Bugzilla – Bug 6506
SAML Holder-of-Key Assertion Request
Last modified: 2008-12-13 10:32:40
According to the SAML Holder-of-Key Assertion Request Profile, the SAML requester is the subject, that is, the subject self-issues a SAML request. The subject presents this request and an X.509 certificate to a SAML identity provider. The subject proves possession of the private key corresponding to the public key of the presented certificate and authenticates to the identity provider by unspecified means. The identity provider consumes the request and issues a response. The identity provider binds data from the X.509 certificate to one or more assertions in the response. The requester validates and consumes the response and outputs the holder-of-key assertion(s).

The SAML Holder-of-Key Assertion Request Profile depends on the SAML Holder-of-Key Assertion Profile:

http://wiki.oasis-open.org/security/SAMLHoKSubjectConfirmation

Also, the SAML Holder-of-Key Assertion Request Profile is related to the SAML Holder-of-Key Web Browser SSO Profile:

http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile

An initial implementation of the latter was contributed by Joana M. F. Trindade through the Google Summer of Code (2008) program. This implementation is the first phase of an implementation plan whose goal is to convert a campus credential (usually a username/password) into a SAML credential.
The SAML V2.0 Holder-of-Key Assertion Request Profiles have been submitted to OASIS: http://wiki.oasis-open.org/security/SAMLHoKAssertionRequest
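
The certificate binding described in the bug description, as an added Python example that is not part of the original report or of the contributed implementation: it checks that a presented certificate matches one carried in a holder-of-key `SubjectConfirmation`. It covers only the `ds:X509Certificate` form of `ds:KeyInfo`; the sample assertion and certificate bytes are constructed placeholders, and signature verification and proof of key possession are assumed to happen elsewhere.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CERT_PATH = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SUBJECT_CERT = b"constructed-subject-certificate-bytes"
OTHER_CERT = b"constructed-unrelated-certificate-bytes"


def sample_assertion(method: str, der: bytes) -> str:
    """Build a constructed, unsigned assertion for the demonstration."""
    b64 = base64.b64encode(der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
        f'<saml:Subject><saml:SubjectConfirmation Method="{method}">'
        "<saml:SubjectConfirmationData><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></saml:SubjectConfirmationData>"
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
    )


def hok_certs(assertion_xml: str) -> list:
    """Return the certificates bound by holder-of-key confirmations only."""
    root = ET.fromstring(assertion_xml)  # expects a <saml:Assertion> root
    certs = []
    for sc in root.iterfind("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK:
            continue  # a bearer confirmation binds no key, even with KeyInfo present
        for node in sc.iterfind(CERT_PATH, NS):
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs


def confirms_holder(assertion_xml: str, presented_der: bytes) -> bool:
    """True only if the presented certificate equals one bound in the assertion.

    Assumes the assertion signature was verified and key possession was proven
    separately (for example by TLS client authentication).
    """
    return any(hmac.compare_digest(c, presented_der) for c in hok_certs(assertion_xml))
```
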