Subject: Question on HoK client certificate at IdP side
Hello,

We are following the "SAML V2.0 Holder-of-Key Web Browser SSO" profile (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf) and trying to add HoK support for our IdP.

Given a Principal at an IdP, must the client certificate for HoK be registered and associated with this Principal in advance at the IdP? In other words, can this Principal freely choose a client certificate at SAML protocol runtime?

I am asking this because section 2.6.4 of the specification, "Identity Provider Identifies Principal and Verifies Key Possession", contains the following sentence:

    In addition, note well that the Holder-of-Key Assertion Profile requires that the X.509
    certificate obtained as a result of the TLS handshake MUST be known to be associated with the principal
    (see section 2.4 of [SAML2HoKAP]).

However, I did not see a detailed description of this in section 2.4 of [SAML2HoKAP].

Sincerely,
Chuang