SAML + web service client + client certificate


I need help regarding SAML and WS-Security architecture (or possibly completely different standards?).

I have the following platform-independent scenario which I need to secure using client certificate authentication. The scenario is non-interactive; only a web service client is involved (1).

(1) WS client -> (2) WS's on Service Provider (SP) -> (3) Identity provider (IdP)

  • (1) has a client certificate on its machine and calls (2)
  • (2) has services that (1) needs to consume
  • (3) is able to authenticate the (1) client using the client certificate

My question is how exactly this scenario could be covered with security standards such as SAML, WS-Trust or others.

Thanks



2
Andrew K. On

Pretty much any "federation" protocol could be used - OIDC, SAML, WS-Fed, WS-Trust... Take your pick.

  1. Browser navigates to SP.
  2. SP says "I don't know you" and redirects you to the IdP via an authentication request appropriate for the chosen protocol above
  3. The IdP says "I don't know you, Authenticate!"
  4. Browser presents certificate for authentication
  5. The IdP validates the certificate, and builds an "assertion" appropriate for the chosen protocol.
  6. The IdP redirects you back to the SP with the assertion
  7. The SP validates the assertion and lets the browser in

Of the protocols listed... Only WS-Trust would work slightly differently... In WS-Trust, depending on who the SP and IdP actually are, the SP could ask the browser to present a certificate that the SP could ask the IdP in an STS call to authenticate. This would only work if both the IdP and SP were configured to trust the same specific CA. This would result in not getting bounced from SP to IdP and back.
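The non-interactive WS-Trust-style variant from the end of the answer, written out as an added example (this is not code from the question or the answer). Each of the three parties from the question is a small piece of Python: the client (1) presents a certificate to the SP (2), the SP hands it to the STS/IdP (3), the STS authenticates it against the CA both parties trust and issues a short-lived assertion bound to an audience, and the SP validates that assertion before serving the request. All names, keys and lifetimes are constructed; HMAC-SHA256 stands in for both the CA's X.509 signature and the STS's XML-DSig signature so the script runs offline with the standard library only, and it is assumed that the TLS layer has already proven the client holds the certificate's private key (mutual TLS), which this code does not re-check.

```python
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Raised when a certificate or token fails a check."""


def _mac(key: bytes, payload: dict) -> str:
    # Canonical JSON keeps the MAC stable regardless of dict ordering.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _check_mac(key: bytes, signed: dict) -> dict:
    # Constant-time comparison; returns the signed body without the "sig" field.
    body = {k: v for k, v in signed.items() if k != "sig"}
    if not hmac.compare_digest(_mac(key, body), signed.get("sig", "")):
        raise AuthError("signature check failed")
    return body


# --- CA: issues the client certificate (constructed stand-in for X.509) ---
def ca_issue_cert(ca_key: bytes, ca_name: str, subject: str, not_after: float) -> dict:
    body = {"subject": subject, "issuer": ca_name, "not_after": not_after}
    return {**body, "sig": _mac(ca_key, body)}


# --- STS / IdP (3): authenticates the certificate and issues an assertion ---
class STS:
    def __init__(self, name: str, trusted_cas: dict, signing_key: bytes, lifetime: int = 300):
        self.name = name
        self.trusted_cas = trusted_cas      # CA name -> CA verification key
        self.signing_key = signing_key
        self.lifetime = lifetime            # seconds a token stays valid

    def issue(self, cert: dict, audience: str, now: float) -> dict:
        ca_key = self.trusted_cas.get(cert.get("issuer"))
        if ca_key is None:
            raise AuthError("certificate issuer not trusted")
        body = _check_mac(ca_key, cert)
        if now >= body["not_after"]:
            raise AuthError("certificate expired")
        token = {
            "issuer": self.name,
            "subject": body["subject"],
            "audience": audience,           # the SP the token is meant for
            "not_before": now,
            "not_on_or_after": now + self.lifetime,
        }
        return {**token, "sig": _mac(self.signing_key, token)}


# --- SP (2): validates the assertion before serving the request ---
class ServiceProvider:
    def __init__(self, audience: str, sts_name: str, sts_key: bytes):
        self.audience = audience
        self.sts_name = sts_name
        self.sts_key = sts_key

    def admit(self, token: dict, presented_cert: dict, now: float) -> str:
        body = _check_mac(self.sts_key, token)
        if body["issuer"] != self.sts_name:
            raise AuthError("token not issued by the trusted STS")
        if body["audience"] != self.audience:
            raise AuthError("token not intended for this service")
        if not body["not_before"] <= now < body["not_on_or_after"]:
            raise AuthError("token outside its validity window")
        if body["subject"] != presented_cert["subject"]:
            raise AuthError("token subject does not match the presented certificate")
        return body["subject"]


def run_flow(cert: dict, sp: ServiceProvider, sts: STS, now: float = None) -> str:
    """Whole exchange: client -> SP (cert), SP -> STS (cert), STS -> SP (token), SP admits."""
    now = time.time() if now is None else now
    token = sts.issue(cert, sp.audience, now)
    return sp.admit(token, cert, now)


# Constructed trust material: the CA that both SP and STS trust, a rogue CA, and the STS key.
CA_KEY = b"corp-root-ca-signing-key"
ROGUE_CA_KEY = b"some-other-ca-key"
STS_KEY = b"sts-assertion-signing-key"
NOW = 1_700_000_000.0

STS_SERVER = STS("urn:example:sts", {"CN=Corp Root CA": CA_KEY}, STS_KEY)
SP = ServiceProvider("urn:example:sp:orders", "urn:example:sts", STS_KEY)
CLIENT_CERT = ca_issue_cert(CA_KEY, "CN=Corp Root CA", "CN=batch-client", NOW + 86400)
ROGUE_CERT = ca_issue_cert(ROGUE_CA_KEY, "CN=Rogue CA", "CN=batch-client", NOW + 86400)

if __name__ == "__main__":
    print("admitted:", run_flow(CLIENT_CERT, SP, STS_SERVER, NOW))
```

The checks in `ServiceProvider.admit` are the ones that matter in the real protocol as well: the assertion must be signed by the STS the SP trusts, must name this SP as its audience (so a token obtained for one service cannot be replayed against another), must be inside its validity window, and must describe the same subject as the certificate the client actually presented.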