3.1.5.2.1 LsRequestSecurityToken Request

As described above in the LsRequestSecurityToken section, when the client is serving as a proxy for an STS in the Requestor STS role described in [MS-MWBF], the client MUST emit an LsRequestSecurityToken request message after it authenticates a new user requesting a security token using the protocol described in [MS-MWBF].

The targetRealmName element MUST be populated by the wtrealm parameter of the [MS-MWBF] request for a security token.

The credentialType and credentials elements are determined by the method used at the client for authenticating the [MS-MWBF] web browser requestor. The client MAY use username and password authentication or SSL client certificate authentication.<6>

If SSL client certificate authentication is used, the credentialTypeUri parameter MUST be "urn:ietf:rfc:2246". If username and password authentication is used, the credentialTypeUri MUST be "urn:oasis:names:tc:SAML:1.0:am:password".

If SSL client certificate authentication is used, the credentials element MUST contain only two values. The first value MUST equal "Certificate". The value of the second string MUST be an X.509 certificate per [WSDL] that is Base64-encoded per [RFC4648].

If username and password authentication is used, the credentials element MUST contain only four values. The value of the first string MUST be "Username". The value of the second string MUST be a username for the web browser requestor. The value of the third string MUST be "Password". The value of the fourth string MUST be a password for the web browser requestor.

The client MAY specify an identifier for a particular account store to be used by the server when generating claims for the web browser requestor using the accountStoreUri element.<7>

The client MAY specify an [RFC2965] cookie value that is Base64-encoded per [RFC4648] in the cookie element of the request.<8>
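The following is an added illustration, not part of the specification and not code from any [MS-ADFSPP] implementation. It models the request's elements as a plain Python object (the real message is a SOAP body, which is not shown) and encodes the rules of this section: targetRealmName is copied from wtrealm, the two credentialTypeUri values select either a two-string certificate credentials list or a four-string username/password list, and the optional accountStoreUri and Base64-encoded cookie ride along. The validate() function returns which MUST-level rules a given request breaks, which is the check a reviewer would run against a proxy's outgoing requests. All element names are taken from the section; the class and function names and the sample values are constructed for the example.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# credentialTypeUri values the section prescribes for each authentication method.
CREDTYPE_TLS_CLIENT_CERT = "urn:ietf:rfc:2246"
CREDTYPE_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"


@dataclass
class LsRstParams:
    """Hypothetical in-memory model of the request elements (not the SOAP wire format)."""
    targetRealmName: str          # taken from the [MS-MWBF] wtrealm parameter
    credentialTypeUri: str
    credentials: List[str]
    accountStoreUri: Optional[str] = None   # optional account store identifier
    cookie: Optional[str] = None            # Base64 (RFC 4648) of the RFC 2965 cookie value


def _b64(data: bytes) -> str:
    # Padded Base64 as defined in RFC 4648, which is what base64.b64encode produces.
    return base64.b64encode(data).decode("ascii")


def build_with_client_certificate(wtrealm: str, cert_der: bytes,
                                  account_store_uri: Optional[str] = None,
                                  cookie_value: Optional[bytes] = None) -> LsRstParams:
    """Populate the request for SSL client certificate authentication."""
    return LsRstParams(
        targetRealmName=wtrealm,
        credentialTypeUri=CREDTYPE_TLS_CLIENT_CERT,
        credentials=["Certificate", _b64(cert_der)],   # exactly two strings
        accountStoreUri=account_store_uri,
        cookie=_b64(cookie_value) if cookie_value is not None else None,
    )


def build_with_password(wtrealm: str, username: str, password: str,
                        account_store_uri: Optional[str] = None,
                        cookie_value: Optional[bytes] = None) -> LsRstParams:
    """Populate the request for username and password authentication."""
    return LsRstParams(
        targetRealmName=wtrealm,
        credentialTypeUri=CREDTYPE_PASSWORD,
        credentials=["Username", username, "Password", password],  # exactly four strings
        accountStoreUri=account_store_uri,
        cookie=_b64(cookie_value) if cookie_value is not None else None,
    )


def _is_rfc4648(value: str) -> bool:
    try:
        base64.b64decode(value, validate=True)  # rejects non-alphabet characters
        return True
    except ValueError:                          # binascii.Error is a ValueError subclass
        return False


def validate(p: LsRstParams) -> List[str]:
    """Return the MUST-level rules from this section that the request violates (empty if none)."""
    problems = []
    if not p.targetRealmName:
        problems.append("targetRealmName must carry the wtrealm value")
    if p.credentialTypeUri == CREDTYPE_TLS_CLIENT_CERT:
        if len(p.credentials) != 2 or p.credentials[0] != "Certificate":
            problems.append("certificate credentials must be exactly ['Certificate', <base64 cert>]")
        elif not _is_rfc4648(p.credentials[1]):
            problems.append("certificate value must be Base64-encoded per RFC 4648")
    elif p.credentialTypeUri == CREDTYPE_PASSWORD:
        if (len(p.credentials) != 4 or p.credentials[0] != "Username"
                or p.credentials[2] != "Password"):
            problems.append("password credentials must be exactly ['Username', u, 'Password', pw]")
    else:
        problems.append("credentialTypeUri %r is not one of the two defined values" % p.credentialTypeUri)
    if p.cookie is not None and not _is_rfc4648(p.cookie):
        problems.append("cookie value must be Base64-encoded per RFC 4648")
    return problems


if __name__ == "__main__":
    # Constructed sample values; a real certificate would be DER bytes.
    req = build_with_client_certificate("urn:federation:example", b"abc", cookie_value=b"ab")
    print(req, validate(req))
```

Running the module prints the modelled certificate request and an empty violation list; feeding validate() a request whose credentialTypeUri does not match the shape of its credentials list shows how the two rules are coupled.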