---
schema-version: v1.2.8
id: OASISSAML-holder-of-key-v1.0-CS02
title:
  - content: SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0
    language:
      - en
    script:
      - Latn
    format: text/plain
    type: main
link:
  - content: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.html
    type: src
  - content: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.pdf
    type: pdf
  - content: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-holder-of-key-browser-sso-cs-02.odt
    type: odt
type: standard
docid:
  - id: OASIS SAML-holder-of-key-v1.0-CS02
    type: OASIS
    primary: true
docnumber: SAML-holder-of-key-v1.0-CS02
date:
  - type: issued
    value: '2010-08-10'
contributor:
  - organization:
      name:
        - content: OASIS
      contact:
        - uri: https://www.oasis-open.org/
    role:
      - description:
          - content: Standards Development Organization
        type: authorizer
      - type: publisher
  - organization:
      name:
        - content: OASIS Security Services (SAML) TC
      contact:
        - uri: https://www.oasis-open.org/committees/security/
    role:
      - description:
          - content: Committee
        type: authorizer
language:
  - en
script:
  - Latn
abstract:
  - content: >-
      Allows for transport of holder-of-key assertions by standard HTTP user
      agents with no modification of client software and maximum compatibility
      with existing deployments. The flow is similar to standard Web Browser
      SSO, but an X.509 certificate presented by the user agent via a TLS
      handshake supplies a key to be used in a holder-of-key assertion. Proof
      of possession of the private key corresponding to the public key in the
      certificate resulting from the TLS handshake strengthens the assurance of
      the resulting authentication context and protects against credential
      theft. Neither the identity provider nor the service provider is required
      to validate the certificate.
    language:
      - en
    script:
      - Latn
    format: text/plain
doctype:
  type: specification
editorialgroup:
  - name: OASIS Security Services (SAML) TC
ext:
  schema-version: v1.0.1
  technology_area:
    - Security