2.2.4.1 High-Level Format of wresult Parameter

The syntax for a successful wsignin1.0 response message requires that the wresult parameter contain a security token that MUST be encoded as an RSTR element, as specified in [WSTrust] section 6.2. The RSTR MUST contain a RequestedSecurityToken element, as specified in [WSTrust] section 6.2. This child element MUST contain either a security token that is constructed as an Assertion element, as specified in [SAMLCore] section 2.3.2, or encrypted content in an EncryptedData element, as specified in [XMLENC] section 3.4.

If present, the syntax of the Assertion element MUST conform to a subset of the SAML assertion syntax, as specified in section 2.2.4.2.

The RSTR MAY<23> contain an AppliesTo element, as specified in [WSPolicyAtt] section 3.4. If present, this child element MUST contain an EndpointReference element, as specified in [WSA] section 2.2. The body of the Address element, also specified in [WSA] section 2.2, SHOULD specify the resource provider's security realm URI. Note that this data is redundant and MUST duplicate the information in the security token's Audience element, as specified in [SAMLCore] section 2.3.2.1.3.

Implementations that conform to this protocol MAY<24> include other optional elements or attributes in the RSTR. Such elements are informative to the requestor to indicate how the issuer processed the request. For further specification, see the RSTR example in section 4.2.1.
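The following is an added example, not part of this specification, showing how a relying party could check a received wresult value against the structural rules above (RSTR root, RequestedSecurityToken holding exactly one Assertion or EncryptedData, and, when AppliesTo is present, an Address that duplicates the token's Audience). The namespace URIs, the constructed sample RSTR and the function name check_wresult are assumptions made for this example.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml.ElementTree

# Namespace URIs assumed for the WS-Trust, WS-Policy, WS-Addressing, SAML 1.1
# and XML-Enc versions this section cites (assumption, not taken from the spec).
NS = {
    "t":    "http://schemas.xmlsoap.org/ws/2005/02/trust",   # RSTR, RequestedSecurityToken
    "wsp":  "http://schemas.xmlsoap.org/ws/2004/09/policy",  # AppliesTo
    "wsa":  "http://www.w3.org/2005/08/addressing",          # EndpointReference, Address
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",         # Assertion, Audience
    "xenc": "http://www.w3.org/2001/04/xmlenc#",             # EncryptedData
}

def check_wresult(wresult: str) -> list[str]:
    """Return the list of rule violations found; an empty list means the RSTR passes."""
    errors = []
    rstr = ET.fromstring(wresult)
    if rstr.tag != f"{{{NS['t']}}}RequestSecurityTokenResponse":
        return ["wresult root is not a RequestSecurityTokenResponse"]
    rst = rstr.find("t:RequestedSecurityToken", NS)
    if rst is None:
        return ["RSTR lacks RequestedSecurityToken"]
    assertion = rst.find("saml:Assertion", NS)
    encrypted = rst.find("xenc:EncryptedData", NS)
    if (assertion is None) == (encrypted is None):
        errors.append("RequestedSecurityToken must hold exactly one Assertion or EncryptedData")
    applies = rstr.find("wsp:AppliesTo", NS)
    if applies is not None:
        address = applies.find("wsa:EndpointReference/wsa:Address", NS)
        if address is None:
            errors.append("AppliesTo present but EndpointReference/Address is missing")
        elif assertion is not None:
            # The realm in AppliesTo is redundant and MUST match the token's Audience.
            realm = (address.text or "").strip()
            audiences = {a.text.strip() for a in assertion.iterfind(
                "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS) if a.text}
            if realm not in audiences:
                errors.append(f"AppliesTo {realm} not in Audience {sorted(audiences)}")
    return errors

# Constructed sample RSTR (not a real token): Assertion plus a matching AppliesTo.
GOOD = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsa="http://www.w3.org/2005/08/addressing">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_example">
   <saml:Conditions><saml:AudienceRestrictionCondition>
    <saml:Audience>https://rp.example.com/</saml:Audience>
   </saml:AudienceRestrictionCondition></saml:Conditions>
  </saml:Assertion>
 </t:RequestedSecurityToken>
 <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://rp.example.com/</wsa:Address>
 </wsa:EndpointReference></wsp:AppliesTo>
</t:RequestSecurityTokenResponse>"""
# Same RSTR with an AppliesTo realm that no longer duplicates the Audience.
BAD = GOOD.replace("<wsa:Address>https://rp.example.com/", "<wsa:Address>https://other.example.net/")
```

Running check_wresult(GOOD) returns an empty list, while check_wresult(BAD) reports the AppliesTo/Audience mismatch.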