3.2.5.1 Issuing a Security Token by Responding to a wsignin1.0 Request Message

This message is received by a requestor IP/STS from a relying party. The generic model for responding to a wsignin1.0 message is specified to consist of the following steps (from section 3.1.5.4):

• Protocol Activation (section 3.1.5.4.1)

• Message Validation (section 3.1.5.4.2)

• User Identification and Authentication (section 3.1.5.4.3)

• User Attribute Retrieval (section 3.1.5.4.4)

• Claim Mapping (section 3.1.5.4.5)

• SAML Assertion Construction (section 3.1.5.4.6)

• Response Message Processing (section 3.1.5.4.7)

A requestor IP/STS MUST process a wsignin1.0 request message, as described in the preceding sections, with the following exception:

• User identification and authentication

  It is not possible for a requestor IP/STS to authenticate the user by using this protocol with an IP/STS in another security realm because the user account is managed in the security realm of the requestor IP/STS.