RE: [saml-dev] RE: How to provide SAML assertions in RESTful services

["Scott Cantor" <cantor.2@osu.edu>]

> So what specification do you use to associate a user's SAML assertion
> with the TLS client-authentication?

That's what "holder of key" confirmation means. The analagous spec is the
HoK Web Browser SSO profile, of which there is no ECP variant formally but
the idea is the same.

I don't know if this is the user's assertion here. Why would it be? If this
is an n-tier use case, this is delegation. It is generally invalid to use
the user's original assertion if the client is not the user's system. That
would be done by exchanging the SSO token from the user for a delegation
token issued for use by the service. That token can be obtained via ECP and
bound to the service's key if client TLS can be used on the REST calls.

> And is this in addition to authenticating the client system?

You haven't sufficiently defined the use case, let's put it that way.

But what I think you're doing is exactly what we did for delegation of
service access. We haven't done a variant of it with client TLS between the
tiers yet, it's bearer initially. The next phase after improving the code
would be adding HoK.

https://spaces.internet2.edu/display/ShibuPortal/Solution+Proposal

That is much stronger than the crazy things people do passing around SSO
tokens without regard for their security properties.

-- Scott