2.2.1.3.1 Kerberos BinarySecurityToken Element
The Kerberos <BinarySecurityToken> element is specified in [BSP] section 14 and [WSSKTP1.1] section 3 (excluding subsections 3.5 and 3.6). This document overrides the following specifications:
[WSSKTP1.1] section 3.2 specifies multiple @ValueType attribute values. "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" MUST be used.
If a Kerberos token is referenced as specified in [WSSKTP1.1] section 3.3 and [BSP] 14.2, a direct reference conforming to section 2.2.1.1 MUST be used.
If a Kerberos token is present in a <Security> element, a <Signature> element conforming to section 2.2.1.7 MUST be present in the same <Security> element. The <KeyInfo> element of that signature MUST reference the Kerberos token.