vCenter Single Sign-On SOAP Message Structure

The requirements listed in the following table apply to the SOAP message structure in vCenter Single Sign-On message exchange.
Table: vCenter Single Sign-On SOAP Message Structure

Element: SOAP envelope
Message requirements:
All <wst:RequestSecurityToken>, <wst:RequestSecurityTokenResponse>, and <wst:RequestSecurityTokenResponseCollection> elements must be sent as the single direct child of the body of a SOAP 1.1 <S11:Envelope> element.
Use HTTP POST to send all vCenter Single Sign-On SOAP messages over an SSL/TLS-protected channel. Set the SOAPAction HTTP header field to the appropriate message binding.
The <wsse:Security> header in a vCenter Single Sign-On request must contain a <wsu:Timestamp> element.

Element: SOAP message signature
Message requirements:
If a signature is applied to a request, it must include:
  • Either the <S11:Body>, or the WS-Trust element as a direct child of the <S11:Body>
  • The <wsu:Timestamp>, if present, in the <S11:Header>
Exclusive canonicalization without comments (xml-exc-c14n) must be used prior to signature generation.
The signature certificate must be carried within either a <wsse:BinarySecurityToken> or a <saml:Assertion> in the <wsse:Security> header of the <S11:Header>.
The signature must contain a <wsse:SecurityTokenReference> that uses an internal direct reference to the <wsse:BinarySecurityToken>.
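
The following is an added example, not VMware code: a structural check of a request against the requirements above, useful as a pre-send lint or when reviewing captured messages. The function name `check_sso_message`, the constructed `SAMPLE` message and its Id values are hypothetical, and the check assumes that signed elements are identified by `wsu:Id` and that the canonicalization requirement appears as the `<ds:CanonicalizationMethod>` algorithm. It inspects structure only and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"S11": "http://schemas.xmlsoap.org/soap/envelope/",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsse": WSS + "secext-1.0.xsd", "wsu": WSS + "utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
WSU_ID = "{%s}Id" % NS["wsu"]
WS_TRUST = {"{%s}RequestSecurityToken%s" % (NS["wst"], s)
            for s in ("", "Response", "ResponseCollection")}

SAMPLE = """<S11:Envelope xmlns:S11="{S11}" xmlns:wst="{wst}" xmlns:wsse="{wsse}"
    xmlns:wsu="{wsu}" xmlns:ds="{ds}"><S11:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="ts"/><wsse:BinarySecurityToken wsu:Id="cert"/>
  <ds:Signature><ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:Reference URI="#body"/><ds:Reference URI="#ts"/></ds:SignedInfo>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#cert"/>
    </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security></S11:Header>
<S11:Body wsu:Id="body"><wst:RequestSecurityToken/></S11:Body></S11:Envelope>
""".format(**NS)  # constructed sample; certificate, digest and signature values omitted

def check_sso_message(xml_text):
    """Return the list of violated structure requirements (empty = OK)."""
    root, errs = ET.fromstring(xml_text), []
    body = root.find("S11:Body", NS)
    kids = list(body) if body is not None else []
    if len(kids) != 1 or kids[0].tag not in WS_TRUST:
        errs.append("Body needs exactly one WS-Trust child")
    sec = root.find("S11:Header/wsse:Security", NS)
    ts = sec.find("wsu:Timestamp", NS) if sec is not None else None
    if ts is None:
        errs.append("wsse:Security lacks wsu:Timestamp")
    sig = sec.find("ds:Signature", NS) if sec is not None else None
    if sig is None:
        return errs  # signing is optional; the remaining rules apply only if signed
    refs = {r.get("URI", "").lstrip("#") for r in sig.iterfind("ds:SignedInfo/ds:Reference", NS)}
    if not refs & {e.get(WSU_ID) for e in [body] + kids if e is not None}:
        errs.append("signature covers neither Body nor its child")
    if ts is not None and ts.get(WSU_ID) not in refs:
        errs.append("signature does not cover Timestamp")
    c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
    if c14n is None or c14n.get("Algorithm") != EXC_C14N:
        errs.append("canonicalization is not xml-exc-c14n")
    bst = sec.find("wsse:BinarySecurityToken", NS)
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if bst is not None and (ref is None or ref.get("URI") != "#%s" % bst.get(WSU_ID)):
        errs.append("SecurityTokenReference does not reference the BinarySecurityToken")
    return errs
```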