On 2 Sep 2013, at 10:42, Matthew Slowe <[log in to unmask]> wrote:
> As mentioned, on reflection, I think this is a good check to have!
They are both good to have, in principle.
>> Long term, "holder of key", in which the user agent proves to the SP
>> that it is the rightful bearer of the token, may be an answer to this
>> one, but as far as I know it's really not implemented by anyone today.
>
> I don't claim to know anything about HOK
In HoK, the client presents a credential to the IdP, and the IdP makes note of that in the assertion. The client then presents the same credential to the SP, so that the SP can see that it is the same client as was seen by the IdP. It's clever, but it's not seeing a lot of use yet. I suspect it will never really take off for browser-based applications.
> but do remember having an issue
> when attempting to register a SimpleSAMLphp based SP on the ukfederation
> as the HOK metadata [1] wasn't being accepted.
>
> Not sure if this was just because SSPHP is/was broken in some way :)
Yes, simpleSAMLphp had a problem a while back. It was claiming HoK support even if you didn't ask for it, but its generated metadata for the facility was invalid. If you upgrade to the current production version (you should probably do that anyway), you will find that the broken HoK metadata goes away entirely.
-- Ian
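The SP-side check Ian describes (the IdP records the client's credential in the assertion, the client presents the same credential to the SP, and the SP compares the two) as an added worked example. This is illustration code, not anything from the thread, from simpleSAMLphp or from the UK federation. It assumes the SAML V2.0 holder-of-key Web Browser SSO profile layout, where the IdP puts the client's X.509 certificate inside a `<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">` element, and that the SP already holds the certificate the browser presented during TLS client authentication. The certificate bytes and assertion below are constructed placeholders, not real certificates, and signature validation of the assertion is assumed to have happened before this check runs.

```python
"""Holder-of-key (HoK) subject confirmation on the SP side (added example).

Assumption: the IdP placed the client's X.509 certificate under a
SubjectConfirmation element whose Method is the HoK URI, and the SP has
the certificate the client presented over TLS. Assertion signature
verification is assumed to have been done already.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def _fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes, so base64 line wrapping never affects the comparison."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def hok_fingerprints(assertion_xml: str) -> List[str]:
    """Fingerprints of every certificate the IdP bound to the subject via HoK."""
    root = ET.fromstring(assertion_xml)
    fps = []
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer or other methods carry no key to confirm
        for cert in sc.iterfind(".//ds:X509Certificate", NS):
            fps.append(_fingerprint(cert.text or ""))
    return fps


def confirm_holder_of_key(assertion_xml: str, tls_client_cert_b64: Optional[str]) -> bool:
    """True only if the TLS client certificate matches a HoK key named in the assertion.

    Fails closed: no client certificate, or an assertion that only offers
    bearer confirmation, does not satisfy an SP that requires HoK.
    """
    if not tls_client_cert_b64:
        return False
    return _fingerprint(tls_client_cert_b64) in hok_fingerprints(assertion_xml)


# Constructed sample data: NOT real certificates, just placeholder bytes.
CLIENT_CERT_B64 = base64.b64encode(b"constructed-client-cert-der").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed-other-cert-der").decode()

HOK_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_constructed" Version="2.0">
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData xsi:type="saml:KeyInfoConfirmationDataType">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{CLIENT_CERT_B64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Same subject, but plain bearer confirmation: nothing ties it to a particular client.
BEARER_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed2" Version="2.0">
  <saml:Subject>
    <saml:NameID>user@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
</saml:Assertion>"""

if __name__ == "__main__":
    print("same client:", confirm_holder_of_key(HOK_ASSERTION, CLIENT_CERT_B64))    # True
    print("other client:", confirm_holder_of_key(HOK_ASSERTION, OTHER_CERT_B64))    # False
    print("bearer only:", confirm_holder_of_key(BEARER_ASSERTION, CLIENT_CERT_B64))  # False
```

The comparison is on a fingerprint of the DER bytes rather than on the base64 text, so whitespace differences in how the IdP serialised the certificate do not cause false mismatches. An SP that requires HoK should treat a bearer-only assertion as a failure rather than fall back silently, which is what the `False` on the third case shows.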