<Integrity> Element

Specifies the digital signature requirements for a SOAP message.

<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET) (1)

<Integrity wsp:Usage="wsp:Required">
  <MessageParts Dialect="..." Signer="...">
  </MessageParts>
  <Algorithm Type="wsse:AlgCanonicalization"
             URI="..." wsp:Preference="..."/>
</Integrity>


Attributes

wsp:Usage

Specifies how to process the digital signature requirement. Setting wsp:Usage to wsp:Required specifies that the SOAP message must be signed as specified by the assertion.

Child Elements

<Algorithm> Element for <Integrity>

Optional element. Specifies the algorithm to use to compute the digital signature. WSE supports wsse:AlgCanonicalization, wsse:AlgSignature, wsse:AlgDigest, and wsse:AlgTransform.

<MessageParts> Element for <Integrity> Element

Required element. Specifies the portions of the SOAP message that must be signed.

<TokenInfo> Element

Optional element. Specifies the type of security token that must be used to sign the SOAP message.

Parent Elements

<Policy> Element (WSE for Microsoft .NET) (1)

Specifies a SOAP message requirement.

The <Integrity> element must contain a <TokenInfo> element that contains a security token type supported by WSE.

WSE supports the following values for the <MessageParts> element when used with the <Integrity> element: wsp:Body(), wsp:Header(anAddressingSoapHeader), wse:UsernameToken(), wse:Addressing(), and wse:Timestamp(). The anAddressingSoapHeader header is any custom header one level below <soap:Header> or one of the following SOAP headers, as described in the WS-Addressing specification: <Action>, <FaultTo>, <From>, <MessageId>, <Recipient>, <RelatesTo>, <ReplyTo>, and <To>.

When using policy to require that a digital signature exists on incoming SOAP messages, always use the <MessagePredicate> element. The <MessagePredicate> element ensures that the XML elements that must be signed exist in the SOAP message. Adding only an <Integrity> element to a policy file specifies that a digital signature must exist if the XML elements specified in the <Integrity> element exist in the SOAP message. If the SOAP message does not contain the XML elements specified in the <Integrity> element, the SOAP message satisfies the requirements of the policy and is allowed to access the Web service. To remedy this potential problem, add a <MessagePredicate> element specifying the XML elements that must exist in the incoming SOAP message.
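The rule described above, modelled as an added example (not WSE code and not part of the original page): it compares the <Integrity>-only evaluation with the evaluation once a <MessagePredicate> requires the parts to exist. It checks only which parts the signature references, not cryptographic validity; the sample envelopes, Id values, part-to-path mapping, and WS-Addressing namespace version are constructed assumptions.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsa": "http://schemas.xmlsoap.org/ws/2004/03/addressing",  # assumed version
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Policy part expressions from the page, mapped to element paths (assumed mapping).
PARTS = {"wsp:Body()": "soap:Body",
         "wsp:Header(wsa:To)": "soap:Header/wsa:To",
         "wsp:Header(wsa:Action)": "soap:Header/wsa:Action"}

def envelope(headers, signed_ids):
    """Build a constructed, simplified SOAP message (a real ds:Signature sits in wsse:Security)."""
    refs = "".join(f'<ds:Reference URI="#{i}"/>' for i in signed_ids)
    hdrs = "".join(f'<wsa:{h} wsu:Id="Id-{h}">x</wsa:{h}>' for h in headers)
    return ET.fromstring(
        f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsa="{NS["wsa"]}" '
        f'xmlns:ds="{NS["ds"]}" xmlns:wsu="{WSU}"><soap:Header>{hdrs}'
        f'<ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo></ds:Signature>'
        f'</soap:Header><soap:Body wsu:Id="Id-Body"/></soap:Envelope>')

def referenced_ids(env):
    """wsu:Id values the signature references (coverage only, no crypto verification)."""
    uris = (r.get("URI", "") for r in env.iterfind(".//ds:SignedInfo/ds:Reference", NS))
    return {u[1:] for u in uris if u.startswith("#")}

def integrity_only(env, parts):
    """<Integrity> alone: a listed part must be signed only if it is present."""
    ids = referenced_ids(env)
    present = [env.find(PARTS[p], NS) for p in parts]
    return all(el.get(f"{{{WSU}}}Id") in ids for el in present if el is not None)

def integrity_with_predicate(env, parts):
    """<MessagePredicate> added: every listed part must exist, then be signed."""
    if any(env.find(PARTS[p], NS) is None for p in parts):
        return False
    return integrity_only(env, parts)

POLICY = ["wsp:Body()", "wsp:Header(wsa:To)", "wsp:Header(wsa:Action)"]

if __name__ == "__main__":
    cases = {"all parts signed": envelope(["To", "Action"], ["Id-Body", "Id-To", "Id-Action"]),
             "headers absent": envelope([], ["Id-Body"]),
             "headers unsigned": envelope(["To", "Action"], ["Id-Body"])}
    for name, env in cases.items():
        print(name, integrity_only(env, POLICY), integrity_with_predicate(env, POLICY))
```

The "headers absent" case is the one the paragraph warns about: it passes the <Integrity>-only rule and is rejected once the parts are required to exist.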

The following table lists the possible values for the wsp:Usage attribute, as defined by the WS-Policy specification. WSE only supports the wsp:Required value for the wsp:Usage attribute. That is, only "required" assertions will get their policy enforcers invoked during enforcement.

Indicates that SOAP messages must contain a digital signature as specified in the assertion.


Indicates that SOAP messages that are digitally signed as specified in the assertion are explicitly not supported.


Indicates that SOAP messages can be optionally digitally signed as specified in the assertion.


Indicates that SOAP messages must be digitally signed as specified in the assertion.


Indicates that SOAP messages are not processed to determine if they meet this digital signature requirement.

The following code example is a policy file specifying that all SOAP messages sent to the endpoint must have the <Body> element and the To, Action, MessageID, and From headers signed by a Kerberos service ticket issued from the COHOWINERY realm for communication between the current user and the computer named

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="">
  <mappings xmlns:wse="">
    <endpoint uri="">
        <request policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
        <response policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
        <fault policy="#policy-c0a22319-6b89-49ff-9b82-bdbac5f04618" />
    </endpoint>
  </mappings>
  <policies xmlns:wsu="">
    <wsp:Policy wsu:Id="policy-c0a22319-6b89-49ff-9b82-bdbac5f04618"
      xmlns:wsa="" >
      <wssp:Integrity wsp:Usage="wsp:Required">
          <SecurityToken xmlns="">
          </SecurityToken>
        <wssp:MessageParts Dialect="">
            wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wsp:Header(wsa:From)
        </wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>