Friday, January 18, 2013

SAML Subject confirmation methods: Bearer vs. Holder of Key vs. Sender Vouches

Subject confirmation methods are how a relying party (RP), in other words the end service, makes sure that a particular security token issued by a Security Token Service (STS) is presented by the legitimate subject.

If this is not done, a third party can take the token from the wire and send any request it wants together with that token, and the RP will trust that illegitimate party.

The following discusses these three methods.

The common aspect is, obviously, that the RP should always trust the STS.

Bearer
This is actually not a confirmation method - it means subject confirmation is not needed! The RP simply trusts whoever brings the token!

Holder of Key (HoK)
1. The STS includes the public key of the client inside the security token and signs it.
2. Then, before sending, the client itself signs the request.
3. When the RP receives it, it first validates the STS signature and then validates the client's signature with the public key embedded inside the token.
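As an added illustration (not code from the original post), here is the RP-side check for Bearer versus Holder of Key, modelled in Go with a JSON token and Ed25519 signatures standing in for SAML XML and XML-DSig; the token fields, the `rpAccept` and `replayScenario` names and the request payloads are constructed for this example. The replay scenario shows the point of the section: a captured bearer token is accepted from anyone, while a captured HoK token is rejected unless the request is signed by the key the STS embedded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Token is a constructed stand-in for a SAML assertion (JSON here, not real SAML XML).
type Token struct {
	Subject    string `json:"subject"`
	Method     string `json:"method"`                // "bearer" or "holder-of-key"
	SubjectKey []byte `json:"subject_key,omitempty"` // client public key the STS embeds (HoK only)
}

// Request is what reaches the RP: the STS-signed token plus a payload the client signs under HoK.
type Request struct{ TokenBody, STSSig, Payload, ClientSig []byte }
// rpAccept is the RP check: trust the STS first, then apply the token's confirmation method.
func rpAccept(stsPub ed25519.PublicKey, r Request) bool {
	if !ed25519.Verify(stsPub, r.TokenBody, r.STSSig) {
		return false // token was not issued by the trusted STS
	}
	var t Token
	if json.Unmarshal(r.TokenBody, &t) != nil {
		return false
	}
	if t.Method == "bearer" {
		return true // no subject confirmation: whoever presents the token is accepted
	}
	// Holder of Key: the request itself must be signed by the key the STS bound into the token.
	return t.Method == "holder-of-key" && len(t.SubjectKey) == ed25519.PublicKeySize &&
		ed25519.Verify(ed25519.PublicKey(t.SubjectKey), r.Payload, r.ClientSig)
}

// replayScenario: the client sends one signed request, then a third party resends the captured token.
func replayScenario(method string) (legitOK, replayOK bool) {
	stsPub, stsPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	t := Token{Subject: "alice", Method: method}
	if method == "holder-of-key" {
		t.SubjectKey = clientPub // step 1: STS embeds the client's public key
	}
	body, _ := json.Marshal(t)
	sig := ed25519.Sign(stsPriv, body) // ...and signs the token
	p1, p2 := []byte(`{"op":"read","doc":7}`), []byte(`{"op":"delete","doc":7}`) // constructed payloads
	legitOK = rpAccept(stsPub, Request{body, sig, p1, ed25519.Sign(clientPriv, p1)}) // step 2: client signs
	replayOK = rpAccept(stsPub, Request{body, sig, p2, ed25519.Sign(otherPriv, p2)})
	return
}
```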

Sender Vouches
1. Rather than authenticating with the STS, here the client authenticates with an intermediate service.
2. The intermediary gets the security token from the STS.
3. Then it signs the request and sends it to the RP.
4. The RP trusts both the intermediary and the STS, so it validates both.

Ref:
SAML subject confirmation methods: holder-of-key vs. sender-vouches

6 comments:

Anonymous said...

Thanks! This is the clearest explanation of Confirmation methods I have found so far.

dulanja said...

Glad it helped :)

Anonymous said...

Thanks for the concise descriptions. The referenced link no longer seems to be valid, though.

Anonymous said...

I think this a link to the source article: https://web-gmazza.rhcloud.com/blog/entry/saml-subject-confirmation-methods

Harsha's Blog said...

This was cleared to by simple... nice... :)

Anonymous said...

Simple and clear explanation. Thanks for posting.