saml-dev message


Subject: Question on HoK client certificate at IdP side


We are following the "SAML V2.0 Holder-of-Key Web Browser SSO" (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf) and trying to add HoK support for our IdP.

Given a Principal at an IdP, must the client certificate for HoK be registered and associated with this Principal ahead of time in the IdP? In other words, can this Principal freely choose a client certificate at SAML protocol runtime?

I am asking this because section 2.6.4 of the specification, "Identity Provider Identifies Principal and Verifies Key Possession", contains the following sentence:

 In addition, note well that the Holder-of-Key Assertion Profile requires that the X.509 certificate obtained as a result of the TLS handshake MUST be known to be associated with the principal (see section 2.4 of [SAML2HoKAP]). 

However, I did not see a detailed description of this in section 2.4 of [SAML2HoKAP].
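The following is an added illustration, not code from the original message or from the OASIS specifications, of the IdP-side gate that the quoted sentence from section 2.6.4 describes: before issuing a holder-of-key SubjectConfirmation, the IdP checks that the certificate presented in the TLS handshake is one it already knows to belong to the authenticated principal. It assumes one particular way of making a certificate "known to be associated" with a principal, namely a registry of certificate fingerprints enrolled ahead of time; whether that is the only acceptable approach is exactly what the question above leaves open. The names `REGISTERED_BINDINGS`, `cert_is_bound_to_principal`, `issue_hok_confirmation`, the principal names and the certificate bytes are all hypothetical, constructed for the example; only the SAML and XML-Signature namespace URIs and the `holder-of-key` confirmation method are the real identifiers from the profiles.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-ins for DER-encoded client certificates (not real X.509 data).
# The binding check below only needs the raw bytes the TLS layer handed to the IdP.
ALICE_CERT_DER = b"constructed-der-bytes-for-alice"
OTHER_CERT_DER = b"constructed-der-bytes-for-someone-else"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, used as the registry key."""
    return hashlib.sha256(der).hexdigest()


# Hypothetical enrolment registry: principal -> fingerprints of certificates
# associated with that principal before any SSO exchange takes place.
REGISTERED_BINDINGS = {
    "alice": {cert_fingerprint(ALICE_CERT_DER)},
}


def cert_is_bound_to_principal(principal: str, tls_client_cert_der: bytes) -> bool:
    """True only if the certificate from the TLS handshake was enrolled for this principal.

    An unknown principal or an unenrolled certificate both fail closed.
    """
    return cert_fingerprint(tls_client_cert_der) in REGISTERED_BINDINGS.get(principal, set())


def build_hok_subject_confirmation(tls_client_cert_der: bytes) -> ET.Element:
    """Build a holder-of-key SubjectConfirmation whose SubjectConfirmationData carries
    the presented certificate inside ds:KeyInfo/ds:X509Data/ds:X509Certificate."""
    ET.register_namespace("saml", SAML_NS)
    ET.register_namespace("ds", DS_NS)
    sc = ET.Element(f"{{{SAML_NS}}}SubjectConfirmation", Method=HOK_METHOD)
    scd = ET.SubElement(sc, f"{{{SAML_NS}}}SubjectConfirmationData")
    key_info = ET.SubElement(scd, f"{{{DS_NS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    x509_cert = ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate")
    x509_cert.text = base64.b64encode(tls_client_cert_der).decode("ascii")
    return sc


def issue_hok_confirmation(principal: str, tls_client_cert_der: bytes) -> Optional[str]:
    """IdP-side gate: refuse to issue a HoK confirmation unless the TLS client
    certificate is known to be associated with the authenticated principal."""
    if not cert_is_bound_to_principal(principal, tls_client_cert_der):
        return None
    element = build_hok_subject_confirmation(tls_client_cert_der)
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    print(issue_hok_confirmation("alice", ALICE_CERT_DER))   # serialized SubjectConfirmation
    print(issue_hok_confirmation("alice", OTHER_CERT_DER))   # None: cert not enrolled for alice
    print(issue_hok_confirmation("bob", ALICE_CERT_DER))     # None: unknown principal
```

The design choice worth noting is that the check keys on the certificate actually presented during the TLS handshake, not on any certificate the browser might claim in a request, and that the same certificate is then what ends up in the assertion's KeyInfo; a mismatch anywhere in that chain would let a relying party confirm a key the IdP never tied to the principal.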

