security-services message



Subject: SOAP client cert authn and how it relates to SAML messages


Hi, a question on SOAP client cert processing and how it relates to SAML messages.
 
When SOAP is used to authenticate a client (client side certs are used), is there a requirement in the specifications that the client that has been authenticated "match" a SAML message being sent? Or is this implementation specific?
 
For example, assume there are 2 Attribute Requesters that can send requests to a single Attribute Authority (SP-a and SP-b). It seems possible that SP-a can authenticate to the Authority using its own certificate and then send a SAML request message whose issuer name is that of SP-b. Since the SOAP binding was used with SSL and client authentication, signatures and encryption were not used in the SAML request message. What I'm trying to find out is whether the SAML specifications allow this or forbid it explicitly.
 
If they forbid it, meaning that the Authority must ensure that the client that authenticated is in fact the same as the issuer of the SAML request, then what is the definition of "the same as the issuer of the SAML request?" I imagine this is implementation specific, where the client cert can come from some set of issuers or perhaps only a specific set of client certs are acceptable.
 
Thanks, Tom.
 

Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
 
Entrust®
Securing Digital Identities
& Information
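The check Tom describes, an Attribute Authority refusing a request whose SAML Issuer does not correspond to the client certificate that authenticated the SOAP/SSL connection, as an added example that is not part of Tom's message or of any SAML specification text. It assumes the TLS terminator hands the application the peer certificate as DER bytes, and it pins each trusted requester entityID to a set of certificate fingerprints; the entityIDs, certificate bytes and the AttributeQuery are all constructed here (a real deployment might instead map a subject DN issued by a trusted CA, which is the other choice Tom mentions).

```python
"""Bind the SOAP/SSL client identity to the <saml:Issuer> of the request.

Added illustration for the scenario in the message above. Assumes the TLS
layer exposes the peer certificate (DER bytes) and that the Attribute
Authority keeps a registry mapping each trusted requester entityID to the
SHA-256 fingerprints of the client certificates it may present. The
registry, the certificate bytes and the sample request are all constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-ins for the DER-encoded client certificates of SP-a and SP-b.
CERT_SP_A = b"constructed-der-bytes-for-SP-a"
CERT_SP_B = b"constructed-der-bytes-for-SP-b"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


# Hypothetical trust registry: Issuer entityID -> allowed client cert fingerprints.
# Pinning the certificate (rather than only the CA) is what makes "the same as
# the issuer" concrete: SP-a's cert is not listed under SP-b's entityID.
TRUSTED_REQUESTERS = {
    "https://sp-a.example.org/metadata": {fingerprint(CERT_SP_A)},
    "https://sp-b.example.org/metadata": {fingerprint(CERT_SP_B)},
}


def extract_issuer(saml_request_xml: str) -> str:
    """Return the Issuer of a SAML 2.0 AttributeQuery, or raise if absent."""
    root = ET.fromstring(saml_request_xml)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError(f"unexpected request element {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("SAML request carries no Issuer")
    return issuer.text.strip()


def issuer_matches_client(saml_request_xml: str, peer_der_cert: bytes,
                          registry=TRUSTED_REQUESTERS) -> bool:
    """True only if the authenticated client cert belongs to the claimed Issuer.

    An unknown Issuer, or a known Issuer presented over a connection that was
    authenticated with another requester's certificate, is rejected.
    """
    issuer = extract_issuer(saml_request_xml)
    allowed = registry.get(issuer)
    if not allowed:
        return False
    return fingerprint(peer_der_cert) in allowed


def attribute_query(issuer: str) -> str:
    """Build a minimal, unsigned AttributeQuery naming the given Issuer (constructed)."""
    return (
        f'<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_constructed-id-1" Version="2.0" IssueInstant="2005-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>"
        f"</samlp:AttributeQuery>"
    )


if __name__ == "__main__":
    honest = attribute_query("https://sp-a.example.org/metadata")
    spoofed = attribute_query("https://sp-b.example.org/metadata")
    print(issuer_matches_client(honest, CERT_SP_A))   # True: SP-a cert, SP-a Issuer
    print(issuer_matches_client(spoofed, CERT_SP_A))  # False: SP-a cert, SP-b Issuer
    print(issuer_matches_client(spoofed, CERT_SP_B))  # True: SP-b cert, SP-b Issuer
```

The lookup is keyed by the claimed Issuer first and then checked against the authenticating certificate, so the case in the message (SP-a's certificate, SP-b's Issuer) fails closed even though the request itself is neither signed nor encrypted.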

 

