Run-Time Processing of Holder-of-Key Tokens
At run time, Mediator processes a request containing a Holder-of-Key token as follows:
1. The client sends a request for a SAML token from a Security Token Service (STS).
2. The STS verifies and authenticates the client and creates a SAML assertion with key information. The client can use this information to sign the message when sending the assertion to the service provider.
3. The STS signs the assertion with its private key to provide message integrity and non-repudiation.
4. The client receives the SAML assertion from the STS and creates a new SOAP request.
5. The client adds the token to the SOAP WS-Security header and then signs the message with the same key information present in the SAML token, proving possession of the token (Proof-of-Possession) and thus acting as the Holder-of-Key.
6. The service receives the SOAP request with the SAML assertion and verifies that the SAML assertion was issued by a trusted STS.
7. The service verifies that the message was signed by the same Subject specified in the SAML assertion, thus verifying that the client is the Holder-of-Key.
After the service has completed the required verifications on the SOAP request, it allows the request to proceed.