RequestSecurityToken is missing AppliesTo RRS feed

  • Question

  • I’m trying to invoke PingFederate STS service to get a saml token like this:

                var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
                binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

                var factory = new System.ServiceModel.Security.WSTrustChannelFactory(binding, _idpAddress)
                    TrustVersion = TrustVersion.WSTrust13

                factory.Credentials.UserName.UserName = "test";
                factory.Credentials.UserName.Password = "test";

                var rst = new RequestSecurityToken()
                    AppliesTo = new EndpointReference("sts:name"),
                    RequestType = RequestTypes.Issue,
                    KeyType = KeyTypes.Symmetric,

                    TokenType = null

                var ret = factory.CreateChannel().Issue(rst);

    Looking at the actual message sent to the server the AppliesTo is absent and TokenType has changed:

        <trust:RequestSecurityToken Context="uuid-6f394e3f-6d19-4d21-92a6-a628157a0c84-1" xmlns:trust="">
          <trust:BinaryExchange ValueType=""

    Anyone knows why the RequestSecurityToken has changed compared to the configuration? PingFederate needs the AppliesTo in the request.

    Thanks in advance.

    Friday, December 4, 2015 9:50 AM

All replies

  • Hi Ole-JakobK,

    AS far as I know, When the AppliesTo policy is enabled, it is no longer necessary to

    specify the required token type and key type in the message that is sent to the STS.

    You use the AppliesTo policy to specify which target endpoint the issued token is needed

    for and the STS looks up the target endpoint to discover the policies that apply to the

    issued token.

    Best Regards,


    Monday, December 7, 2015 6:42 AM
  • Hi,

    Thanks for the answer. I testet with only AppliesTo in the RequestSecurityToken but still the output is exactly the same. Same problem. I really don't understand why the Issue() operation require a RequestSecurityToken as a parameter since the output xml is unchanged anyway.

    Thursday, December 10, 2015 11:18 AM
  • Where do you get the applyto policy in sts
    Thursday, June 23, 2016 4:19 PM