2.2.3 wsignin1.0 Request Message

The wsignin1.0 request message is sent to the IP/STS to request that a security token be issued for a specific user to allow access to resources managed by the relying party. For normative descriptions and details on this request message, see [WSFederation1.2] section 13.2.2. This message consists of an HTTP GET with the following query string parameters, formatted as specified in [WSFederation1.2] sections 13.2.1 and 13.2.2:

  • wa: The value MUST be the literal string "wsignin1.0".

  • wtrealm: This parameter MUST be included in a request message to a different security realm from the relying party. If present, this value MUST be a URI that the requestor IP/STS and the relying party have agreed to use to identify the security realm of the relying party in messages to the requestor IP/STS.

  • wreply (optional): This parameter MAY be included in request messages to the same security realm as the relying party. If present, this value MUST be a URL to which responses MUST be directed. The requestor IP/STS MUST validate that this URL belongs to the relying party before directing responses to this URL.<11>

  • wctx (optional): This value is an opaque context that MAY be passed in the request by the relying party.<12>

  • wct (optional): This value is the current time at the relying party that MUST be the string encoding of time, using the XML schema <datetime> time with Coordinated Universal Time (UTC) notation.<13>

  • wauth (optional): This value is a URI that indicates the method of authentication wanted.<14>

  • whr (optional): This value is a URI that uniquely identifies the requestor IP/STS that SHOULD receive the wsignin1.0 request message.<15>

  • client-request-id (optional): This value is a string that is used to specify a request identifier that is used when logging events, including errors or failures that occur while processing the request.<16>

  • login_hint (optional): This value is a string that is used to provide a hint about the login identifier the end-user might use to log in. This value MAY be used to derive the IP/STS that SHOULD receive the wsignin1.0 request message.<17> Actual derivation is implementation specific.

  • username (optional): This value is a string that is used to provide a hint about the login identifier the end-user might use to log in. This value MAY be used to derive the IP/STS that SHOULD receive the wsignin1.0 request message.<18> Actual derivation is implementation specific.

  • domain_hint (optional): This value is a string that MAY be used to derive the IP/STS that SHOULD receive the wsignin1.0 request message.<19> Actual derivation is implementation specific.

  • prompt (optional): This query parameter is used in the same way as the prompt parameter defined in [OIDCCore] section 3.1.2.1, but the only accepted value for this parameter is "login".<20> Any other values are ignored. This parameter is used to interactively prompt the end-user for re-authentication. Error handling for this parameter follows the specification of section 3.1.5.2.

  • mfa_max_age (optional): This value is a string that is used to specify the allowable timespan, in seconds, within which the last multiple factor authentication of the user MUST have been performed by the IP/STS. The AD FS server ignores this parameter unless its ad_fs_behavior_level is AD_FS_BEHAVIOR_LEVEL_3 or higher ([MS-OAPX] section 3.2.1.1).<21> The IP/STS SHOULD have a setting that configures it to issue the claim "http://schemas.microsoft.com/ws/2017/04/identity/claims/multifactorauthenticationinstant" in the security token to the relying party. The value of this claim SHOULD specify the time, in UTC, when the user last performed multiple factor authentication.

Note: login_hint and username are aliases that signify the same query parameter, and either of them can be used to provide a hint about the login identifier the end-user might use to log in.