security-services message



Subject: RE: [security-services] Adding channel bindings to signed SAML Requests


> I was always under the impression that one advantage of SAML (un-CB) was
> that the signed SAML assertions are independent objects, regardless of
> underlying transport.

They are. This is about the protocol, primarily, or about a client/server
connection.

> However, I do see that in some cases having proof of binding to a transport
> like TLS is required.

I'm not generally trying to bind the assertion itself to the transport. The
only reason I even allowed for putting anything in the assertion was because
of the "unsigned response, signed assertion" pattern that's fairly common in
SSO.

> Hmmm, not to open a can of worms, but could I then use the SAML
> Request/Response (with CB) to build a key-negotiation protocol for a higher
> layer app?

Probably.

-- Scott



