser Federated Sign-On. If Microsoft Web Browser Federated Sign-On authentication is used, the email address of the authenticated user MUST be made available to the server during the Certify request.
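
The Certify requirement above, written as a fail-closed server-side check: no RAC email is returned unless the caller is authenticated and a well-formed address is available from the directory or, for federated sign-on, from the request itself. This is an added example, not part of the specification or of any RMS implementation; the function name, the dictionary standing in for a directory, the "email" claim key and the simplified address pattern are all assumptions.

```python
import re
from typing import Mapping, Optional

# Simplified addr-spec pattern (local-part@domain). Assumption: a conservative
# subset of the RFC 822 grammar; quoted local parts and domain literals are refused.
_ADDR_SPEC = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class CertifyAuthError(Exception):
    """The Certify request cannot be bound to an authenticated user's email."""


def resolve_rac_email(
    principal: Optional[str],
    directory: Mapping[str, str],
    federated_claims: Optional[Mapping[str, str]] = None,
) -> str:
    """Return the email address to place in the RAC, or fail closed.

    principal        -- identity established by the transport's authentication
                        (None means the caller was not authenticated)
    directory        -- hypothetical principal -> email lookup (directory stand-in)
    federated_claims -- hypothetical claims from federated sign-on ("email" key assumed)
    """
    if not principal:
        raise CertifyAuthError("Certify requires an authenticated end user")

    if federated_claims is not None:
        # Federated sign-on: the email must be available with the request itself,
        # so there is no silent fallback to the directory.
        email = federated_claims.get("email")
        source = "federated claims"
    else:
        email = directory.get(principal)
        source = "directory"

    if not email:
        raise CertifyAuthError(f"no email address available from {source}")
    if not _ADDR_SPEC.fullmatch(email):
        raise CertifyAuthError(f"email from {source} is not a valid address")
    return email


# Constructed sample data, not taken from any real deployment.
SAMPLE_DIRECTORY = {"CONTOSO\\alice": "alice@contoso.example", "CONTOSO\\svc": ""}
```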