
shibboleth-dev - Holder of key - help!

Subject: Shibboleth Developers

Holder of key - help!


  • From: "Josh Howlett" <>
  • To: <>
  • Cc: "Josh Howlett" <>
  • Subject: Holder of key - help!
  • Date: Tue, 8 Jan 2008 21:44:06 -0000

I have been trying, without much success, to understand the Holder of
Key SubjectConfirmation identifier.

I have read SAML 2.0 Profiles Section 3.1 (which makes little sense to
me) and the relevant text at
https://spaces.internet2.edu/display/SHIB/SubjectConfirmation (which
makes considerably more sense).

My brain can cope until I get to "By embedding a public key inside a
HolderOfKey SubjectConfirmation, the issuer enables a client that can
prove ownership of the key to use the assertion, while nobody else can
do so."

How does the issuer know the client's public key?
How does the Relying Party, in possession of the client's public key,
use it to validate the client?

I sense that this is intended as a means of binding the issuer's
assertion to a PKI shared by the issuer, client and relying party -
which sounds cool. However, I fail to understand the mechanics of how
this is achieved. Any help/pointers/etc would be greatly appreciated.

Thanks, josh.

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
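The relying-party side of the mechanism asked about above, as an added example that is not part of the thread or of the Shibboleth code base: the assertion is constructed, the certificate bytes are made-up placeholders standing in for DER, and the function names (confirmed_keys, confirm_holder_of_key) are hypothetical. It assumes the client has already proved possession of its key to the relying party (for instance through TLS client authentication), so the only remaining check is that the key the client proved possession of is the one the issuer bound into the holder-of-key SubjectConfirmation.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-ins for DER-encoded certificates; the check below only
# compares bytes, so any blob works as an illustration.
CLIENT_CERT_DER = b"\x30\x82\x01\x00-placeholder-client-cert-der"
OTHER_CERT_DER = b"\x30\x82\x01\x00-placeholder-other-cert-der"

# Constructed assertion: the issuer embedded the client's certificate in a
# holder-of-key SubjectConfirmation (keys it learned e.g. from TLS client auth).
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID>josh@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{HOLDER_OF_KEY}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          {base64.b64encode(CLIENT_CERT_DER).decode()}
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def thumbprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def confirmed_keys(assertion_xml: str) -> list:
    """Thumbprints of every certificate bound by a holder-of-key confirmation."""
    root = ET.fromstring(assertion_xml)
    found = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOLDER_OF_KEY:
            continue  # bearer / sender-vouches confirmations bind no key
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert in sc.findall(path, NS):
            found.append(thumbprint(base64.b64decode(cert.text.strip())))
    return found

def confirm_holder_of_key(assertion_xml: str, presented_cert_der: bytes) -> bool:
    """True only if the key the client proved possession of is one the issuer
    embedded; anyone presenting the assertion without that key is rejected."""
    return thumbprint(presented_cert_der) in confirmed_keys(assertion_xml)
```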
