Subject: Groups - sstc-saml-holder-of-key-browser-sso-draft-01.pdf (sstc-saml-holder-of-key-browser-sso-draft-01.pdf) uploaded
As part of my work for the National Institute of Informatics and the UPKI initiative, I've been working on a modified Web Browser SSO profile for SAML 2.0 that uses holder-of-key confirmation for the client rather than bearer authentication. The keys for this confirmation are supplied through TLS using client certificates. This results in a more secure sign-on process and, particularly, a more secure resulting session at the SP. There is no need for the SP to do PKI validation or know anything about the client certificate itself.

It'll be difficult for me to attend initial conference calls, but I should be able to make it. If not, I'll appoint a representative and rely on minutes. I'd like to particularly thank all the acknowledged and unacknowledged contributors who have already pitched in their ideas, and look forward to more helpful refinement from potential implementors and standards veterans here. Thanks a lot for the warm welcome.

-- Mr. Nathan Klingenstein

The document named sstc-saml-holder-of-key-browser-sso-draft-01.pdf (sstc-saml-holder-of-key-browser-sso-draft-01.pdf) has been submitted by Mr. Nathan Klingenstein to the OASIS Security Services (SAML) TC document repository.

Document Description:
This profile allows for transport and validation of holder-of-key assertions by standard HTTP user agents with no modification of client software and maximum compatibility with existing deployments. Most of the flows are as in standard Web Browser SSO, but an X.509 certificate presented by the user agent supplies a valid keypair through client TLS authentication for HTTP transactions. Cryptographic data resulting from TLS authentication is used for holder-of-key validation of a SAML assertion. This strengthens the assurance of the resulting authentication context and protects against credential theft, giving the service provider fresh authentication and attribute information without requiring it to perform successful validation of the certificate.
View Document Details: http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=27366

Download Document: http://www.oasis-open.org/apps/org/workgroup/security/download.php/27366/sstc-saml-holder-of-key-browser-sso-draft-01.pdf

PLEASE NOTE: If the above links do not work for you, your email application may be breaking the link into two pieces. You may be able to copy and paste the entire link address into the address field of your web browser.

-- OASIS Open Administration
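The service-provider-side check the description above relies on, as an added example that is not part of the announcement or of the draft profile: the certificate the user agent presented during TLS client authentication is compared against the certificate carried in the assertion's holder-of-key SubjectConfirmation, with no certificate-chain validation. The namespace URIs and the `urn:oasis:names:tc:SAML:2.0:cm:holder-of-key` method are those of SAML 2.0 core; the assertion layout (ds:KeyInfo inside a KeyInfoConfirmationDataType SubjectConfirmationData), the recipient URL and the certificate bytes are constructed for the demo, and verification of the IdP signature over the assertion is assumed to happen elsewhere.

```python
"""Holder-of-key confirmation at the SP, as described in the draft profile.

Added example (not from the SSTC draft or any OASIS code). The TLS layer has
already proved that the client holds the private key for the certificate it
presented; the SP therefore only has to check that the *same* certificate is
named in the assertion's holder-of-key SubjectConfirmation. No PKI / chain
validation of the client certificate is performed.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
RECIPIENT = "https://sp.example.org/SAML2/POST"  # constructed SP endpoint

# Constructed stand-ins for DER-encoded client certificates. Real code gets the
# bytes from the TLS stack (e.g. ssl.SSLSocket.getpeercert(binary_form=True)).
TLS_CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-der-placeholder-not-a-real-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x00another-constructed-placeholder-cert"


def make_assertion(cert_der: bytes, method: str = HOK_METHOD,
                   recipient: str = RECIPIENT,
                   not_on_or_after: str = "2099-01-01T00:00:00Z") -> str:
    """Build a minimal, unsigned, constructed SAML 2.0 assertion for the demo."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_hok-demo" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.ac.jp/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.ac.jp</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType"
          Recipient="{recipient}" NotOnOrAfter="{not_on_or_after}">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{b64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def _parse_time(s: str) -> datetime:
    """Parse the xs:dateTime form SAML uses (UTC, 'Z' suffix)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def confirm_holder_of_key(assertion_xml: str, tls_cert_der: bytes,
                          expected_recipient: str = RECIPIENT,
                          now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when a holder-of-key
    SubjectConfirmation names exactly the certificate presented over TLS
    and its Recipient / NotOnOrAfter conditions hold."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    presented = hashlib.sha256(tls_cert_der).digest()

    for sc in root.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer (or other) confirmations carry no key binding
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            continue
        if scd.get("Recipient") != expected_recipient:
            return False, "Recipient does not match this SP endpoint"
        noa = scd.get("NotOnOrAfter")
        if noa is None or now >= _parse_time(noa):
            return False, "confirmation expired or has no NotOnOrAfter"
        # Compare digests of the DER bytes in constant time; the chain is
        # deliberately NOT validated, as the profile does not require it.
        for cert_el in scd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            asserted = hashlib.sha256(base64.b64decode(cert_el.text.strip())).digest()
            if hmac.compare_digest(asserted, presented):
                return True, "holder-of-key confirmed"
        return False, "TLS client certificate does not match the asserted key"
    return False, "no holder-of-key SubjectConfirmation present"


if __name__ == "__main__":
    print(confirm_holder_of_key(make_assertion(TLS_CLIENT_CERT_DER), TLS_CLIENT_CERT_DER))
    print(confirm_holder_of_key(make_assertion(OTHER_CERT_DER), TLS_CLIENT_CERT_DER))
```

Because the comparison is against the certificate the TLS layer already authenticated, a stolen assertion is useless to anyone who does not also hold the matching private key, which is the credential-theft protection the description refers to. A production SP would still verify the IdP's signature on the assertion and its Conditions element before reaching this step.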