Export (0) Print
Expand All

Security Protocols version 1.0

The Web Services Security Protocols provide Web services security mechanisms that cover all existing enterprise messaging security requirements. This section describes the Windows Communication Foundation (WCF) version 1.0 details (implemented in the SecurityBindingElement) for the following Web services security protocols.

Specification/Document

Link

WSS: SOAP Message Security 1.0

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

WSS: Username Token Profile 1.0

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf

WSS: X509 Token Profile 1.0

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf

WSS: SAML 1.1 Token Profile 1.0

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf

WSS: SOAP Message Security 1.1

http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf

WSS Username Token Profile 1.1

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf

WSS: X.509 Token Profile 1.1

http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf

WSS: Kerberos Token Profile 1.1

http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdf

WSS: SAML 1.1 Token Profile 1.1

http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf

WS-Secure Conversation

http://msdn.microsoft.com/ws/2005/02/ws-secure-conversation/

WS-Trust

http://msdn.microsoft.com/ws/2005/02/ws-trust/

Application Note:

Using WS-Trust for TLS Handshake

To be published

Application Note:

Using WS-Trust for SPNEGO

To be published

Application Note:

Web Services Addressing Endpoint References And Identity

To be published

WS-SecurityPolicy 1.1

(2005/07)

http://msdn.microsoft.com/ws/2005/07/ws-security-policy/

as amended by errata submitted to OASIS WS-SX Technical Committee http://www.oasis-open.org/archives/ws-sx/200512/msg00017.html

WCF, version 1, provides 17 authentication modes that can be used as the basis for Web services security configuration. Each mode is optimized for a common set of deployment requirements, such as:

  • Credentials used to authenticate client and service.

  • Message or transport security protection mechanisms.

  • Message exchange patterns.

Authentication Mode

Client Authentication

Server Authentication

Mode

UserNameOverTransport

User name/password

X509

Transport

CertificateOverTransport

X509

X509

Transport

KerberosOverTransport

Windows

X509

Transport

IssuedTokenOverTransport

Federated

X509

Transport

SspiNegotiatedOverTransport

Windows Sspi Negotiated

Windows Sspi Negotiated

Transport

AnonymousForCertificate

None

X509

Message

UserNameForCertificate

User name/password

X509

Message

MutualCertificate

X509

X509

Message

MutualCertificateDuplex

X509

X509

Message

IssuedTokenForCertificate

Federated

X509

Message

Kerberos

Windows

Windows

Message

IssuedToken

Federated

Federated

Message

SspiNegotiated

Windows Sspi Negotiated

Windows Sspi Negotiated

Message

AnonymousForSslNegotiated

None

X509, TLS-Nego

Message

UserNameForSslNegotiated

User name/password

X509, TLS-Nego

Message

MutualSslNegotiated

X509

X509, TLS-Nego

Message

IssuedTokenForSslNegotiated

Federated

X509, TLS-Nego

Message

Endpoints using such authentication modes can express their security requirements using WS-SecurityPolicy (WS-SP). This document describes the structure of security header and infrastructure messages for each authentication mode and provides examples of policies and messages.

WCF leverages WS-SecureConversation to provide secure sessions support to protect multi-message exchanges between applications. See "Secure Sessions" below for implementation details.

In addition to authentication modes, WCF provides settings to control common protection mechanisms that apply to most message security-based authentication modes, for example: order of signature versus encryption operations, algorithm suites, key derivation, and signature confirmation.

The following prefixes and namespaces are used in this document.

Prefix

Namespace

s

http://www.w3.org/2003/05/soap-envelope

sp

http://schemas.xmlsoap.org/ws/2005/07/securitypolicy

a

http://www.w3.org/2005/08/addressing

wsse

TBD – OASIS WSS 1.0 URI

wsse11

TBD – OASIS WSS 1.1 URI

wsu

TBD – OASIS WSS 1.0 Utility URI

ds

TBD – W3C XMLDSig URI

wst

TBD – WS-Trust 2005/02 URI

wssc

TBD – WS-SecureConversation 2005/02 URI

wsaw

TBD - WS-Addressing policy namespace

wsp

http://schemas.xmlsoap.org/ws/2004/09/policy

mssp

http://schemas.microsoft.com/ws/2005/07/securitypolicy

Web Services Security specifications represent credential as security tokens. WCF supports the following token types:

Bb885188.collapse_all(en-us,VS.110).gif1.1 UsernameToken

WCF follows UsernameToken10 and UsernameToken11 profiles with the following constraints:

R1101 PasswordType attribute on UsernameToken\Password element MUST be either omitted or have value #PasswordText (default).

One can implement the #PasswordDigest using extensibility. It has been observed that #PasswordDigest was often mistaken to be a secure enough password protection mechanism. But #PasswordDigest cannot serve as a substitute for encryption of the UsernameToken. The primary goal of #PasswordDigest is protection against replay attacks. In WCF authentication modes, replay attack threats are mitigated by using message signatures.

B1102 WCF never emits Nonce and Created sub-elements of the UsernameToken.

These sub-elements are intended to help replay detection. WCF uses message signatures instead.

OASIS WSS SOAP Message Security UsernameToken Profile 1.1 (UsernameToken11) introduced key derivation from password feature.

B1103 UsernameToken password MUST not be used for key derivation and therefore for cryptographic operations.

Rationale: passwords are generally considered too weak to be used for cryptographic operations.

Bb885188.collapse_all(en-us,VS.110).gif1.2 X509 Token

WCF supports X509v3 certificates as a credential type and follows X509TokenProfile1.0 and X509TokenProfile1.1 with the following constraints:

R1201 The ValueType attribute on the BinarySecurityToken element must have value #X509v3 when it contains an X509v3 certificate.

WSS X509 Token Profile 1.0 and 1.1 define also #X509PKIPathv1 and #PKCS7 as value types. WCF does not support these types.

R1202 If a SubjectKeyIdentifier (SKI) extension is present in an X509 certificate, wsse:KeyIdentifier should be used for external references to the token, with the ValueType attribute as #X509SubjectKeyIdentifier and its content the base64-encoded value of certificate's SKI extension.

SKI references are widely implemented and proven to be a highly interoperable external reference type.

R1203 An external Reference to X509 Security Token SHOULD NOT use ds:X509IssuerSerial.

R1204 If X509TokenProfile1.1 is in use, an external reference to X509 Security Token SHOULD use the thumbprint introduced by WS-Security 1.1.

WCF supports X509IssuerSerial. However There are interoperability issues with X509IssuerSerial: WCF uses a string to compare two values of X509IssuerSerial. Therefore if one reorders components of the Subject Name and sends to an WCF service a reference to a certificate, it may not be found.

Bb885188.collapse_all(en-us,VS.110).gif1.3 Kerberos Token

WCF supports KerberosTokenProfile1.1 for the purpose of Windows authentication with the following constraints:

R1301 A Kerberos Token must carry the value of a GSS wrapped Kerberos v4 AP_REQ as defined in GSS_API and the Kerberos specification, and must have the ValueType attribute with the value #GSS_Kerberosv5_AP_REQ.

WCF uses GSS wrapped Kerberos AP-REQ, not a bare AP-REQ. This is a security best practice.

Bb885188.collapse_all(en-us,VS.110).gif1.4 SAML v1.1 Token

WCF supports WSS SAML Token profiles 1.0 and 1.1 for SAML v1.1 tokens. It is possible to implement other versions of SAML token formats.

Bb885188.collapse_all(en-us,VS.110).gif1.5 Security Context Token

WCF supports the Security Context Token (SCT) introduced in WS-SecureCoversation. SCT is used to represent a security context established in SecureConversation as well as the binary negotiation protocols TLS and SSPI, described below.

Bb885188.collapse_all(en-us,VS.110).gif2.1 TimeStamp

Timestamp presence is controlled using the IncludeTimestamp property of the SecurityBindingElement class. WCF always serializes wsse:TimeStamp with wsse:Created and wsse:Expires fields. The wsse:TimeStamp is always signed when signing is used.

Bb885188.collapse_all(en-us,VS.110).gif2.2 Protection Order

WCF supports the message protection order "Sign Before Encrypt" and "Encrypt Before Sign" (Security Policy 1.1). "Sign Before Encrypt" is recommended for reasons including: messages protected with Encrypt Before Sign are open to signature substitution attacks unless the WS-Security 1.1 SignatureConfirmation mechanism is used, and a signature over encrypted content makes auditing harder.

Bb885188.collapse_all(en-us,VS.110).gif2.3 Signature Protection

When Encrypt Before Sign is used, it is recommended to protect the signature to prevent brute force attacks for guessing the encrypted content or the signing key (especially when a custom token is used with weak key material).

Bb885188.collapse_all(en-us,VS.110).gif2.4 Algorithm Suite

WCF supports all algorithm suites listed in Security Policy 1.1.

Bb885188.collapse_all(en-us,VS.110).gif2.5 Key Derivation

WCF uses "Key Derivation for symmetric keys" as described in WS-SecureConversation.

Bb885188.collapse_all(en-us,VS.110).gif2.6 Signature Confirmation

Signature confirmation can be as protection from middle man attacks to protect the set of signatures.

Bb885188.collapse_all(en-us,VS.110).gif2.7 Security Header Layout

Each authentication mode describes a certain layout for the security header. Elements within the security header are semi-ordered. To define the order of security header child elements, WS-Security Policy defines the following security header layout modes:

Strict

Items are added to the security header following the numbered layout rules described in Security Policy section 7.7.1 according to a general principle of "declare before use".

Lax

Items are added to the security header in any order that conforms to WSS: SOAP Message Security.

LaxTimestampFirst

Same as Lax except that the first item in the security header must be a wsse:Timestamp

LaxTimestampLast

Same as lax except that the last item in the security header must be a wsse:Timestamp

WCF supports all four modes for security header layout. Security header structure and message examples for authentication modes below follow the "Strict" mode.

This section provides example policies for each authentication mode along with examples showing security header structure in messages exchanged by client and service.

Bb885188.collapse_all(en-us,VS.110).gif6.1 Transport Protection

WCF provides five authentication modes that use secure transport to protect messages; UserNameOverTransport, CertificateOverTransport, KerberosOverTransport, IssuedTokenOverTransport and SspiNegotiatedOverTransport.

These authentication modes are constructed using the transport binding described in SecurityPolicy. For the UserNameOverTransport authentication mode the UsernameToken is a signed supporting token. For the other authentication modes the token appears as a signed endorsing token. Appendix C.1.2 and C.1.3 of SecurityPolicy describe the security header layout in detail. The following example security headers show the Strict layout for a given authentication mode.

The value of the "Derived Keys" property for the tokens in all cases is "false".

The values of the various properties of the transport binding are as follows:

Timestamp: true

Security Header Layout: Strict

Algorithm Suite: Basic256

Bb885188.collapse_all(en-us,VS.110).gif6.1.1 UsernameOverTransport

With this authentication mode, the client authenticates with a Username Token which appears at the SOAP layer as a signed supporting token that is always sent from the initiator to the recipient. The service is authenticated using an X.509 certificate at the transport layer. The binding used is a transport binding.

Policy

<wsp:Policy wsu:Id='UsernameOverTransport_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:TransportBinding >        <wsp:Policy>          <sp:TransportToken>            <wsp:Policy>              <sp:HttpsToken RequireClientCertificate='false' />             </wsp:Policy>          </sp:TransportToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />         </wsp:Policy>      </sp:TransportBinding>      <sp:SignedSupportingTokens >        <wsp:Policy>          <sp:UsernameToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >            <wsp:Policy>              <sp:WssUsernameToken10 />             </wsp:Policy>          </sp:UsernameToken>        </wsp:Policy>      </sp:SignedSupportingTokens>      <sp:Wss11 >        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10 >        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Security Header Layout

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">  ...  </wsu:Timestamp>  <wsse:UsernameToken ... >  ...  </wsse:UsernameToken></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">  ...  </wsu:Timestamp></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.1.2 CertificateOverTransport

With this authentication mode the client authenticates using an X.509 certificate which appears at the SOAP layer as an endorsing supporting token that is always sent from the initiator to the recipient. The service is authenticated using an X.509 certificate at the transport layer. The binding used is a transport binding.

Policy

<wsp:Policy wsu:Id='CertificateOverTransport_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:TransportBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy' >        <wsp:Policy>          <sp:TransportToken>            <wsp:Policy>             <sp:HttpsToken RequireClientCertificate='false' />             </wsp:Policy>          </sp:TransportToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />         </wsp:Policy>      </sp:TransportBinding>      <sp:EndorsingSupportingTokens>        <wsp:Policy>          <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >            <wsp:Policy>              <sp:RequireThumbprintReference />               <sp:WssX509V3Token10 />             </wsp:Policy>          </sp:X509Token>          <sp:SignedParts>            <sp:Header Name='To' Namespace='http://www.w3.org/2005/08/addressing' />           </sp:SignedParts>        </wsp:Policy>      </sp:EndorsingSupportingTokens>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Security Header Layout

Request

<wsse:Security s:mustUnderstand="1">  <wse:Timestamp u:Id="_0">  ...  </wse:Timestamp>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <ds:Signature>  ...  </ds:Signature></wsse:Security>

Response

<o:Security>  <u:Timestamp u:Id="_0">  ...  </u:Timestamp></o:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.1.3 IssuedTokenOverTransport

With this authentication mode the client does not authenticate to the service, as such, but rather presents a token issued by a Security Token Service (STS) and proves knowledge of a shared key. The issued token appears at the SOAP layer as an endorsing supporting token that is always sent from the initiator to the recipient. The service is authenticated using an X.509 certificate at the transport layer. The binding is a transport binding.

Policy

<wsp:Policy wsu:Id='IssuedTokenOverTransport_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:TransportBinding >        <wsp:Policy>          <sp:TransportToken>            <wsp:Policy>              <sp:HttpsToken RequireClientCertificate='false' />             </wsp:Policy>          </sp:TransportToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />         </wsp:Policy>      </sp:TransportBinding>      <sp:EndorsingSupportingTokens>        <wsp:Policy>          <sp:IssuedToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >            <sp:RequestSecurityTokenTemplate>              <wst:KeyType>              http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey              </wst:KeyType>             </sp:RequestSecurityTokenTemplate>            <wsp:Policy>              <sp:RequireInternalReference />             </wsp:Policy>          </sp:IssuedToken>          <sp:SignedParts>            <sp:Header Name='To' Namespace='http://www.w3.org/2005/08/addressing' />           </sp:SignedParts>        </wsp:Policy>      </sp:EndorsingSupportingTokens>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Security Header Layout

Request

<wsse:Security s:mustUnderstand="1" >  <wsu:Timestamp>  ...  </wsu:Timestamp>  <saml:Assertion ...>  ...  </saml:Assertion>  <ds:Signature>  ...  </ds:Signature></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.1.4 KerberosOverTransport

With this authentication mode the client authenticates to the service using a Kerberos ticket. The Kerberos token appears at the SOAP layer as an endorsing supporting token. The service is authenticated using an X.509 certificate at the transport layer. The binding is a transport binding.

Policy

<wsp:Policy wsu:Id='KerberosOverTransport_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:TransportBinding>        <wsp:Policy>          <sp:TransportToken>            <wsp:Policy>              <sp:HttpsToken RequireClientCertificate='false' />             </wsp:Policy>          </sp:TransportToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic128 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />         </wsp:Policy>      </sp:TransportBinding>      <sp:EndorsingSupportingTokens>        <wsp:Policy>          <sp:KerberosTokensp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once' >            <wsp:Policy>              <sp:WssGssKerberosV5ApReqToken11 />             </wsp:Policy>          </sp:KerberosToken>          <sp:SignedParts>            <sp:Header Name='To' Namespace='http://www.w3.org/2005/08/addressing' />           </sp:SignedParts>        </wsp:Policy>      </sp:EndorsingSupportingTokens>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Security Header Layout

Request

<wsse:Security s:mustUnderstand="1" >  <wsu:Timestamp u:Id="_0">  ...  </wsu:Timestamp>  <wsse:BinarySecurityToken ValueType="...#GSS_Kerberosv5_AP_REQ">  ...  </wsse:BinarySecurityToken>  <ds:Signature>  ...  </ds:Signature></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.1.5 SspiNegotiatedOverTransport

With this mode a negotiation protocol is used to perform client and server authentication. Kerberos is used if possible, otherwise NTLM. The resulting SCT appears at the SOAP layer as an endorsing supporting token that is always sent from initiator to recipient. The service is additionally authenticated at the transport layer by an X.509 certificate. The binding used is a transport binding. "SPNEGO" (negotiation) describes how WCF uses SSPI binary negotiation protocol with WS-Trust. Security header examples in this section are after the SCT has been established through the SPNEGO handshake.

Policy

<wsp:Policy wsu:Id='SspiNegotiatedOverTransport_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:TransportBinding>        <wsp:Policy>          <sp:TransportToken>            <wsp:Policy>              <sp:HttpsToken RequireClientCertificate='false' />             </wsp:Policy>          </sp:TransportToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />         </wsp:Policy>      </sp:TransportBinding>      <sp:EndorsingSupportingTokens>        <wsp:Policy>          <sp:SpnegoContextToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >            <wsp:Policy />           </sp:SpnegoContextToken>          <sp:SignedParts>            <sp:Header Name='To' Namespace='http://www.w3.org/2005/08/addressing' />           </sp:SignedParts>        </wsp:Policy>      </sp:EndorsingSupportingTokens>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples

Once the Security Context Token is established through SPNEGO handshake using WS-Trust Binary Negotiation, the application messages have security headers with the following structure.

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wssc:SecurityContextToken u:Id="uuid-2202746a-7725-453d-8747-809cb718dab0-29" >  ...  </wssc:SecurityContextToken>  <ds:Signature>  ...  </ds:Signature></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">  ...  </wsu:Timestamp></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.2 Using X.509 Certificates for Service Authentication

This section describes the following authentication modes: MutualCertificate WSS1.0, Mutual CertificateDuplex, MutualCertificate WSS1.1, AnonymousForCertificate, UserNameForCertificate and IssuedTokenForCertificate.

Bb885188.collapse_all(en-us,VS.110).gif6.2.1 MutualCertificate WSS1.0

With this authentication mode the client authenticates using an X.509 certificate which appears at the SOAP layer as the initiator token. The service is also authenticated using an X.509 certificate.

The binding used is an asymmetric binding with the following property values:

Initiator Token: the client’s X.509 certificate, with inclusion mode set to …/IncludeToken/AlwaysToRecipient

Recipient Token: Server’s X.509 Certificate, with inclusion mode is set …/IncludeToken/Never

Token Protection: False

Entire Header And Body Signatures: True

Protection Order: SignBeforeEncrypt

Encrypt Signature: True

Policy

<wsp:Policy wsu:Id='MutualCertificate_WSS10_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:AsymmetricBinding>        <wsp:Policy>          <sp:InitiatorToken>            <wsp:Policy>              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >                <wsp:Policy>                  <sp:WssX509V3Token10 />                 </wsp:Policy>              </sp:X509Token>            </wsp:Policy>          </sp:InitiatorToken>          <sp:RecipientToken>            <wsp:Policy>              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never' >                <wsp:Policy>                  <sp:WssX509V3Token10 />                 </wsp:Policy>              </sp:X509Token>            </wsp:Policy>          </sp:RecipientToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />           <sp:EncryptSignature />           <sp:OnlySignEntireHeadersAndBody />         </wsp:Policy>      </sp:AsymmetricBinding>      <sp:Wss10>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />         </wsp:Policy>      </sp:Wss10>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <xenc:EncryptedKey>  ...    <xenc:ReferenceList>    ...    </xenc:ReferenceList>  </xenc:EncryptedKey>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...    <xenc:ReferenceList>    ...    </xenc:ReferenceList>  </xenc:EncryptedKey>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Security Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.2.2 MutualCertificateDuplex

With this authentication mode the client authenticates using an X.509 certificate which appears at the SOAP layer as the initiator token. The service is also authenticated using an X.509 certificate.

The binding used is an asymmetric binding with the following property values:

Initiator Token: Client’s X509 Certificate, inclusion mode is set to …/IncludeToken/AlwaysToRecipient

Recipient Token: Server’s X509 Certificate, inclusion mode is set to …/IncludeToken/AlwaysToInitiator

Token Protection: False

Entire Header And Body Signatures: True

Protection Order: SignBeforeEncrypt

Encrypt Signature: True

Policy

<wsp:Policy wsu:Id='MutualCertificateDuplex_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:AsymmetricBinding>        <wsp:Policy>          <sp:InitiatorToken>            <wsp:Policy>              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >                <wsp:Policy>                  <sp:WssX509V3Token10 />                 </wsp:Policy>              </sp:X509Token>            </wsp:Policy>          </sp:InitiatorToken>          <sp:RecipientToken>            <wsp:Policy>              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToInitiator' >                <wsp:Policy>                  <sp:WssX509V3Token10 />                 </wsp:Policy>              </sp:X509Token>            </wsp:Policy>          </sp:RecipientToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />           <sp:EncryptSignature />           <sp:OnlySignEntireHeadersAndBody />         </wsp:Policy>      </sp:AsymmetricBinding>      <sp:Wss10>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />         </wsp:Policy>      </sp:Wss10>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request and Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <xenc:EncryptedKey>  ...    <xenc:ReferenceList>    ...    </xenc:ReferenceList>  </xenc:EncryptedKey>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request and Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.2.3 Using SymmetricBinding with X.509 Service Authentication

"WSS10" provided limited support for scenarios with X509 tokens. For example, there was no way to provide signature and encryption protection for messages using only service X509 token. "WSS11" introduced the usage of EncryptedKey as a symmetric token. Now a temporary key encrypted for the service's X.509 certificate could be used for both request and response messages protection. The authentication modes described in the section 6.4 below use this pattern.

WS-SecurityPolicy describes this pattern using SymmetricBinding with Service X509 token as the protection token.

Authentication modes AnonymousForCertificate, UsernameForCertificate, MutualCertificate WSS11 and IssuedTokenForCertificate all use a similar instance of sp:SymmetricBinding with the following property values:

Protection Token: Server’s X509 Certificate, inclusion mode is set to .../IncludeToken/Never
Token Protection: False

Entire Header And Body Signatures: True

Protection Order: SignBeforeEncrypt

Encrypt Signature: True

The above authentication modes only differ by the supporting tokens they use. AnonymousForCertificate does not have any supporting tokens, MutualCertificate WSS 1.1 has the client’s X509 certificate as an endorsing supporting tokens, UserNameForCertificate has a UserName Token as a signed supporting token and IssuedTokenForCertificate has the issued token as an endorsing supporting token.

Policy

Symmetric Binding

<wsp:Policy wsu:Id='SymmetricCert_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:SymmetricBinding>        <wsp:Policy>          <sp:ProtectionToken>            <wsp:Policy>              <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never' >                <wsp:Policy>                  <sp:RequireDerivedKeys />                   <sp:RequireThumbprintReference />                   <sp:WssX509V3Token10 />                 </wsp:Policy>              </sp:X509Token>            </wsp:Policy>          </sp:ProtectionToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />           <sp:EncryptSignature />           <sp:OnlySignEntireHeadersAndBody />        </wsp:Policy>      </sp:SymmetricBinding>      <!-- Supporting Token Assertions appear here -->      ...      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />           <sp:RequireSignatureConfirmation />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gif6.2.4 AnonymousForCertificate

With this authentication mode the client is anonymous and the service is authenticated using an X.509 certificate. The binding used is an instance of symmetric binding as described in 6.4.2.

Policy

See "Policy" in 6.2.3 above for binding details

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wsse11:SignatureConfirmation />  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.2.5 UserNameForCertificate

With this authentication mode the client authenticates to the service using a Username Token which appears at the SOAP layer as a signed supporting token. The service authenticates to the client using an X.509 certificate. The binding used is a symmetric binding with the protection token being a key generated by the client, encrypted with the public key of the service.

Policy

See "Policy" in 6.2.3 above for binding details

Signed Supporting Token

<sp:SignedSupportingTokens>  <wsp:Policy>    <sp:UsernameToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >      <wsp:Policy>        <sp:WssUsernameToken10 />       </wsp:Policy>    </sp:UsernameToken>  </wsp:Policy></sp:SignedSupportingTokens>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.2.6 MutualCertificate (WSS 1.1)

With this authentication mode the client authenticates using an X.509 certificate which appears at the SOAP layer as an endorsing supporting token. The service is also authenticated using an X.509 certificate. The binding used is a symmetric binding with the protection token being a key generated by the client, encrypted with the public key of the service.

Policy

See Policy in 6.2.3 for binding details

Endorsing Supporting Token

<sp:EndorsingSupportingTokens>  <wsp:Policy>    <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >      <wsp:Policy>        <sp:RequireThumbprintReference />         <sp:WssX509V3Token10 />       </wsp:Policy>    </sp:X509Token>  </wsp:Policy></sp:EndorsingSupportingTokens>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <ds:Signature>  ...  </ds:Signature>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wsse11:SignatureConfirmation />  <wsse11:SignatureConfirmation />  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.2.7 IssuedTokenForCertificate

With this authentication mode the client does not authenticate to the service, as such, but instead presents a token issued by a STS and proves knowledge of a shared key. The issued token appears at the SOAP layer as an endorsing supporting token. The service authenticates to the client using an X.509 certificate. The binding used is a symmetric binding with the protection token being a key generated by the client, encrypted with the public key of the service.

Policy

See Policy in 6.2.3 above for binding details

Endorsing Supporting Token

<sp:EndorsingSupportingTokens>  <wsp:Policy>    <sp:IssuedToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >      <sp:RequestSecurityTokenTemplate>        <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey       </wst:KeyType>     </sp:RequestSecurityTokenTemplate>     <wsp:Policy>       <sp:RequireDerivedKeys />        <sp:RequireInternalReference />      </wsp:Policy>   </sp:IssuedToken>  </wsp:Policy></sp:EndorsingSupportingTokens>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <saml:Assertion>  ...  </saml:Assertion>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <xenc:EncryptedKey>  ...  </xenc:EncryptedKey>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <saml:Assertion>  ...  </saml:Assertion>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp u:Id="_0">
  ...  </wsu:Timestamp>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wssc:DerivedKeyToken>  ...  </wssc:DerivedKeyToken>  <wsse11:SignatureConfirmation />  <wsse11:SignatureConfirmation />  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

With this authentication mode the client authenticates to the service using a Kerberos ticket. That same ticket also provides server authentication. The binding used is a symmetric binding with the following properties;

Protection Token: Kerberos Ticket, inclusion mode is set to .../IncludeToken/Once
Token Protection: False

Entire Header And Body Signatures: True

Protection Order: SignBeforeEncrypt

Encrypt Signature: True

Policy

<wsp:Policy wsu:Id='Kerberos_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:SymmetricBinding>        <wsp:Policy>          <sp:ProtectionToken>            <wsp:Policy>              <sp:KerberosToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Once' >                <wsp:Policy>                  <sp:RequireDerivedKeys />                   <sp:WssGssKerberosV5ApReqToken11 />                 </wsp:Policy>              </sp:KerberosToken>            </wsp:Policy>          </sp:ProtectionToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic128 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />           <sp:EncryptSignature />           <sp:OnlySignEntireHeadersAndBody />         </wsp:Policy>      </sp:SymmetricBinding>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsse:BinarySecurityToken>  ...  </wsse:BinarySecurityToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>  

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>TBD</wsse:Security>

Response

<wsse:Security>TBD</wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.4 IssuedToken

With this authentication mode the client does not authenticate to the service, as such, rather the client presents a token issued by an STS and proves knowledge of a shared key. The service is not authenticated to the client, as such, instead the STS encrypts the shared key as part of the issued token such that only the service can decrypt the key. The binding used is as symmetric binding with the following properties;

Protection Token: Issued Token, inclusion mode is set to .../IncludeToken/AlwaysToRecipient
Token Protection: False

Entire Header And Body Signatures: True

Protection Order: SignBeforeEncrypt

Encrypt Signature: True

Policy

<wsp:Policy wsu:Id='CustomBinding_ISimple3_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:SymmetricBinding>        <wsp:Policy>          <sp:ProtectionToken>            <wsp:Policy>              <sp:IssuedToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >                <sp:RequestSecurityTokenTemplate>                  <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey                  </wst:KeyType>                 </sp:RequestSecurityTokenTemplate>                <wsp:Policy>                  <sp:RequireDerivedKeys />                   <sp:RequireInternalReference />                 </wsp:Policy>              </sp:IssuedToken>            </wsp:Policy>          </sp:ProtectionToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />           <sp:EncryptSignature />           <sp:OnlySignEntireHeadersAndBody />         </wsp:Policy>      </sp:SymmetricBinding>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <saml:Assertion>  ...  </saml:Assertion>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>  

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <saml:Assertion>  ...  </saml:Assertion>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.5 Using SslNegotiated for Service Authentication

This section describes a group of authentication modes that use a symmetric binding with the protection token being a Security Context Token per WS-SecureConversation (WS-SC) whose key value is negotiated by executing the TLS protocol over WS-Trust (WS-T) RST/RSTR messages. Details of the TLS handshake implementation using WS-Trust are described in TLSNEGO. Here in the message examples we will assume that SCT with an associated security context is already established through a handshake.

The binding used is a symmetric binding with the following properties;

Protection Token: SslContextToken, inclusion mode is set to .../IncludeToken/Never
Token Protection: False

Entire Header And Body Signatures: True

Protection Order: SignBeforeEncrypt

Encrypt Signature: True

Bb885188.collapse_all(en-us,VS.110).gif6.5.1 Policy for SslNegotiated service authentication

Policy for all authentication modes in this section are similar and differ only by specific signed supporting or endorsing tokens used.

<wsp:Policy wsu:Id='SslNegotiated_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:SymmetricBinding>        <wsp:Policy>          <sp:ProtectionToken>            <wsp:Policy>              <mssp:SslContextToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' />                <wsp:Policy>                  <sp:RequireDerivedKeys />                 </wsp:Policy>              </mssp:SslContextToken>            </wsp:Policy>          </sp:ProtectionToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />           <sp:EncryptSignature />           <sp:OnlySignEntireHeadersAndBody />         </wsp:Policy>      </sp:SymmetricBinding>      <!-- Supporting token assertions go here -->      ..      <sp:Wss11>         <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gif6.5.2 AnonymousForSslNegotiated

With this authentication mode the client is anonymous and the service is authenticated using an X.509 certificate. The binding used is an instance of symmetric binding as described in 6.5.1 above.

Policy

See Policy in 6.5.1 above for binding details.

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>  

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.5.3 UserNameForSslNegotiated

With this authentication mode the client is authenticates using a Username Token which appears at the SOAP layer as a signed supporting token. The service is authenticated using an X.509 certificate. The binding used is an instance of symmetric binding as described in 6.5.1.

Policy

See section 6.5.1 above for binding details

Signed Supporting Token

<sp:SignedSupportingTokens>  <wsp:Policy>    <sp:UsernameToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >      <wsp:Policy>        <sp:WssUsernameToken10 />       </wsp:Policy>    </sp:UsernameToken>  </wsp:Policy></sp:SignedSupportingTokens>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>  

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.5.4 IssuedTokenForSslNegotiated

With this authentication mode the client does not authenticate to the service, as such, but instead presents a token issued by an STS and proves knowledge of a shared key. The issued token appears at the SOAP layer as an endorsing supporting token. The service is authenticated using an X.509 certificate. The binding used is an instance of symmetric binding as described in 6.5.1 above.

Policy

See section 6.5.1 above for binding details

Endorsing Supporting Token

<sp:EndorsingSupportingTokens>  <wsp:Policy>    <sp:IssuedToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >      <sp:RequestSecurityTokenTemplate>        <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey        </wst:KeyType>       </sp:RequestSecurityTokenTemplate>      <wsp:Policy>        <sp:RequireDerivedKeys />         <sp:RequireInternalReference />       </wsp:Policy>    </sp:IssuedToken>  </wsp:Policy></sp:EndorsingSupportingTokens>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <saml:Assertion>  ...  </saml:Assertion>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>  

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <saml:Assertion>  ...  </saml:Assertion>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsse11:SignatureConfirmation />  <wsse11:SignatureConfirmation />  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.5.5 MutualSslNegotiated

With this authentication mode the client and the service authenticate using X.509 certificates. The binding used is an instance of symmetric binding as described in 6.5.1 above.

Policy

See section 6.5.1 above for binding details

Endorsing Supporting Token

<sp:EndorsingSupportingTokens>  <wsp:Policy>    <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >      <wsp:Policy>        <sp:RequireThumbprintReference />         <sp:WssX509V3Token10 />       </wsp:Policy>    </sp:X509Token>  </wsp:Policy></sp:EndorsingSupportingTokens>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>  

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.6 SspiNegotiated

With this authentication mode a negotiation protocol is used to perform client and server authentication. Kerberos is used if possible, otherwise NTLM. The binding used is a symmetric binding with the following properties;

Protection Token: SpnegoContextToken, inclusion mode is set to .../IncludeToken/AlwaysToRecipient
Token Protection: False

Entire Header And Body Signatures: True

Protection Order: SignBeforeEncrypt

Encrypt Signature: True

Policy

<wsp:Policy wsu:Id='CustomBinding_ISimple13_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:SymmetricBinding>        <wsp:Policy>          <sp:ProtectionToken>            <wsp:Policy>              <sp:SpnegoContextToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >                <wsp:Policy>                  <sp:RequireDerivedKeys />                 </wsp:Policy>              </sp:SpnegoContextToken>            </wsp:Policy>          </sp:ProtectionToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />           <sp:EncryptSignature />           <sp:OnlySignEntireHeadersAndBody />         </wsp:Policy>      </sp:SymmetricBinding>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>  

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security><wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Bb885188.collapse_all(en-us,VS.110).gif6.7 SecureConversation

The binding used is a symmetric binding with the protection token being a SCT per WS-SecureConversation (WS-SC). The SCT is negotiated using WS-Trust (WS-Trust) or WS-SecureConversation (WS-SC) according to a nested binding, which is itself a symmetric binding that uses a negotiation protocol. The negotiation protocol will use Kerberos to perform client and server authentication if possible. If Kerberos cannot be used, it will fall back to NTLM.

Policy

<wsp:Policy wsu:Id='SecureConversation_policy' >  <wsp:ExactlyOne>    <wsp:All>      <sp:SymmetricBinding>        <wsp:Policy>          <sp:ProtectionToken>            <wsp:Policy>              <sp:SecureConversationToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >                <wsp:Policy>                  <sp:RequireDerivedKeys />                   <sp:BootstrapPolicy>                    <wsp:Policy>                      <sp:SignedParts>                        <sp:Body />                         <sp:Header Name='To' Namespace='http://www.w3.org/2005/08/addressing' />                         <sp:Header Name='From' Namespace='http://www.w3.org/2005/08/addressing' />                         <sp:Header Name='FaultTo' Namespace='http://www.w3.org/2005/08/addressing' />                         <sp:Header Name='ReplyTo' Namespace='http://www.w3.org/2005/08/addressing' />                         <sp:Header Name='MessageID' Namespace='http://www.w3.org/2005/08/addressing' />                         <sp:Header Name='RelatesTo' Namespace='http://www.w3.org/2005/08/addressing' />                         <sp:Header Name='Action' Namespace='http://www.w3.org/2005/08/addressing' />                       </sp:SignedParts>                      <sp:EncryptedParts>                        <sp:Body />                       </sp:EncryptedParts>                      <sp:SymmetricBinding>                        <wsp:Policy>                          <sp:ProtectionToken>                            <wsp:Policy>                              <sp:SpnegoContextToken sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient' >                                <wsp:Policy>                                  <sp:RequireDerivedKeys />                                 </wsp:Policy>                              </sp:SpnegoContextToken>                            </wsp:Policy>                          </sp:ProtectionToken>                          <sp:AlgorithmSuite>                            <wsp:Policy>                              <sp:Basic256 />                             </wsp:Policy>                          </sp:AlgorithmSuite>                          <sp:Layout>                            <wsp:Policy>                              <sp:Strict />                             </wsp:Policy>                          </sp:Layout>                          <sp:IncludeTimestamp />                           <sp:EncryptSignature />                           <sp:OnlySignEntireHeadersAndBody />                         </wsp:Policy>                      </sp:SymmetricBinding>                      <sp:Wss11>                        <wsp:Policy>                          <sp:MustSupportRefKeyIdentifier />                           <sp:MustSupportRefIssuerSerial />                           <sp:MustSupportRefThumbprint />                           <sp:MustSupportRefEncryptedKey />                         </wsp:Policy>                      </sp:Wss11>                      <sp:Trust10>                        <wsp:Policy>                          <sp:MustSupportIssuedTokens />                           <sp:RequireClientEntropy />                           <sp:RequireServerEntropy />                         </wsp:Policy>                      </sp:Trust10>                    </wsp:Policy>                  </sp:BootstrapPolicy>                </wsp:Policy>              </sp:SecureConversationToken>            </wsp:Policy>          </sp:ProtectionToken>          <sp:AlgorithmSuite>            <wsp:Policy>              <sp:Basic256 />             </wsp:Policy>          </sp:AlgorithmSuite>          <sp:Layout>            <wsp:Policy>              <sp:Strict />             </wsp:Policy>          </sp:Layout>          <sp:IncludeTimestamp />           <sp:EncryptSignature />           <sp:OnlySignEntireHeadersAndBody />         </wsp:Policy>      </sp:SymmetricBinding>      <sp:Wss11>        <wsp:Policy>          <sp:MustSupportRefKeyIdentifier />           <sp:MustSupportRefIssuerSerial />           <sp:MustSupportRefThumbprint />           <sp:MustSupportRefEncryptedKey />         </wsp:Policy>      </sp:Wss11>      <sp:Trust10>        <wsp:Policy>          <sp:MustSupportIssuedTokens />           <sp:RequireClientEntropy />           <sp:RequireServerEntropy />         </wsp:Policy>      </sp:Trust10>      <wsaw:UsingAddressing />     </wsp:All>  </wsp:ExactlyOne></wsp:Policy>

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: SignBeforeEncrypt, EncryptSignature

Request

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>

Response

<wsse:Security s:mustUnderstand="1">  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <xenc:ReferenceList>  ...  </xenc:ReferenceList>  <xenc:EncryptedData>  ...  </xenc:EncryptedData></wsse:Security>  

Bb885188.collapse_all(en-us,VS.110).gifSecurity Header Examples: EncryptBeforeSign

Request

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:SecurityContextToken>  ...  </wsc:SecurityContextToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>

Response

<wsse:Security>  <wsu:Timestamp>  ...  </wsu:Timestamp>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <wsc:DerivedKeyToken>  ...
  </wsc:DerivedKeyToken>  <ds:Signature>  ...  </ds:Signature>  <xenc:ReferenceList>  ...  </xenc:ReferenceList></wsse:Security>
Show:
© 2014 Microsoft