There's a problem with the Attribute Exchange Profile, it seems. If you bind a VOMS-SAML token to a SOAP message and authenticate via WS-Security SAML Token Profile, everything is fine because the key bound to the SAML token is the same key presented to the RP. However, if you bind a VOMS-SAML token to a proxy certificate, there are problems since the key presented to the RP is different than the key bound to the SAML token, and so the holder-of-key subject confirmation on the assertion is not satisfied. An RP is obliged to reject the SAML token in that case.

Here's an example of a SAML token with holder-of-key subject confirmation:

http://www.globus.org/mail_archive/gridshib-user/2008/05/msg00011.html

Now a VOMS AC is essentially a security token with sender-vouches subject confirmation, so I wonder if the VOMS-SAML assertion should have sender-vouches subject confirmation as well. Alternatively, the proxy certificate could be constructed such that its key is the same key bound to the EEC. In that case, the SAML holder-of-key subject confirmation requirement would be met since all the bound keys (EEC, proxy, SAML) are the same.

Thoughts?

Tom
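The RP-side check discussed in the message above, sketched as an added example that is not part of the original post or of any VOMS/GridShib code. It assumes SAML 2.0 namespaces and confirmation-method URIs, a key conveyed as `ds:RSAKeyValue`, and constructed toy keys; `make_subject` and `confirm_subject` are hypothetical names.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
SV = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed toy RSA public keys as (modulus, exponent); not real key sizes.
EEC_KEY = (0xC5A1F3B7D9, 65537)
PROXY_KEY = (0xA7E39B5D11, 65537)

def _b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def _int(text):
    return int.from_bytes(base64.b64decode(text), "big")

def make_subject(method, key=None):
    """Constructed, unsigned <Subject> fragment standing in for a VOMS-SAML token."""
    data = ""
    if key:
        data = ("<saml:SubjectConfirmationData><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>"
                f"<ds:Modulus>{_b64(key[0])}</ds:Modulus><ds:Exponent>{_b64(key[1])}</ds:Exponent>"
                "</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></saml:SubjectConfirmationData>")
    return (f'<saml:Subject xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
            f'<saml:SubjectConfirmation Method="{method}">{data}'
            "</saml:SubjectConfirmation></saml:Subject>")

def confirm_subject(subject_xml, presented_key):
    """RP-side decision; assumes the assertion signature was already verified."""
    subject = ET.fromstring(subject_xml)
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        method = sc.get("Method")
        if method == SV:
            # No key to match: the RP must instead trust the attesting sender.
            return "sender-vouches"
        if method == HOK:
            bound = {(_int(k.findtext("ds:Modulus", namespaces=NS)),
                      _int(k.findtext("ds:Exponent", namespaces=NS)))
                     for k in sc.iterfind(".//ds:RSAKeyValue", NS)}
            if presented_key in bound:
                return "holder-of-key-confirmed"
    return "reject"
```

Passing `PROXY_KEY` as the presented key against a token bound to `EEC_KEY` reproduces the rejection described in the message; passing `EEC_KEY` models the proxy that reuses the EEC key.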