The "Token Comments" post discussed the importance of token technology within an enterprise's security model. Now let's examine SAML in more detail.
To understand how the various confirmation methods in a SAML token fit into a security model, we first have to understand some basic assumptions about SAML itself. SAML assertions are declarations of fact, or claims, about a subject according to someone - typically a "source site" (to use the SAML v1.x language) or an identity provider (to use the SAML v2.0 language). A SAML assertion can carry three types of statements about a subject: authentication statements, attribute statements and authorization decision statements. The last of these is quickly being taken over by XACML; in fact, the authorization decision statement has been frozen as of SAML v2.0, with no future enhancements planned. Users who require authorization statements are encouraged to look at XACML, which offers far richer capabilities for expressing authorization policies and decisions.
SAML uses an element called SubjectConfirmation that can be thought of as a hint given to the receiver of a SAML assertion. This element allows the receiver to confirm that the party presenting the assertion really is, or is entitled to act for, the subject it describes. The underlying assumption here is that the system sending the assertion is not the same as the subject, but that the system receiving the assertion has some sort of trust relationship with the sender. The classic example is a business partner. In most cases you trust your business partner, so normally the receiver of the assertion should not need to reconfirm the authentication, but there may be cases where it is an especially high-value transaction, or perhaps they just don't trust the system sending the assertion and need extra assurance. SAML provides three ways to accomplish this reconfirmation, called confirmation methods: holder-of-key, bearer, and sender-vouches. While these three options are theoretically different, we will see that in practice they collapse into just two cases: do nothing or verify a signature. "Do nothing" should be read narrowly, though. Even a bearer assertion still needs the issuer's signature checked and the SubjectConfirmationData conditions enforced (Recipient, NotOnOrAfter and, where present, InResponseTo); what is skipped is any proof that the presenter is the subject, which is exactly why bearer assertions must be short-lived and carried over a protected channel.
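As an added example (not code from the original post or from any SAML library), here is how a relying party might dispatch on the SubjectConfirmation Method URI and apply the checks each method implies, using only the Python standard library. The assertions, the assertion consumer URL, the partner identifier and the certificate value are constructed for the demo and are purely hypothetical. XML-Signature verification of the issuer's signature over the assertion, and of the presenter's signature or TLS client certificate on the surrounding message, is assumed to have been done by a separate library before this code runs; the code only decides whether what was proved satisfies the confirmation method.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"


def _parse_time(value):
    # SAML dateTimes are UTC with a trailing "Z"; fromisoformat() only accepts
    # "Z" from Python 3.11 on, so normalise it by hand.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _confirm_bearer(data, now, recipient, in_response_to):
    # Bearer: whoever holds the assertion is taken to be the subject, so the
    # only defences are a short lifetime and binding it to this endpoint/request.
    if data is None:
        raise ValueError("bearer: SubjectConfirmationData is required")
    expiry = data.get("NotOnOrAfter")
    if expiry is None or now >= _parse_time(expiry):
        raise ValueError("bearer: NotOnOrAfter missing or already passed")
    if data.get("Recipient") != recipient:
        raise ValueError("bearer: Recipient is not this endpoint")
    if in_response_to is not None and data.get("InResponseTo") != in_response_to:
        raise ValueError("bearer: InResponseTo does not match our request")


def _confirm_holder_of_key(data, presenter_cert):
    # Holder-of-key: the presenter already proved possession of some key (TLS
    # client auth or message signature, verified upstream, assumed here); check
    # that the key it proved is the one named in ds:KeyInfo.
    if data is None:
        raise ValueError("holder-of-key: SubjectConfirmationData/ds:KeyInfo required")
    confirmed = {"".join(c.text.split()) for c in
                 data.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text}
    if not confirmed:
        raise ValueError("holder-of-key: no ds:X509Certificate in KeyInfo")
    if presenter_cert is None or "".join(presenter_cert.split()) not in confirmed:
        raise ValueError("holder-of-key: presenter's key is not the confirmed key")


def _confirm_sender_vouches(presenter_id, trusted_attesters):
    # Sender-vouches: no proof from the subject at all; we rely on the attesting
    # entity (identified by its verified message signature) being one we trust.
    if presenter_id not in trusted_attesters:
        raise ValueError("sender-vouches: attesting entity is not trusted")


def confirm_subject(assertion_xml, *, now, recipient, in_response_to=None,
                    presenter_cert=None, presenter_id=None, trusted_attesters=frozenset()):
    """Return the Method URI of the first satisfied SubjectConfirmation, else raise."""
    root = ET.fromstring(assertion_xml)
    failures = []
    for sc in root.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        data = sc.find("saml:SubjectConfirmationData", NS)
        try:
            if method == BEARER:
                _confirm_bearer(data, now, recipient, in_response_to)
            elif method == HOLDER_OF_KEY:
                _confirm_holder_of_key(data, presenter_cert)
            elif method == SENDER_VOUCHES:
                _confirm_sender_vouches(presenter_id, trusted_attesters)
            else:
                raise ValueError(f"unsupported confirmation method {method!r}")
            return method
        except ValueError as exc:
            failures.append(str(exc))
    raise ValueError("no SubjectConfirmation satisfied: " + "; ".join(failures))


def outcome(assertion_xml, **kw):
    # Demo wrapper: the accepted Method URI, or "rejected: <reason>".
    try:
        return confirm_subject(assertion_xml, **kw)
    except ValueError as exc:
        return "rejected: " + str(exc)


# Constructed sample assertions (hypothetical IdP, SP, partner and certificate).
def _assertion(confirmation):
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_a1" '
            'IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>https://idp.example.com'
            '</saml:Issuer><saml:Subject><saml:NameID>alice@example.com</saml:NameID>'
            + confirmation + '</saml:Subject></saml:Assertion>')


ACS = "https://sp.example.com/acs"
PARTNER = "https://partner.example.com"
DEMO_CERT = "MIIBexampleCertBase64=="   # stands in for a real base64 X.509 blob
DEMO_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
BEARER_ASSERTION = _assertion(
    f'<saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData '
    f'NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="{ACS}" InResponseTo="_req1"/>'
    '</saml:SubjectConfirmation>')
HOK_ASSERTION = _assertion(
    f'<saml:SubjectConfirmation Method="{HOLDER_OF_KEY}"><saml:SubjectConfirmationData>'
    f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{DEMO_CERT}</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData></saml:SubjectConfirmation>')
SV_ASSERTION = _assertion(f'<saml:SubjectConfirmation Method="{SENDER_VOUCHES}"/>')
```

Calling `outcome(BEARER_ASSERTION, now=DEMO_NOW, recipient=ACS, in_response_to="_req1")` returns the bearer URI, while the same assertion nine minutes later, or presented to a different Recipient, is rejected; `HOK_ASSERTION` is accepted only when `presenter_cert` matches the certificate in KeyInfo, and `SV_ASSERTION` only when `presenter_id` is in `trusted_attesters`. That is the two-case picture in code: bearer does no check on the presenter beyond the data conditions, and the other two methods reduce to trusting a signature that was verified upstream.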
Next, we'll examine bearer and sender-vouches in more detail.