OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Confirming how holder-of-key profile works

Hello everybody,

Iīve just read the SAM V2.0 Holder-ok-key Assertion Profile (CD 01, 9 March 2009), and Iīd really appreciate a confirmation about what I think Iīve understood. The scenario Iīm interested in, implies an attesting entity (a user) that tries to get some of their attributes from a SAML issuer (an IdP) in order to use them later in an access to a relying party (a SP). In this scenario, the steps would be:

1.- The user (acting as the attesting entity in the holder-of-key profile) build an attribute self-query saml assertion and send it to the IdP (acting as the SAML issuer)

2.-IdP issues a holder-of-key assertion containing the attributes requested. In this assertion the subject element would refer to the users identification used in the <saml:attributequery>, and the whole assertion were bound to X509 data OF THE USERīS CERTIFICATE (wasnīt it?). This implies that IdP NEEDS to know the X509 certificate of the user.

3.- The holder-of-key assertion would act like an authenticating token, when would be presented to an SP (acting as the relying party), and the user would prove the possession of the X509 certificate. In this step I then understand three things: (a) SP doesnīt need to know the X509 certificate BEFORE the presentation of it by the user (on the contrary thet IdP, that it does)
(b) It isnīt needed any other authentication process, because itīs more than enough the comparison of the X509 data contained in the assertion with the X509 presented by the client (and the associated private key)
(c) SP doesnīt need to issue another <saml:attributequery> to the IdP (as in a normal access of a user with a token to an SP), because itīs able to extract the attributes contained in the holder-ok-key assertion, and process them (for example with the intervention of a PDP, PEP entities)

Could anyone help me to confirm if the exposed scenario would be realistic?

Thank you very much in advance, and, please, sorry for the bad english language I have.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]