Description
This profile allows transport and validation of holder-of-key assertions by standard HTTP user
agents, with no modification of client software and maximum compatibility with existing
deployments. Most of the flow is as in standard Web Browser SSO, but an X.509 certificate
presented by the user agent during TLS client authentication of the HTTP transactions supplies
the key pair. Cryptographic data resulting from that TLS authentication (the certificate, or the
public key it carries) is bound into the assertion by the identity provider and is used by the
service provider for holder-of-key validation: the service provider accepts the assertion only if
the certificate presented in its own TLS session with the user agent matches the one the
assertion names. This strengthens the assurance of the resulting authentication context and
protects against credential theft (a stolen or replayed assertion is useless without the matching
private key), giving the service provider fresh authentication and attribute information without
requiring it to validate the certificate itself: the certificate may be self-signed, since only
proof of possession of its key is checked, and the binding between key and identity rests on the
identity provider's signature over the assertion, which is verified as in standard Web Browser SSO.
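The service-provider side of the holder-of-key check, as an added example that is not part of this profile text or any reference implementation: it pulls the X509Certificate bound under a holder-of-key SubjectConfirmation out of a SAML assertion and compares it byte-for-byte with the DER certificate the server observed in the TLS handshake. The assertion, its ID, the subject name and the certificate bytes are constructed placeholders, not real credentials; the code assumes the assertion's own signature has already been verified and that the presented certificate comes from the TLS layer (for example `ssl.SSLSocket.getpeercert(binary_form=True)`), never from a client-supplied header.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholder "DER" blobs standing in for client certificates.
# Real code would take these from ssl.SSLSocket.getpeercert(binary_form=True).
GOOD_DER = b"\x30\x82" + bytes(range(1, 41))
OTHER_DER = b"\x30\x82" + bytes(range(41, 81))


def build_assertion(method: str, der: bytes) -> str:
    """Construct a minimal assertion (hypothetical ID and subject) carrying
    a certificate inside SubjectConfirmationData/ds:KeyInfo."""
    b64 = base64.b64encode(der).decode()
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}"
    Version="2.0" ID="_example-assertion-1">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>
            {b64}
          </ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def hok_certificates(assertion_xml: str) -> list[bytes]:
    """Return the DER bytes of every X509Certificate found under a
    SubjectConfirmation whose Method is holder-of-key. KeyInfo under a
    bearer confirmation is deliberately ignored: only a holder-of-key
    confirmation makes the key binding meaningful."""
    root = ET.fromstring(assertion_xml)
    certs = []
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if sc.get("Method") != HOK_METHOD:
            continue
        for cert in sc.iter(f"{{{DS_NS}}}X509Certificate"):
            # Base64 in XML is commonly wrapped; strip all whitespace first.
            b64 = "".join((cert.text or "").split())
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def key_holder_matches(assertion_xml: str, presented_der: bytes) -> bool:
    """Core holder-of-key check: the certificate the user agent presented in
    the TLS handshake must be identical to one bound into the assertion.
    No chain validation is performed; the certificate may be self-signed.
    Fails closed when the assertion carries no holder-of-key confirmation."""
    return any(
        hmac.compare_digest(bound, presented_der)
        for bound in hok_certificates(assertion_xml)
    )


if __name__ == "__main__":
    hok = build_assertion(HOK_METHOD, GOOD_DER)
    print("same cert in TLS:     ", key_holder_matches(hok, GOOD_DER))
    print("different cert in TLS:", key_holder_matches(hok, OTHER_DER))
    bearer = build_assertion(BEARER_METHOD, GOOD_DER)
    print("bearer confirmation:  ", key_holder_matches(bearer, GOOD_DER))
```

The comparison is on the whole DER certificate because that is what the TLS layer hands back and what the identity provider embedded; an assertion that instead carries a bare `ds:KeyValue` would need the public key extracted from the presented certificate before comparison, which this example does not cover.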