3.2.5.4 Realm Autodiscovery Through HTTP 401 Challenge
When a server receives a request that contains an empty Bearer HTTP Authorization header, the server responds with an HTTP 401 challenge, as specified in [RFC2616] and [RFC2617]. The Bearer WWW-Authenticate header of the HTTP 401 challenge contains the following fields:
client_id. The client's security principal identifier.
realm. The server MAY<1> return this field. This is the source realm of the client.
trusted_issuers. A comma-separated list of all security token issuers the server trusts. The client can then select a security token issuer to request a security token.
For an example of realm autodiscovery through HTTP 401 challenge, see section 4.6.