3.1.4.1.1.1 IWindowsDeviceEnrollmentService_RequestSecurityToken_InputMessage Message
A WSDL message containing the request for the RequestSecurityToken WSDL operation.
The SOAP action value is:

http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
The IWindowsDeviceEnrollmentService_RequestSecurityToken_InputMessage request message ([WSTrust1.3] section 3.1 RequestSecurityToken) is sent from the client to the server to enroll a certificate and to retrieve provisioning information. The WSDL definition is:

<wsdl:message name="IWindowsDeviceEnrollmentService_RequestSecurityToken_InputMessage">
  <wsdl:part name="request" element="wst:RequestSecurityToken"/>
</wsdl:message>
The IWindowsDeviceEnrollmentService_RequestSecurityToken_InputMessage Message contains the elements that are part of a client request to a server.
The following elements MUST be included in the SOAP header.
wsse:Security: Defined in section 3.1.4.1.2.2.
This element MUST be a child of the <s:Header> element.
wsse:BinarySecurityToken: Defined in section 3.1.4.1.2.3. The ValueType attribute MUST be urn:ietf:params:oauth:token-type:jwt. The EncodingType attribute MUST be http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary. The <wsse:BinarySecurityToken> element MUST contain a JSON Web Token (JWT) [IETFDRAFT-JWT]. The JWT MUST contain the following claims:
| Claim | Description |
|---|---|
| http://schemas.microsoft.com/authorization/claims/PermitDeviceRegistrationClaim. | Whether the security authority has granted permission for the user to register devices. |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | The user principal name (UPN) of the user that authenticated to the web service. |
This element MUST be a child of the <wsse:Security> element.
The following elements MUST be included in the SOAP body.
wst:RequestSecurityToken: Defined in section 3.1.4.1.2.4.
This element MUST be a child of the <s:Body> element.
wst:RequestType: Defined in section 3.1.4.1.2.5. The <wst:RequestType> element MUST be http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue (see [WSTrust1.3] section 3.1).
This element MUST be a child of the <wst:RequestSecurityToken> element.
wst:TokenType: Defined in section 3.1.4.1.2.6. For the X.509 enrollment extension to WS-Trust, the <wst:TokenType> element MUST be http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken (see [WSTrust1.3] section 3.1).
This element MUST be a child of the <wst:RequestSecurityToken> element.
wsse:BinarySecurityToken: Defined in section 3.1.4.1.2.3. The ValueType attribute MUST be http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10. The EncodingType attribute MUST be http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary. The <wsse:BinarySecurityToken> element MUST contain a base64 encoded PKCS#10 Certificate Request [RFC2986]. The Certificate Request MUST use an RSA public key algorithm with 2048 bit key and use a SHA256WithRSAEncryption signature algorithm and SHA256 hash algorithm.
This element MUST be a child of the <wst:RequestSecurityToken> element.
ac:AdditionalContext: Defined in section 3.1.4.1.2.7. The <ac:AdditionalContext> element MUST contain three <ac:ContextItem> child elements to represent the device type, OS version, and device display name (See [WSFederation] section 9.2).
This element MUST be a child of the <wst:RequestSecurityToken> element.
ac:ContextItem: Defined in section 3.1.4.1.2.8. The request MUST contain the following information in <ac:ContextItem> elements as child elements of the <ac:AdditionalContext> element.
| Name attribute | Description |
|---|---|
| The literal string "DeviceType" | The <ac:Value> element contains the device type. |
| The literal string "ApplicationVersion" | The <ac:Value> element contains the OS version installed on the device. |
| The literal string "DeviceDisplayName" | The <ac:Value> element contains the friendly name of the device. |
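The following is an added example, not part of the specification or of any Microsoft implementation: it builds an IWindowsDeviceEnrollmentService_RequestSecurityToken_InputMessage envelope from sample inputs and then checks a received envelope against the MUST requirements listed above (SOAP action, JWT token type and claims, RequestType, TokenType, PKCS#10 token attributes, and the three ContextItem names). The SOAP 1.2 envelope and ac namespace URIs, the element prefixes, the sample claim values and the stub CSR bytes are assumptions; the JWT signature and the RSA-2048/SHA-256 properties of the CSR are not verified here and would be checked by a separate signature and ASN.1 layer.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Values quoted in the specification text.
SOAP_ACTION = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep"
JWT_VALUE_TYPE = "urn:ietf:params:oauth:token-type:jwt"
JWT_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
PKCS10_VALUE_TYPE = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
PKCS10_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
REQUEST_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
TOKEN_TYPE = "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken"
REQUIRED_CLAIMS = (
    "http://schemas.microsoft.com/authorization/claims/PermitDeviceRegistrationClaim",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
)
REQUIRED_CONTEXT = ("DeviceType", "ApplicationVersion", "DeviceDisplayName")

# Namespace URIs: wsse and wst follow from the URIs above; the SOAP 1.2
# envelope and ac (WS-Federation authorization) URIs are assumptions.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "ac": "http://schemas.xmlsoap.org/ws/2006/12/authorization",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sample_jwt(claims: dict) -> str:
    # Constructed token for the example: the third segment is a placeholder,
    # a real token carries an RS256 signature that the server verifies.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'placeholder-signature')}"


def _jwt_claims(token: str) -> dict:
    # Structural decode only; signature verification is assumed to happen elsewhere.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have three segments")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def build_request(jwt: str, csr_der: bytes, device_type: str, os_version: str, display_name: str) -> str:
    """Client side: assemble the request message from the spec's required elements."""
    items = zip(REQUIRED_CONTEXT, (device_type, os_version, display_name))
    context = "".join(f'<ac:ContextItem Name="{n}"><ac:Value>{v}</ac:Value></ac:ContextItem>' for n, v in items)
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}" xmlns:wst="{NS['wst']}" xmlns:ac="{NS['ac']}">
  <s:Header><wsse:Security>
    <wsse:BinarySecurityToken ValueType="{JWT_VALUE_TYPE}" EncodingType="{JWT_ENCODING}">{jwt}</wsse:BinarySecurityToken>
  </wsse:Security></s:Header>
  <s:Body><wst:RequestSecurityToken>
    <wst:RequestType>{REQUEST_TYPE}</wst:RequestType>
    <wst:TokenType>{TOKEN_TYPE}</wst:TokenType>
    <wsse:BinarySecurityToken ValueType="{PKCS10_VALUE_TYPE}" EncodingType="{PKCS10_ENCODING}">{base64.b64encode(csr_der).decode()}</wsse:BinarySecurityToken>
    <ac:AdditionalContext>{context}</ac:AdditionalContext>
  </wst:RequestSecurityToken></s:Body>
</s:Envelope>"""


def validate_request(soap_action: str, xml_text: str) -> list:
    """Server side: return the list of MUST-requirement violations (empty means acceptable)."""
    problems = []
    if soap_action != SOAP_ACTION:
        problems.append("SOAP action mismatch")
    root = ET.fromstring(xml_text)
    bst = root.find("s:Header/wsse:Security/wsse:BinarySecurityToken", NS)
    if bst is None or bst.get("ValueType") != JWT_VALUE_TYPE or bst.get("EncodingType") != JWT_ENCODING:
        problems.append("header BinarySecurityToken missing or not a base64 JWT")
    else:
        try:
            claims = _jwt_claims(bst.text or "")
        except ValueError as exc:  # covers binascii.Error and JSONDecodeError
            problems.append(f"JWT undecodable: {exc}")
        else:
            problems += [f"JWT missing claim {c}" for c in REQUIRED_CLAIMS if c not in claims]
    rst = root.find("s:Body/wst:RequestSecurityToken", NS)
    if rst is None:
        return problems + ["wst:RequestSecurityToken missing from body"]
    if rst.findtext("wst:RequestType", "", NS) != REQUEST_TYPE:
        problems.append("RequestType must be ws-trust Issue")
    if rst.findtext("wst:TokenType", "", NS) != TOKEN_TYPE:
        problems.append("TokenType must be DeviceEnrollmentToken")
    csr = rst.find("wsse:BinarySecurityToken", NS)
    if csr is None or csr.get("ValueType") != PKCS10_VALUE_TYPE or csr.get("EncodingType") != PKCS10_ENCODING:
        problems.append("PKCS#10 BinarySecurityToken missing or mistyped")
    else:
        try:
            der = base64.b64decode(csr.text or "", validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):  # DER CertificationRequest is an outer SEQUENCE
            problems.append("PKCS#10 body is not base64-encoded DER")
    names = [ci.get("Name") for ci in rst.findall("ac:AdditionalContext/ac:ContextItem", NS)]
    if sorted(names) != sorted(REQUIRED_CONTEXT):
        problems.append(f"AdditionalContext must carry exactly {REQUIRED_CONTEXT}, got {names}")
    return problems


# Constructed sample inputs (not real claim values or a real CSR).
SAMPLE_CLAIMS = {REQUIRED_CLAIMS[0]: "true", REQUIRED_CLAIMS[1]: "user@example.com"}
SAMPLE_CSR_DER = b"\x30\x0a" + b"\x00" * 10  # stub: DER SEQUENCE header followed by filler

if __name__ == "__main__":
    msg = build_request(sample_jwt(SAMPLE_CLAIMS), SAMPLE_CSR_DER, "ExampleDeviceType", "10.0.0", "EXAMPLE-PC")
    print(validate_request(SOAP_ACTION, msg))
```

The validator returns a list rather than raising on the first defect so that a rejected enrollment can be logged with every requirement it failed; a request whose JWT lacks the PermitDeviceRegistrationClaim claim is reported alongside any action or token-type mismatch.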