Document:
sstc-saml-holder-of-key-browser-sso-draft-08.pdf (Revision 7)

Draft (A preliminary unapproved sketch, outline, or version.)

Details

Submitted By Mr. Nathan Klingenstein on 2008-11-03 7:15 am UTC

Publication Type

None at this time.

Group / Folder

OASIS Security Services (SAML) TC / A.5: Post-V2.0 Working Documents

Modified by

Not modified.

Copy

This document is not a copy.

Technical Contact

None at this time.

Download Count

876

Download Agreement

None at this time.

Description

This profile allows holder-of-key assertions to be transported and validated by standard HTTP user agents with no modification of client software and maximum compatibility with existing deployments. Most of the flows are as in standard Web Browser SSO, but an X.509 certificate presented by the user agent during client TLS authentication demonstrates possession of a key pair for the HTTP transactions. The cryptographic data resulting from TLS authentication is used for holder-of-key validation of the SAML assertion: the service provider confirms the subject by matching the certificate (or key) named in the assertion's holder-of-key SubjectConfirmation against the one presented on the TLS connection. This strengthens the assurance of the resulting authentication context and protects against credential theft, since a stolen assertion is useless without the corresponding private key. The service provider obtains fresh authentication and attribute information without being required to perform successful validation of the certificate itself (chain building or revocation checking); only the match between the TLS certificate and the assertion's key information matters.
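The service-provider side of the validation described above, as an added example that is not part of the draft profile or of any SAML implementation: a holder-of-key SubjectConfirmation is accepted only when its ds:X509Certificate matches the certificate the browser presented over TLS and its NotOnOrAfter has not passed. The assertion, the certificate bytes (a constructed stand-in for real DER, which is enough because the check compares encodings rather than validating a chain) and the element ID are all constructed here; signature verification, XML hardening (defusedxml) and the ds:KeyValue form of KeyInfo are deliberately left out.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-in for the DER bytes of the certificate the browser presented
# during TLS client authentication. Any byte string serves, because the check only
# compares encodings; the profile never asks the SP to validate the certificate.
TLS_CLIENT_CERT_DER = bytes(range(48))

# Constructed, unsigned sample assertion whose holder-of-key SubjectConfirmation
# names that same certificate. A real assertion is signed by the IdP and the
# signature must be verified before anything below is trusted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_hypothetical1" Version="2.0" IssueInstant="2008-11-03T07:15:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData NotOnOrAfter="2008-11-03T07:20:00Z">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(TLS_CLIENT_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime such as 2008-11-03T07:20:00Z into an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # SAML requires UTC; treat a naked value as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def cert_fingerprint(der: bytes) -> bytes:
    """SHA-256 over the DER encoding; comparing digests keeps the match constant-time."""
    return hashlib.sha256(der).digest()


def holder_of_key_confirmed(assertion_xml: str, tls_cert_der: bytes, now: datetime) -> bool:
    """True if at least one holder-of-key SubjectConfirmation names the TLS client
    certificate and has not expired (SAML Core: the subject is confirmed when any one
    SubjectConfirmation can be confirmed)."""
    root = ET.fromstring(assertion_xml)  # production: defusedxml, after ds:Signature check
    expected = cert_fingerprint(tls_cert_der)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer / sender-vouches confirmations carry no proof of possession
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            continue
        not_on_or_after = scd.get("NotOnOrAfter")
        if not_on_or_after and now >= parse_saml_instant(not_on_or_after):
            continue  # stale confirmation; freshness is part of what the profile promises
        for el in scd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((el.text or "").split()), validate=True)
            except (binascii.Error, ValueError):
                continue  # malformed KeyInfo is never a match
            if hmac.compare_digest(cert_fingerprint(der), expected):
                return True
    return False


if __name__ == "__main__":
    now = parse_saml_instant("2008-11-03T07:16:00Z")
    print("same cert:", holder_of_key_confirmed(SAMPLE_ASSERTION, TLS_CLIENT_CERT_DER, now))
    print("other cert:", holder_of_key_confirmed(SAMPLE_ASSERTION, bytes(range(1, 49)), now))
```

The check deliberately rejects rather than falls back to bearer handling when the method, key material or validity window does not line up; an SP that silently downgrades to bearer semantics loses exactly the credential-theft protection the profile is meant to provide.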