Active Mode Authentication
Active mode in WS-Federation is built on WS-Trust over SOAP: the client sends a RequestSecurityToken (RST) SOAP message that carries the user's username and password in a WS-Security UsernameToken, and on successful authentication the server returns a RequestSecurityTokenResponse (RSTR) containing a signed SAML 1.1 assertion. Because the client application handles the user's raw password itself, and because the SOAP/WS-Security plumbing is comparatively heavy, this method is relatively difficult to implement securely and is generally not recommended. Where it is used, the endpoint must only be reached over HTTPS and request bodies (which contain the clear-text password) must never be logged.
# Login Process
# Request Specification
POST https://{your_domain}/api/v1/sso/wsfed/{your_app_clientId}/active
# Request Example
# 1. Request Headers
| Parameter Name | Required | Example Value | Description |
|---|---|---|---|
| Content-Type | Yes | application/soap+xml | SOAP 1.2 protocol standard format |
# 2. Body Message
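<?xml version='1.0' encoding='UTF-8'?>
<!--
  WS-Trust RequestSecurityToken (RST) sent to the WS-Federation Active endpoint.
  The user's password is carried in clear text inside the WS-Security header, so this
  message must only ever be sent to the HTTPS endpoint given in the request specification,
  and the request body must never be written to logs.
-->
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:saml='urn:oasis:names:tc:SAML:1.0:assertion' xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:wssc='http://schemas.xmlsoap.org/ws/2005/02/sc' xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust'>
  <s:Header>
    <!-- Fixed WS-Trust "Issue" action (see the header parameter table); mustUnderstand='1' makes the server fault if it cannot honour it -->
    <wsa:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
    <!-- Must be exactly the URL of the Active endpoint that receives this message -->
    <wsa:To s:mustUnderstand='1'>https://{your_domain}/api/v1/sso/wsfed/{your_app_clientId}/active</wsa:To>
    <!-- Generate a fresh random UUID for every request; the response echoes it in wsa:RelatesTo so replies can be correlated -->
    <wsa:MessageID>urn:uuid:BCA8CE3D-D522-46E5-85F6-101E8CDFD730</wsa:MessageID>
    <wsse:Security>
      <!-- Credentials are sent as a clear-text UsernameToken: the password is not hashed or encrypted at the message level, TLS is the only protection -->
      <wsse:UsernameToken wsu:Id='user'>
        <wsse:Username>test_user@test.bccastle.com</wsse:Username>
        <wsse:Password>Password</wsse:Password>
        <!-- NOTE(review): the header parameter table lists optional wsu:Created / wsu:Expires that the server validates
             when present; their placement is not shown in this example - confirm where the server expects them -->
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken Id='RST0'>
      <!-- Fixed value -->
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <!-- Marked as required in the body parameter table (the original example omitted it); the issued token is a SAML 1.1 assertion -->
      <wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <!-- Relying-party address. The server currently does not process this value, so it must not be relied on
               to scope the issued assertion: the relying party has to verify the assertion's Audience itself -->
          <wsa:Address>https://login.partner.microsoftonline.cn</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <!-- No proof key is requested: the returned assertion is a bearer token, so anyone holding it can present it -->
      <wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>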
Request Body Message Description
- Namespace Explanation
| namespace | Address |
|---|---|
| wsa | http://www.w3.org/2005/08/addressing |
| wsse | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd |
| wsu | http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd |
| wst | http://schemas.xmlsoap.org/ws/2005/02/trust |
- <s:Header> Parameter Explanation
| Parameter Name | Required | Example Value | Description |
|---|---|---|---|
| wsa:Action | Yes | http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | Protocol Fixed Value |
| wsa:To | Yes | https://{your_domain}/api/v1/sso/wsfed/{your_app_clientId}/active | Must be exactly the URL of the Active endpoint that receives the request |
| wsa:MessageID | Yes | urn:uuid:BCA8CE3D-D522-46E5-85F6-101E8CDFD730 | Random UUID, unique per request; the response echoes it in wsa:RelatesTo so the client can correlate the reply |
| wsse:Username | Yes | test_user@test.bccastle.com | Username; the IDaaS user is looked up according to the application's configuration |
| wsse:Password | Yes | Password | The user's password. It is sent in clear text in the SOAP header, so the request must be made over HTTPS only and the request body must never be logged |
| wsu:Created | No | 2023-04-19T02:30:59 | If present, validated to be before the current time (i.e. not in the future). The example value carries no time-zone designator; confirm that the server interprets it as UTC |
| wsu:Expires | No | 2023-04-19T03:30:59 | If present, validated against the current time: the request is rejected once this time has passed (i.e. it must be later than the current time) |
- <s:Body> Parameter Description
| Parameter Name | Required | Example Value | Description |
|---|---|---|---|
| wst:RequestType | Yes | http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | Fixed value |
| wst:TokenType | Yes | urn:oasis:names:tc:SAML:1.0:assertion | Fixed value |
| wsa:Address | Yes | https://login.partner.microsoftonline.cn | Relying-party address inside wsp:AppliesTo. Currently not processed by the server, so it must not be relied on to scope the issued assertion; the relying party has to validate the assertion's Audience itself |
| wst:KeyType | Yes | http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey | Fixed value |
# Response Example
# Successful Return Example
<!--
  WS-Trust RequestSecurityTokenResponse (RSTR) returned after successful authentication.
  The payload is a signed SAML 1.1 bearer assertion. Before accepting it, the relying party must
  (1) validate ds:Signature against its own configured, trusted IdP certificate - not merely the
  certificate embedded in ds:KeyInfo, (2) check that the signed element is this saml:Assertion
  (ds:Reference URI = AssertionID), (3) check Issuer, the Conditions time window and Audience.
-->
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</a:Action>
<!-- Echoes the wsa:MessageID of the request; the client should check it matches the request it sent -->
<a:RelatesTo>urn:uuid:BCA8CE3D-D522-46E5-85F6-101E8CDFD730</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<!-- Message-level timestamp: a 5-minute window in this example. Note these values carry no time-zone
     designator, unlike the saml:Conditions below which end in "Z" - presumably UTC, confirm with the server -->
<u:Timestamp u:Id="_0">
<u:Created>2023-04-19T02:30:59</u:Created>
<u:Expires>2023-04-19T02:35:59</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<!-- Token lifetime; matches the NotBefore/NotOnOrAfter window of the assertion below (20 minutes here).
     NotBefore is 10 minutes before IssueInstant - presumably a clock-skew allowance, confirm -->
<wst:Lifetime>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2023-04-19T02:20:59</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2023-04-19T02:40:59</wsu:Expires>
</wst:Lifetime>
<!-- Echo of the request's wsp:AppliesTo. Per the body parameter table the server does not process this value -->
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://login.partner.microsoftonline.cn</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:RequestedSecurityToken>
<!-- SAML 1.1 assertion (MajorVersion=1, MinorVersion=1). Issuer must be checked against the expected IdP -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="_3435e7b2-b341-4ff7-9bb2-be89df9245b1" Issuer="https://ryan.idaas-test-alpha.bccastle.com" IssueInstant="2023-04-19T02:30:59Z" >
<!-- Validity window; the relying party must reject assertions outside it (allowing only a small clock skew) -->
<saml:Conditions NotBefore="2023-04-19T02:20:59Z" NotOnOrAfter="2023-04-19T02:40:59Z" >
<saml:AudienceRestrictionCondition>
<!-- The relying party must verify this Audience is its own identifier; it is not derived from the request's
     wsa:Address, which the server does not process -->
<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement >
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test_user@test.bccastle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<!-- Bearer confirmation: whoever presents this assertion is accepted as the subject. Treat the assertion
     like a credential - TLS only, never log it, and keep its lifetime short -->
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<!-- NOTE(review): this claim asserts "multipleauthn" (multi-factor) although the request example above
     carried only a username and password. Relying parties that skip their own MFA on the strength of this
     claim should confirm what the server actually requires before it issues it -->
<saml:Attribute AttributeName="authnmethodsreferences" AttributeNamespace="http://schemas.microsoft.com/claims">
<saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">http://schemas.microsoft.com/claims/multipleauthn</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AuthenticationStatement AuthenticationInstant="2023-04-19T02:30:59Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test_user@test.bccastle.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<!-- Enveloped XML signature over the whole assertion -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<!-- NOTE(review): rsa-sha1 with a sha1 digest. SHA-1 is deprecated for signatures; check whether the
     relying party's signature policy still accepts it, and prefer an RSA-SHA256 profile if the IdP offers one -->
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<!-- The URI must resolve to this saml:Assertion (AssertionID). Verifiers should confirm that the element they
     consume is the one that was actually signed, as a guard against signature-wrapping -->
<ds:Reference URI="#_3435e7b2-b341-4ff7-9bb2-be89df9245b1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xvwfmxXYMBzz1mU8r5vTUWNnFDw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
jijaMvoD7rjZP/IMXo2N78RwBl+gNNIIGkPup/WEGerqEb/9jYbJmMJj+4PV1Mbb+NhJWFZTxsnY
/i/F0leo862tMz0wDBv6mhGna3FvfQT48NR1JFDKX/I4/P5eGkFJYhM7+j6Bk6lD7bxYUewyZAJP
QXV9PFqoEsYKydElBj4yP3JoiDL8llikIo5xSSHaxJn2nEI9ewEGIIuVDZs/ZB0RvIUZpLgOe9/2
2UX+gSRsJlhu2ON2/liCJv3iLzLOGSmQF/YQTSO3KArZ2uJHs6K8phsHZRkvLaYFm9+75E1sttll
zXO/PsYyG6OWPbZi1kamYyaSgfxwaKAO+VrPtQ==
</ds:SignatureValue>
<!-- The embedded certificate is informational only. A forged assertion can embed any certificate, so the
     verifier must match it against the IdP certificate it already trusts rather than trusting it from here -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<!-- Both references identify the issued assertion by its AssertionID -->
<wst:RequestedAttachedReference>
<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_3435e7b2-b341-4ff7-9bb2-be89df9245b1</o:KeyIdentifier>
</o:SecurityTokenReference>
</wst:RequestedAttachedReference>
<wst:RequestedUnattachedReference>
<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_3435e7b2-b341-4ff7-9bb2-be89df9245b1</o:KeyIdentifier>
</o:SecurityTokenReference>
</wst:RequestedUnattachedReference>
<!-- Echo of the request's token type, request type and key type (bearer: no proof key) -->
<wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
</wst:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
# Error Return Example
<!-- SOAP 1.2 Fault returned when authentication fails. Clients should key on the wsse:FailedAuthentication
     subcode rather than on the free-text Reason -->
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Header/>
<env:Body>
<env:Fault>
<env:Code>
<!-- NOTE(review): env:Receiver is the server-side fault code; a bad credential is conventionally reported as
     env:Sender in SOAP 1.2. Do not use the top-level code to decide whether the failure is retryable -->
<env:Value>env:Receiver</env:Value>
<env:Subcode>
<env:Value xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:FailedAuthentication</env:Value>
</env:Subcode>
</env:Code>
<env:Reason>
<!-- NOTE(review): "User is not found" names the specific cause. If a wrong password yields a different Reason
     text, the endpoint lets an attacker enumerate valid usernames; a hardened deployment returns one generic
     reason for every credential failure. Confirm the server's behaviour and do not surface this text to end users -->
<env:Text xml:lang="en">User is not found</env:Text>
</env:Reason>
</env:Fault>
</env:Body>
</env:Envelope>
