shibboleth-dev - Draft Holder-of-Key Web SSO Profile

Subject: Shibboleth Developers


  • From: Nate Klingenstein <>
  • To:
  • Subject: Draft Holder-of-Key Web SSO Profile
  • Date: Fri, 15 Feb 2008 02:18:12 +0000

Shibboleth-Developers,

As part of my work for the National Institute of Informatics and the UPKI initiative, I've been working on a modified Web Browser SSO profile for SAML 2.0 that uses holder-of-key confirmation for the client rather than bearer authentication. The keys for this confirmation are supplied through TLS using client certificates. This results in a more secure sign-on process and, particularly, a more secure resulting session at the SP, and no need for the SP to do PKIX or know anything about the client certificate itself.

As there has been some discussion about client TLS authentication to IdPs on this list, along with a bunch of sharp resident federated thinkers, I wanted to run the draft by you for any feedback or ideas before I take it to the SSTC for further work. All ideas or complaints, no matter how nebulous, are useful.

I've attached it in PDF format. If you prefer another format, please let me know.

Thanks for your (volunteered) time,
Nate.

Attachment: draft-sstc-saml-keyed-browser-sso-cd-01.pdf
Description: Adobe PDF document
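The SP-side check the message describes (matching the TLS client certificate against the key the IdP named in the assertion, with no PKIX processing of the client certificate), as an added illustration that is not part of the draft or of Shibboleth's code; the assertion fragment and the certificate bytes are constructed placeholders, and the IdP's signature over the assertion is assumed to have been verified already:

```python
import base64
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-in for the DER bytes of the browser's TLS client
# certificate; a real SP obtains these from its TLS stack.
TLS_CLIENT_CERT_DER = b"constructed-not-a-real-certificate"

# Constructed assertion fragment naming that certificate in a
# holder-of-key confirmation (only the parts this check reads).
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(TLS_CLIENT_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def hok_certificates(assertion_xml: str) -> list:
    """DER bytes of every X509Certificate named by a holder-of-key
    SubjectConfirmation; bearer confirmations are ignored."""
    root = ET.fromstring(assertion_xml)
    ders = []
    for sc in root.iterfind(".//saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue
        for cert in sc.iterfind(".//ds:X509Certificate", NS):
            # XML base64 is often line-wrapped; drop whitespace first
            ders.append(base64.b64decode("".join((cert.text or "").split())))
    return ders


def confirm_holder_of_key(assertion_xml: str, tls_client_cert_der: bytes) -> bool:
    """SP-side check: the certificate presented in the TLS handshake must
    byte-match one named in the (already signature-verified) assertion.
    No chain building or trust-store lookup of the client cert is needed."""
    return any(hmac.compare_digest(der, tls_client_cert_der)
               for der in hok_certificates(assertion_xml))
```

If the session is later bound to this key, each subsequent request must present the same client certificate, which is what makes the resulting SP session stronger than a bearer one.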
