The requirements listed in the following table apply to the SOAP message structure in vCenter Single Sign On message exchange.
All <wst:RequestSecurityToken>, <wst:RequestSecurityTokenResponse>, and <wst:RequestSecurityTokenResponseCollection> elements must be sent as the single direct child of the body of a SOAP 1.1 <S11:Envelope> element.
Use HTTP POST to send all vCenter Single Sign On SOAP messages over an SSL/TLS-protected channel.
Set the SOAPAction HTTP header field to the appropriate message binding.
The <wsse:Security> header in a vCenter Single Sign On request must contain a <wsu:Timestamp> element.
Exclusive canonicalization without comments (xml-exc-c14n) must be used prior to signature generation.
The signature certificate must be carried within either a <wsse:BinarySecurityToken> or a <saml:Assertion> within the <wsse:Security> header of the <S11:Header>.
The signature must contain a <wsse:SecurityTokenReference> that uses an internal direct reference to the <wsse:BinarySecurityToken>.
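A structural check for the requirements above, as an added example that is not part of the original page or of the vCenter Single Sign On SDK: it parses a request and returns the rules that fail. The namespace URIs, the function name check_sso_request and the sample message are assumptions constructed for illustration; the check covers message structure only and does not verify the signature value or the transport.

```python
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"S11": "http://schemas.xmlsoap.org/soap/envelope/",  # standard URIs, assumed
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"  # exclusive, no comments
WST_BODY = {"{%s}RequestSecurityToken%s" % (NS["wst"], s)
            for s in ("", "Response", "ResponseCollection")}

def check_sso_request(xml_text):
    root, errs = ET.fromstring(xml_text), []
    if root.tag != "{%s}Envelope" % NS["S11"]:
        return ["root is not a SOAP 1.1 Envelope"]
    kids = root.findall("S11:Body/*", NS)  # direct children of the body
    if len(kids) != 1 or kids[0].tag not in WST_BODY:
        errs.append("Body needs exactly one wst:RequestSecurityToken* child")
    sec = root.find("S11:Header/wsse:Security", NS)
    if sec is None:
        return errs + ["missing wsse:Security header"]
    if sec.find("wsu:Timestamp", NS) is None:
        errs.append("wsse:Security lacks wsu:Timestamp")
    sig = sec.find("ds:Signature", NS)
    if sig is None:  # assumption: signature rules apply only to signed messages
        return errs
    c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
    if c14n is None or c14n.get("Algorithm") != EXC_C14N:
        errs.append("canonicalization is not xml-exc-c14n without comments")
    bst = sec.find("wsse:BinarySecurityToken", NS)
    if bst is None:  # the certificate must then travel in a saml:Assertion
        return errs + ([] if sec.find("saml:Assertion", NS) is not None
                       else ["no BinarySecurityToken or saml:Assertion"])
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    bst_id = bst.get("{%s}Id" % NS["wsu"])
    if ref is None or not bst_id or ref.get("URI") != "#" + bst_id:
        errs.append("no direct SecurityTokenReference to the BinarySecurityToken")
    return errs  # an empty list means the structure is compliant

# Constructed sample request; token and signature contents are placeholders.
SAMPLE = ('<S11:Envelope %s><S11:Header><wsse:Security><wsu:Timestamp/>'
    '<wsse:BinarySecurityToken wsu:Id="bst-1">AAAA</wsse:BinarySecurityToken>'
    '<ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="%s"/>'
    '</ds:SignedInfo><ds:KeyInfo><wsse:SecurityTokenReference>'
    '<wsse:Reference URI="#bst-1"/></wsse:SecurityTokenReference></ds:KeyInfo>'
    '</ds:Signature></wsse:Security></S11:Header><S11:Body><wst:RequestSecurityToken/>'
    '</S11:Body></S11:Envelope>'
    % (" ".join('xmlns:%s="%s"' % kv for kv in NS.items()), EXC_C14N))
```

Calling check_sso_request(SAMPLE) returns an empty list; removing the timestamp, switching the canonicalization algorithm, or pointing the reference at a different Id each yields the matching violation.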