
saml-dev message


Subject: Re: [saml-dev] Question on HoK client certificate at IdP side

On 10/15/20, 11:05 AM, "Chuang Wang" <chuang.wang@oracle.com> wrote:

>    Given a Principal at an IdP, must the client certificate for HoK be registered and associated with this Principal ahead
> of time in the IdP?  In other words, can this principal freely choose a client certificate at SAML protocol runtime?

It's out of scope, the same way any enrollment issue would be; that's just policy. If there are constraints around that sort of thing, you have to capture them in the AuthnContextClassRef values used within a deployment, to ensure that what you're expressing as a context at runtime is an accurate reflection of whatever policies are being followed.

If that policy is "the certificate is meaningless as an identity proof because we're just self-enrolling people", so be it; that's not part of the profile any more than identity assurance issues are part of any other SAML profile.

-- Scott
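The split Scott describes, as an added example that is not part of the thread and not code from any SAML product: the IdP only asserts which certificate the subject holds, the SP has to check that the TLS client certificate actually presented is the one named in the holder-of-key SubjectConfirmation, and the deployment's enrollment policy is read off AuthnContextClassRef rather than assumed. The assertion, the certificate byte strings and the `urn:example:...` context URI are constructed here for illustration; the `POLICY` map is a hypothetical SP configuration. Signature validation is deliberately left out so the block runs offline.

```python
"""SP-side holder-of-key (HoK) confirmation for a SAML 2.0 assertion.

Added example, not from the thread. Checks two things a relying party must do
with a HoK assertion:
  1. the client certificate presented on the TLS connection matches the
     ds:X509Certificate inside the holder-of-key SubjectConfirmation;
  2. the AuthnContextClassRef is one the deployment has agreed to accept, and
     the SP attaches its own assurance label to it (enrollment is policy, not
     something the HoK profile guarantees).
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Hypothetical SP policy (assumption): accepted AuthnContextClassRef values and
# the assurance the SP attaches to each. The first URI is the standard SAML X509
# class; the second is a constructed, deployment-specific class standing in for
# "self-enrolled certificate, no identity proofing".
POLICY = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": "cert-registered",
    "urn:example:ac:classes:self-enrolled-cert": "cert-unverified",
}

# Constructed stand-ins for DER-encoded client certificates (not real X.509).
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-client-cert" * 3
OTHER_CERT_DER = b"\x30\x82\x01\x00" + b"some-other-certificate" * 3


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, the usual way to compare certs."""
    return hashlib.sha256(der).hexdigest()


def build_assertion(cert_der: bytes, authn_ctx: str) -> str:
    """Constructed, unsigned HoK assertion with the given cert and context."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_a1" Version="2.0" IssueInstant="2020-10-15T11:05:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>chuang</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2020-10-15T11:05:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{authn_ctx}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes) -> dict:
    """Return {"ok", "reason", "assurance"} for an assertion plus the presented cert."""
    root = ET.fromstring(assertion_xml)
    presented_fp = fingerprint(presented_cert_der)
    matched = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer and other methods bind no key; they never confirm HoK
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert_el in sc.findall(path, NS):
            asserted = base64.b64decode("".join((cert_el.text or "").split()))
            if hmac.compare_digest(fingerprint(asserted), presented_fp):
                matched = True
    if not matched:
        return {"ok": False, "assurance": None,
                "reason": "presented client certificate matches no holder-of-key confirmation"}

    ctx_el = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ctx = (ctx_el.text or "").strip() if ctx_el is not None else ""
    if ctx not in POLICY:
        return {"ok": False, "assurance": None,
                "reason": f"AuthnContextClassRef {ctx!r} is not accepted by this deployment"}
    return {"ok": True, "assurance": POLICY[ctx], "reason": "holder-of-key confirmed"}


if __name__ == "__main__":
    for ctx in POLICY:
        print(ctx, confirm_holder_of_key(build_assertion(CLIENT_CERT_DER, ctx), CLIENT_CERT_DER))
    print("wrong cert", confirm_holder_of_key(
        build_assertion(CLIENT_CERT_DER, "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"), OTHER_CERT_DER))
```

The point of the two-stage check is that a successful certificate match says nothing about how the certificate got associated with the principal; a self-enrolled cert matches just as well as a registered one. Only the context class tells the SP which enrollment policy the IdP followed, so an unrecognised class is rejected rather than treated as the strongest option.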
