[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful services
> So what specification do you use to associate a user's SAML assertion
> with the TLS client-authentication?

That's what "holder of key" confirmation means. The analogous spec is the HoK Web Browser SSO profile, of which there is no ECP variant formally, but the idea is the same.

I don't know if this is the user's assertion here. Why would it be? If this is an n-tier use case, this is delegation. It is generally invalid to use the user's original assertion if the client is not the user's system. That would be done by exchanging the SSO token from the user for a delegation token issued for use by the service. That token can be obtained via ECP and bound to the service's key if client TLS can be used on the REST calls.

> And is this in addition to authenticating the client system?

You haven't sufficiently defined the use case, let's put it that way. But what I think you're doing is exactly what we did for delegation of service access. We haven't done a variant of it with client TLS between the tiers yet; it's bearer initially. The next phase after improving the code would be adding HoK.

https://spaces.internet2.edu/display/ShibuPortal/Solution+Proposal

That is much stronger than the crazy things people do passing around SSO tokens without regard for their security properties.

-- Scott
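The check Scott is describing, the relying party confirming that the key named in a holder-of-key SubjectConfirmation is the key the caller actually authenticated with at the TLS layer, as an added example that is not from the thread, from Shibboleth, or from the linked proposal. It assumes the assertion's XML signature has already been verified by the caller (with xmlsec or similar; not shown), that the REST server can hand over the DER of the client certificate presented on the TLS connection, and that the assertion names the key as an X509Certificate inside ds:KeyInfo. The sample assertion and "certificate" bytes are constructed placeholders, not real DER.

```python
"""Holder-of-key (HoK) subject confirmation check for a SAML 2.0 assertion.

Added illustration, not code from the saml-dev thread or from Shibboleth.
Assumes the assertion's XML signature has ALREADY been verified; this only
answers: does the key the assertion names match the TLS client's key?
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-in for the service's client certificate (not real DER).
SAMPLE_CERT_DER = b"constructed-service-client-cert-not-real-DER"


def _assertion(method: str, cert_der: bytes) -> str:
    # Constructed minimal assertion; a real one carries a ds:Signature too.
    key_info = ""
    if method == HOLDER_OF_KEY:
        b64 = base64.b64encode(cert_der).decode()
        key_info = (f"<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
                    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
    return f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" xmlns:ds="{NS['ds']}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_c1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.org/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>svc-portal</saml2:NameID>
    <saml2:SubjectConfirmation Method="{method}">
      <saml2:SubjectConfirmationData NotOnOrAfter="2030-01-01T00:00:00Z"
        Recipient="https://rest.example.org/api"
        xsi:type="saml2:KeyInfoConfirmationDataType">{key_info}</saml2:SubjectConfirmationData>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
</saml2:Assertion>"""


SAMPLE_HOK_ASSERTION = _assertion(HOLDER_OF_KEY, SAMPLE_CERT_DER)
SAMPLE_BEARER_ASSERTION = _assertion(BEARER, SAMPLE_CERT_DER)


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def _parse_time(value: str) -> datetime:
    # SAML xs:dateTime in UTC ("Z" suffix).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes, now=None) -> dict:
    """Return {'ok': bool, 'reason': str}; 'now' is an xs:dateTime string or None."""
    now_dt = _parse_time(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    presented_fp = fingerprint(presented_cert_der)
    saw_bearer = saw_hok = False
    for sc in root.findall("saml2:Subject/saml2:SubjectConfirmation", NS):
        method = sc.get("Method")
        if method == BEARER:
            saw_bearer = True          # possession of the XML proves nothing
            continue
        if method != HOLDER_OF_KEY:
            continue                   # unknown methods are never satisfied
        saw_hok = True
        data = sc.find("saml2:SubjectConfirmationData", NS)
        if data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry and now_dt >= _parse_time(expiry):
            continue                   # this confirmation can no longer be used
        # Any one SubjectConfirmation being satisfied confirms the subject.
        for cert_el in data.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            named = base64.b64decode("".join(cert_el.text.split()))
            if fingerprint(named) == presented_fp:
                return {"ok": True, "reason": "TLS client cert matches HoK KeyInfo",
                        "fingerprint": presented_fp}
    if saw_hok:
        return {"ok": False, "reason": "no valid HoK confirmation matches the presented TLS client cert"}
    if saw_bearer:
        return {"ok": False, "reason": "assertion is bearer-confirmed only; caller did not prove key possession"}
    return {"ok": False, "reason": "no usable subject confirmation"}


if __name__ == "__main__":
    print(confirm_holder_of_key(SAMPLE_HOK_ASSERTION, SAMPLE_CERT_DER))
    print(confirm_holder_of_key(SAMPLE_HOK_ASSERTION, b"some-other-cert"))
    print(confirm_holder_of_key(SAMPLE_BEARER_ASSERTION, SAMPLE_CERT_DER))
```

The comparison here is by SHA-256 over the whole certificate; the HoK profiles also permit the assertion to name only the public key (ds:KeyValue), in which case a deployment would compare the extracted public key instead, so that a certificate renewal that keeps the key does not break the binding. The bearer case is returned as a distinct failure on purpose: a bearer-confirmed assertion forwarded between tiers is exactly the "passing around SSO tokens" pattern the message warns against, and this function refuses it unless an HoK confirmation is also present and satisfied.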