[MS-ADFSPIP]: Active Directory Federation Services and Proxy Integration Protocol

Intellectual Property Rights Notice for Open Specifications Documentation

Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions.

Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit

Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Revision Summary

Date / Revision History / Revision Class / Comments
8/8/2013 / 1.0 / New / Released new document.
11/14/2013 / 2.0 / Major / Significantly changed the technical content.
2/13/2014 / 3.0 / Major / Significantly changed the technical content.
5/15/2014 / 3.0 / None / No change to the meaning, language, or formatting of the technical content.
6/30/2015 / 4.0 / Major / Significantly changed the technical content.
7/14/2016 / 5.0 / Major / Significantly changed the technical content.

Table of Contents

1 Introduction
1.1 Glossary
1.2 References
1.2.1 Normative References
1.2.2 Informative References
1.3 Overview
1.4 Relationship to Other Protocols
1.5 Prerequisites/Preconditions
1.6 Applicability Statement
1.7 Versioning and Capability Negotiation
1.8 Vendor-Extensible Fields
1.9 Standards Assignments
2 Messages
2.1 Transport
2.2 Common Data Types
2.2.1 HTTP Headers
2.2.1.1 X-MS-Proxy
2.2.1.2 X-MS-Forwarded-Client-IP
2.2.1.3 X-MS-Endpoint-Absolute-Path
2.2.1.4 X-MS-Target-Role
2.2.1.5 X-MS-ADFS-Proxy-Client-IP
2.2.2 Complex Types
2.2.2.1 Proxy Trust
2.2.2.2 Proxy Trust Renewal
2.2.2.3 Proxy Relying Party Trust
2.2.2.4 Configuration
2.2.2.5 Relying Party Trust List
2.2.2.6 Relying Party Trust
2.2.2.7 Relying Party Trust Publishing Settings
2.2.2.8 Store Entry List
2.2.2.9 Store Entry
2.2.2.10 Store Entry Key and Value
2.2.2.11 Serialized Request with Certificate
2.2.2.12 Port Type
2.2.2.13 Credential Collection Scheme
2.2.2.14 TLS Query Behavior
2.2.2.15 Certificate Validation
2.2.2.16 Certificate Type
2.2.2.17 Proxy Token
2.2.2.18 Combined Token
2.2.2.19 Proxy Token Wrapper
2.2.2.20 Authentication Request
2.2.2.21 Error Response
3 Protocol Details
3.1 Common Details
3.1.1 Abstract Data Model
3.1.1.1 Server State
3.1.1.2 Client State
3.1.1.3 Relying Party Trust State
3.1.2 Timers
3.1.3 Initialization
3.1.4 Higher-Layer Triggered Events
3.1.5 Message Processing Events and Sequencing Rules
3.1.6 Timer Events
3.1.7 Other Local Events
3.2 Proxy Registration Server Details
3.2.1 Abstract Data Model
3.2.2 Timers
3.2.3 Initialization
3.2.4 Higher-Layer Triggered Events
3.2.5 Message Processing Events and Sequencing Rules
3.2.5.1 Proxy/EstablishTrust
3.2.5.1.1 POST
3.2.5.1.1.1 Request Body
3.2.5.1.1.2 Response Body
3.2.5.1.1.3 Processing Details
3.2.5.2 Proxy/RenewTrust
3.2.5.2.1 POST
3.2.5.2.1.1 Request Body
3.2.5.2.1.2 Response Body
3.2.5.2.1.3 Processing Details
3.2.5.3 Proxy/WebApplicationProxy/Trust
3.2.5.3.1 GET
3.2.5.3.1.1 Request Body
3.2.5.3.1.2 Response Body
3.2.5.3.1.3 Processing Details
3.2.5.3.2 POST
3.2.5.3.2.1 Request Body
3.2.5.3.2.2 Response Body
3.2.5.3.2.3 Processing Details
3.2.5.3.3 DELETE
3.2.5.3.3.1 Request Body
3.2.5.3.3.2 Response Body
3.2.5.3.3.3 Processing Details
3.2.6 Timer Events
3.2.7 Other Local Events
3.3 Proxy Registration Client Details
3.3.1 Abstract Data Model
3.3.2 Timers
3.3.3 Initialization
3.3.4 Higher-Layer Triggered Events
3.3.5 Message Processing Events and Sequencing Rules
3.3.5.1 Proxy/EstablishTrust
3.3.5.1.1 POST
3.3.5.1.1.1 Request Body
3.3.5.1.1.2 Response Body
3.3.5.1.1.3 Processing Details
3.3.5.2 Proxy/RenewTrust
3.3.5.2.1 POST
3.3.5.2.1.1 Request Body
3.3.5.2.1.2 Response Body
3.3.5.2.1.3 Processing Details
3.3.5.3 Proxy/WebApplicationProxy/Trust
3.3.5.3.1 GET
3.3.5.3.1.1 Request Body
3.3.5.3.1.2 Response Body
3.3.5.3.1.3 Processing Details
3.3.5.3.2 POST
3.3.5.3.2.1 Request Body
3.3.5.3.2.2 Response Body
3.3.5.3.2.3 Processing Details
3.3.5.3.3 DELETE
3.3.5.3.3.1 Request Body
3.3.5.3.3.2 Response Body
3.3.5.3.3.3 Processing Details
3.3.6 Timer Events
3.3.7 Other Local Events
3.4 Service Configuration Server Details
3.4.1 Abstract Data Model
3.4.2 Timers
3.4.3 Initialization
3.4.4 High-Layer Triggered Events
3.4.5 Message Processing Events and Sequencing Rules
3.4.5.1 Proxy/GetConfiguration
3.4.5.1.1 GET
3.4.5.1.1.1 Request Body
3.4.5.1.1.2 Response Body
3.4.5.1.1.3 Processing Details
3.4.5.2 Proxy/RelyingPartyTrusts
3.4.5.2.1 GET
3.4.5.2.1.1 Request Body
3.4.5.2.1.2 Response Body
3.4.5.2.1.3 Processing Details
3.4.5.3 Proxy/RelyingPartyTrusts/
3.4.5.3.1 GET
3.4.5.3.1.1 Request Body
3.4.5.3.1.2 Response Body
3.4.5.3.1.3 Processing Details
3.4.6 Timer Events
3.4.7 Other Local Events
3.5 Service Configuration Client Details
3.5.1 Abstract Data Model
3.5.2 Timers
3.5.3 Initialization
3.5.4 High-Layer Triggered Events
3.5.5 Message Processing Events and Sequencing Rules
3.5.5.1 Proxy/GetConfiguration
3.5.5.1.1 GET
3.5.5.1.1.1 Request Body
3.5.5.1.1.2 Response Body
3.5.5.1.1.3 Processing Details
3.5.5.2 Proxy/RelyingPartyTrusts
3.5.5.2.1 GET
3.5.5.2.1.1 Request Body
3.5.5.2.1.2 Response Body
3.5.5.2.1.3 Processing Details
3.5.5.3 Proxy/RelyingPartyTrusts/
3.5.5.3.1 GET
3.5.5.3.1.1 Request Body
3.5.5.3.1.2 Response Body
3.5.5.3.1.3 Processing Details
3.5.6 Timer Events
3.5.7 Other Local Events
3.6 Proxy Configuration Server Details
3.6.1 Abstract Data Model
3.6.2 Timers
3.6.3 Initialization
3.6.4 High-Layer Triggered Events
3.6.5 Message Processing Events and Sequencing Rules
3.6.5.1 Proxy/WebApplicationProxy/Store
3.6.5.1.1 GET
3.6.5.1.1.1 Request Body
3.6.5.1.1.2 Response Body
3.6.5.1.1.3 Processing Details
3.6.5.2 Proxy/WebApplicationProxy/Store/
3.6.5.2.1 GET
3.6.5.2.1.1 Request Body
3.6.5.2.1.2 Response Body
3.6.5.2.1.3 Processing Details
3.6.5.2.2 POST
3.6.5.2.2.1 Request Body
3.6.5.2.2.2 Response Body
3.6.5.2.2.3 Processing Details
3.6.5.2.3 PUT
3.6.5.2.3.1 Request Body
3.6.5.2.3.2 Response Body
3.6.5.2.3.3 Processing Details
3.6.5.2.4 DELETE
3.6.5.2.4.1 Request Body
3.6.5.2.4.2 Response Body
3.6.5.2.4.3 Processing Details
3.6.6 Timer Events
3.6.7 Other Local Events
3.7 Proxy Configuration Client Details
3.7.1 Abstract Data Model
3.7.2 Timers
3.7.3 Initialization
3.7.4 High-Layer Triggered Events
3.7.5 Message Processing Events and Sequencing Rules
3.7.5.1 Proxy/WebApplicationProxy/Store
3.7.5.1.1 GET
3.7.5.1.1.1 Response Body
3.7.5.1.1.2 Request Body
3.7.5.1.1.3 Processing Details
3.7.5.2 Proxy/WebApplicationProxy/Store/
3.7.5.2.1 GET
3.7.5.2.1.1 Request Body
3.7.5.2.1.2 Response Body
3.7.5.2.1.3 Processing Details
3.7.5.2.2 POST
3.7.5.2.2.1 Request Body
3.7.5.2.2.2 Response Body
3.7.5.2.2.3 Processing Details
3.7.5.2.3 PUT
3.7.5.2.3.1 Request Body
3.7.5.2.3.2 Response Body
3.7.5.2.3.3 Processing Details
3.7.5.2.4 DELETE
3.7.5.2.4.1 Request Body
3.7.5.2.4.2 Response Body
3.7.5.2.4.3 Processing Details
3.7.6 Timer Events
3.7.7 Other Local Events
3.8 Application Publishing Server Details
3.8.1 Abstract Data Model
3.8.2 Timers
3.8.3 Initialization
3.8.4 High-Layer Triggered Events
3.8.5 Message Processing Events and Sequencing Rules
3.8.5.1 Proxy/RelyingPartyTrusts/{Identifier}/PublishedSettings
3.8.5.1.1 POST
3.8.5.1.1.1 Request Body
3.8.5.1.1.2 Response Body
3.8.5.1.1.3 Processing Details
3.8.5.1.2 DELETE
3.8.5.1.2.1 Request Body
3.8.5.1.2.2 Response Body
3.8.5.1.2.3 Processing Details
3.8.6 Timer Events
3.8.7 Other Local Events
3.9 Application Publishing Client Details
3.9.1 Abstract Data Model
3.9.2 Timers
3.9.3 Initialization
3.9.4 High-Layer Triggered Events
3.9.5 Message Processing Events and Sequencing Rules
3.9.5.1 Proxy/RelyingPartyTrusts/{Identifier}/PublishedSettings
3.9.5.1.1 POST
3.9.5.1.1.1 Request Body
3.9.5.1.1.2 Response Body
3.9.5.1.1.3 Processing Details
3.9.5.1.2 DELETE
3.9.5.1.2.1 Request Body
3.9.5.1.2.2 Response Body
3.9.5.1.2.3 Processing Details
3.9.6 Timer Events
3.9.7 Other Local Events
3.10 Proxy Runtime Behaviors Server Details
3.10.1 Abstract Data Model
3.10.2 Timers
3.10.3 Initialization
3.10.4 High-Layer Triggered Events
3.10.5 Message Processing Events and Sequencing Rules
3.10.5.1 BackEndProxyTLS
3.10.5.1.1 POST
3.10.5.1.1.1 Request Body
3.10.5.1.1.2 Response Body
3.10.5.1.1.3 Processing Details
3.10.6 Timer Events
3.10.7 Other Local Events
3.11 Proxy Runtime Behaviors Client Details
3.11.1 Abstract Data Model
3.11.2 Timers
3.11.3 Initialization
3.11.4 High-Layer Triggered Events
3.11.5 Message Processing Events and Sequencing Rules
3.11.5.1 End-user X509 Certificate Processing
3.11.6 Timer Events
3.11.7 Other Local Events
3.12 Application Proxy Runtime Behaviors Server Details
3.12.1 Abstract Data Model
3.12.2 Timers
3.12.3 Initialization
3.12.4 High-Layer Triggered Events
3.12.5 Message Processing Events and Sequencing Rules
3.12.5.1 Issue Preauthentication
3.12.5.1.1 Proxy Preauthentication
3.12.5.1.1.1 Request Body
3.12.5.1.1.2 Response Body
3.12.5.1.1.3 Processing Details
3.12.5.1.2 SAML-P Extensions for Preauthentication
3.12.5.1.3 WS-Fed Extensions for Preauthentication
3.12.5.1.4 OAuth Extensions for Preauthentication
3.12.5.1.5 Proxy Preauthentication for Active Clients
3.12.5.1.5.1 Request Body
3.12.5.1.5.2 Response Body
3.12.5.1.5.3 Processing Details
3.12.6 Timer Events
3.12.7 Other Local Events
3.13 Application Proxy Runtime Behaviors Client Details
3.13.1 Abstract Data Model
3.13.2 Timers
3.13.3 Initialization
3.13.4 High-Layer Triggered Events
3.13.5 Message Processing Events and Sequencing Rules
3.13.5.1 Preauthentication
3.13.5.1.1 Query String Based Preauthentication
3.13.5.1.2 HTTP Authorization Header Based Preauthentication
3.13.5.2 Initiate Preauthentication
3.13.5.2.1 Initiate Redirect-based Preauthentication
3.13.5.2.2 Response to [MS-OFBA] Requests
3.13.5.2.3 Response to Active Requests
3.13.6 Timer Events
3.13.7 Other Local Events
4 Protocol Examples
4.1 Establishing Proxy Trust with the Server
4.1.1 Client Request
4.1.2 Server Response
4.2 Getting Information about All Relying Party Trusts
4.2.1 Client Request
4.2.2 Server Response
4.3 Create a New Set of Published Settings on a Relying Party Trust
4.3.1 Client Request
4.3.2 Server Response
4.4 Remove an Existing Set of Published Settings on a Relying Party Trust
4.4.1 Client Request
4.4.2 Server Response
4.5 Add a Key Value Pair to the Store
4.5.1 Client Request
4.5.2 Server Response
4.6 Retrieve a Value of a Key from the Store
4.6.1 Client Request
4.6.2 Server Response
4.7 Update the Value of a Key Already in the Store
4.7.1 Client Request
4.7.2 Server Response
4.8 Create a new Proxy Relying Party Trust
4.8.1 Client Request
4.8.2 Server Response
4.9 Get the Proxy Relying Party Trust
4.9.1 Client Request
4.9.2 Server Response
5 Security
5.1 Security Considerations for Implementers
5.2 Index of Security Parameters
6 Appendix A: Full JSON Schema
7 Appendix B: Product Behavior
8 Change Tracking
9 Index

1 Introduction

This is a specification of the Active Directory Federation Services and Proxy system and the protocols that define the interaction behaviors between Active Directory Federation Services (AD FS) and the Web Application Proxy, or simply Proxy. It describes the intended functionality of the system and how the protocols in this system interact.

Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.

1.1 Glossary

This document uses the following terms:

Active Directory Federation Services (AD FS): A Microsoft implementation of a federation services provider, which provides a security token service (STS) that can issue security tokens to a caller using various protocols such as WS-Trust, WS-Federation, and Security Assertion Markup Language (SAML) version 2.0.

Active Directory Federation Services and Proxy system: A system of features and protocols whereby a client located outside the boundaries of a corporate network can access application services located inside those boundaries.

Coordinated Universal Time (UTC): A high-precision atomic time standard that approximately tracks Universal Time (UT). It is the basis for legal, civil time all over the Earth. Time zones around the world are expressed as positive and negative offsets from UTC. In this role, it is also referred to as Zulu time (Z) and Greenwich Mean Time (GMT). In these specifications, all references to UTC refer to the time at UTC-0 (or GMT).

extended key usage (EKU): An X.509 certificate extension that indicates one or more purposes for which the certificate can be used.

farm configuration: A collection of servers, each of which provides the same services, and to any of which a service request can be routed for load balancing.

internal network: The portion of the corporate network that is protected by a firewall.

non-claims-aware: A characteristic of a network device or application that makes it unable to participate in claims-based authentication.

perimeter network: The portion of the corporate network that is on the outside of the firewall and is exposed to external network traffic.

pre-authentication: In Active Directory Federation Services (AD FS), the act of enforcing authentication of a user on the edge of a protected network boundary.

proxy: A network node that accepts network traffic originating from one network agent and transmits it to another network agent.

token: A set of rights and privileges for a given user.

Web Application Proxy: A set of components that provide proxy services for clients that are requesting access to application services inside the boundaries of a corporate network.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

1.2 References

Links to a document in the Microsoft Open Specifications library point to the correct section in the most recently published version of the referenced document. However, because individual documents in the library are not updated at the same time, the section numbers in the documents may not match. You can confirm the correct section numbering by checking the Errata.

1.2.1 Normative References

We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact . We will assist you in finding the relevant information.

[IETFDRAFT-JWS] Internet Engineering Task Force (IETF), "JSON Web Signature (JWS)", draft-ietf-jose-json-web-signature-10, April 2013,

[IETFDRAFT-TOKBND] Balfanz, D., Langley, A., Nystroem, M., et al., "Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation", draft-popov-tokbind-negotiation-00, May 2015,

[MS-OAPX] Microsoft Corporation, "OAuth 2.0 Protocol Extensions".

[MS-OFBA] Microsoft Corporation, "Office Forms Based Authentication Protocol".

[MS-PKAP] Microsoft Corporation, "Public Key Authentication Protocol".

[RFC1422] Kent, S., "Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management", RFC 1422, February 1993,

[RFC1738] Berners-Lee, T., Masinter, L., and McCahill, M., Eds., "Uniform Resource Locators (URL)", RFC 1738, December 1994,

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997,

[RFC2246] Dierks, T., and Allen, C., "The TLS Protocol Version 1.0", RFC 2246, January 1999,

[RFC2478] Baize, E. and Pinkas, D., "The Simple and Protected GSS-API Negotiation Mechanism", RFC 2478, December 1998,

[RFC2616] Fielding, R., Gettys, J., Mogul, J., et al., "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999,

[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., et al., "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999,

[RFC3280] Housley, R., Polk, W., Ford, W., and Solo, D., "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002,

[RFC3339] Klyne, G. and Newman, C., "Date and Time on the Internet: Timestamps", RFC 3339, July 2002,

[RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., et al., "Internet X.509 Public Key Infrastructure: Certification Path Building", RFC 4158, September 2005,

[RFC4559] Jaganathan, K., Zhu, L., and Brezak, J., "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows", RFC 4559, June 2006,

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006,

[RFC793] Postel, J., Ed., "Transmission Control Protocol: DARPA Internet Program Protocol Specification", RFC 793, September 1981,

[SAMLCore2] Cantor, S., Kemp, J., Philpott, R., and Maler, E., Eds., "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0", March 2005,

[WSFederation1.2] Kaler, C., McIntosh, M., "Web Services Federation Language (WS-Federation)", Version 1.2, May 2009,

1.2.2 Informative References

[RFC6101] Freier, A., Karlton, P., and Kocher, P., "The Secure Sockets Layer (SSL) Protocol Version 3.0", RFC 6101, August 2011,

[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012,

[WSFederation] Kaler, C., Nadalin, A., Bajaj, S., et al., "Web Services Federation Language (WS-Federation)", Version 1.1, December 2006,

1.3 Overview

The Active Directory Federation Services and Proxy system provides services for authentication, authorization, and access to application services located inside the boundaries of the corporate network for clients that are located outside that boundary. The system is composed of Active Directory Federation Services (AD FS) and the Proxy.

AD FS is located inside the boundaries of the corporate network and can run on one server or multiple servers (also known as a "farm configuration"). It is a collection of authentication and authorization services exposed to clients over the HTTP protocol [RFC2616]. AD FS implements a set of application authentication protocols including WS-Federation [WSFederation], SAML-P [SAMLCore2], and OAuth [RFC6749].

The Proxy is a service located at the "edge" of the corporate network. It provides proxy services for clients requesting access to application services inside the corporate network and orchestrates access traffic to these services.

The Proxy directs all authentication traffic to the AD FS in the internal network and provisions for certificate-based authentication in particular.

The Proxy publishes application services that are located inside the boundaries of the corporate network and makes them available for access to clients that are outside. It "gates" the access to the network by orchestrating the authentication to the edge through the AD FS before allowing the access to the application service (that is, pre-authentication).

AD FS defines and implements a protocol that the Proxy supports and that allows the Proxy to orchestrate access to the network by authenticating requests to the edge.

The following diagram illustrates the various components of the system.

Figure 1: System components

The following components are part of the Active Directory Federation Services and Proxy system:

AD FS: A federation services provider. In this specification this component will be referred to as the server.

Proxy: Both an authentication and an application proxy. In this specification this component will be referred to as the client.

The following components interact with the Active Directory Federation Services and Proxy system:

Client: These components refer to the type of client (for example, browser or rich client) in addition to the identity of the user and the device that is accessing a particular application service.

Firewall: A component that filters traffic flowing between the perimeter network and the internal network. In the system described, web traffic is allowed between the Proxy and the AD FS and between the Proxy and the web application.

Web Application: Any web service or application to which a client connects and that typically requires authentication for the user in the client.

This specification describes the distinct areas of interaction between the Proxy and the AD FS.

1.4 Relationship to Other Protocols

The following figure illustrates the relationship of this protocol to other protocols.

Figure 2: Protocols related to the Active Directory Federation Services and Proxy Integration Protocol

This protocol uses TCP [RFC793] as its transport.

Where specified, this protocol uses base64url encoding ([RFC4648] section 5).

1.5 Prerequisites/Preconditions

No prerequisites or preconditions.

1.6 Applicability Statement

The protocols in the Active Directory Federation Services and Proxy system are applicable to any situation in which the following are important:

  1. A proxy for AD FS.
  2. Publishing of web applications or services located behind the firewall to the Internet.
  3. Pre-authentication of clients accessing web applications or services behind a firewall.

1.7 Versioning and Capability Negotiation

This protocol does not provide any mechanism for capability negotiation.

1.8 Vendor-Extensible Fields

This protocol does not provide any vendor-extensible fields.

1.9 Standards Assignments

This protocol has not been assigned any standard parameters.

2 Messages

2.1 Transport

The protocol MUST be transported by HTTP/HTTPS [RFC2616]. The protocol requires HTTP/HTTPS ports as specified in section 2.2.2.4, attributes "HttpPort", "HttpsPort" and "HttpsPortForUserTlsAuth", obtained during Proxy (that is, the Web Application Proxy) server registration (section 3.4.5.1).

2.2 Common Data Types

This section defines the set of resource types that are consumed or produced by this protocol. Common element definitions are included in this section.

2.2.1 HTTP Headers

The following table summarizes the set of HTTP Headers defined by this specification.

Header / Description
X-MS-Endpoint-Absolute-Path / section 2.2.1.3
X-MS-Forwarded-Client-IP / section 2.2.1.2
X-MS-Proxy / section 2.2.1.1
X-MS-Target-Role / section 2.2.1.4
X-MS-ADFS-Proxy-Client-IP / section 2.2.1.5

2.2.1.1 X-MS-Proxy

This header MUST contain the server name of the proxy. It is included when the proxy is processing incoming client requests, as described in the runtime behaviors for the AD FS proxy server details in section 3.6.

String = *(%x20-7E)

X-MS-Proxy = String

2.2.1.2 X-MS-Forwarded-Client-IP

This header MUST contain the value of the IP address of the client sending the request. This header MUST be included when the proxy is processing incoming requests from clients trying to access the server.
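As an added example (not code from the specification), the following Python checks a request's X-MS-Proxy value against the ABNF of section 2.2.1.1 (String = *(%x20-7E)) and its X-MS-Forwarded-Client-IP value against the requirement of section 2.2.1.2 that it carry the client's IP address. The header values and sample requests are constructed, and the separate check that the request actually arrived from a registered proxy is assumed to be done by the caller.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Section 2.2.1.1: String = *(%x20-7E), i.e. zero or more printable US-ASCII
# characters. CR, LF, TAB and any non-ASCII byte fall outside this range.
X_MS_PROXY_VALUE = re.compile(r"[\x20-\x7E]*")

ParsedHeaders = Dict[str, Optional[str]]


def validate_x_ms_proxy(value: str) -> Optional[str]:
    """Return the X-MS-Proxy value if it matches *(%x20-7E), otherwise None."""
    if X_MS_PROXY_VALUE.fullmatch(value) is None:
        return None
    return value


def validate_x_ms_forwarded_client_ip(value: str) -> Optional[str]:
    """Return the client address as a single normalised IP literal, otherwise None.

    Section 2.2.1.2 says the header MUST contain the IP address of the client, so a
    list of addresses (X-Forwarded-For style), a hostname or an empty value is
    treated as malformed rather than partially accepted.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def parse_proxy_headers(
    headers: Dict[str, str],
) -> Tuple[Optional[ParsedHeaders], Optional[str]]:
    """Validate the proxy-supplied headers of sections 2.2.1.1 and 2.2.1.2.

    Returns (parsed, None) on success and (None, reason) on failure. Header names
    are looked up case-insensitively, as HTTP header names are. This function
    checks form only; whether the request came over the connection of a proxy
    whose trust was established per section 3.2.5.1 is a separate check the
    caller must make before relying on either value (assumption of this example).
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    client_ip_raw = lowered.get("x-ms-forwarded-client-ip")
    if client_ip_raw is None:
        return None, "X-MS-Forwarded-Client-IP is missing; it MUST be present on proxied requests"
    client_ip = validate_x_ms_forwarded_client_ip(client_ip_raw)
    if client_ip is None:
        return None, f"X-MS-Forwarded-Client-IP is not a single IP address: {client_ip_raw!r}"

    proxy: Optional[str] = None
    proxy_raw = lowered.get("x-ms-proxy")
    if proxy_raw is not None:
        proxy = validate_x_ms_proxy(proxy_raw)
        if proxy is None:
            return None, "X-MS-Proxy contains characters outside %x20-7E"

    return {"proxy": proxy, "client_ip": client_ip}, None


if __name__ == "__main__":
    # Constructed sample header sets; none of these values come from the specification.
    samples = [
        {"X-MS-Proxy": "wap01.example.test", "X-MS-Forwarded-Client-IP": "203.0.113.7"},
        {"X-MS-Proxy": "wap01.example.test", "X-MS-Forwarded-Client-IP": "203.0.113.7, 10.0.0.1"},
        {"X-MS-Proxy": "wap01\r\nX-Injected: yes", "X-MS-Forwarded-Client-IP": "2001:db8::1"},
        {"X-MS-Proxy": "wap01.example.test"},
    ]
    for sample in samples:
        parsed, reason = parse_proxy_headers(sample)
        print("accepted" if reason is None else "rejected", parsed if reason is None else reason)
```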