diff --git a/build/check_namespaces.xsl b/build/check_namespaces.xsl
index 5a7956ff..421667b0 100644
--- a/build/check_namespaces.xsl
+++ b/build/check_namespaces.xsl
@@ -13,6 +13,7 @@
 	xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:elab="http://eduserv.org.uk/labels"
+	xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
 	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 	xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
@@ -48,6 +49,10 @@
 		<xsl:apply-templates/>
 	</xsl:template>
 	
+	<xsl:template match="hoksso:*">
+		<xsl:apply-templates/>
+	</xsl:template>
+	
 	<xsl:template match="idpdisc:*">
 		<xsl:apply-templates/>
 	</xsl:template>
diff --git a/mdx/check_bindings.xsl b/mdx/check_bindings.xsl
index 2da6b2e8..61a4c03f 100644
--- a/mdx/check_bindings.xsl
+++ b/mdx/check_bindings.xsl
@@ -41,6 +41,7 @@
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS']
+		[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
 		">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
@@ -134,6 +135,7 @@
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
 		[@Binding != 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP']
+		[@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
 		">
 		<xsl:call-template name="error">
 			<xsl:with-param name="m">
diff --git a/mdx/check_hoksso.xsl b/mdx/check_hoksso.xsl
new file mode 100644
index 00000000..a820f20c
--- /dev/null
+++ b/mdx/check_hoksso.xsl
@@ -0,0 +1,160 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_hoksso.xsl
+	
+	Checking ruleset for the SAML V2.0 Holder-of-Key Web Browser SSO
+	Profile Version 1.0, which can be found here:
+
+        https://wiki.oasis-open.org/security/SamlHoKWebSSOProfile
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:hoksso="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="../build/check_framework.xsl"/>
+
+	<!--
+		Schema checks.
+		
+		The schema itself doesn't help very much as most contexts in which the hoksso
+		namespace is used are subject to "lax" checking.  These checks duplicate some
+		aspects of XML Schema checking as we'd like it to behave.
+	-->
+	
+	<xsl:template match="hoksso:*">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>unknown element hoksso:</xsl:text>
+				<xsl:value-of select="local-name()"/>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="@hoksso:*[local-name() != 'ProtocolBinding']">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>unknown attribute hoksso:</xsl:text>
+				<xsl:value-of select="local-name()"/>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+		hoksso:ProtocolBinding should only appear on md:SingleSignOnService
+		or on md:AssertionConsumerService.
+	-->
+	<xsl:template match="@hoksso:ProtocolBinding
+		[not(parent::md:SingleSignOnService)][not(parent::md:AssertionConsumerService)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>hoksso:ProtocolBinding may not appear on </xsl:text>
+				<xsl:value-of select="name(parent::*)"/>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+		If hoksso:ProtocolBinding appears, there must be a sibling Binding attribute
+		with the appropriate value.
+	-->
+	<xsl:template match="@hoksso:ProtocolBinding
+		[parent::*/@Binding != 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>hoksso:ProtocolBinding requires @Binding of </xsl:text>
+				<xsl:text>urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser</xsl:text>
+				<xsl:text>, saw </xsl:text>
+				<xsl:value-of select="parent::*/@Binding"/>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+		If the HoK SSO @Binding appears, hoksso:ProtocolBinding must appear with one of
+		the valid values.
+	-->
+	
+	<xsl:template match="md:*
+		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+		[not(@hoksso:ProtocolBinding)]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>holder of key SSO @Binding on </xsl:text>
+				<xsl:value-of select="name()"/>
+				<xsl:text> also requires hoksso:ProtocolBinding</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="md:SingleSignOnService
+		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+		[@hoksso:ProtocolBinding]
+		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect']
+		">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
+				<xsl:if test="@hoksso:ProtocolBinding">
+					<xsl:text>, saw </xsl:text>
+					<xsl:value-of select="@hoksso:ProtocolBinding"/>
+				</xsl:if>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="md:AssertionConsumerService
+		[@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']
+		[@hoksso:ProtocolBinding]
+		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact']
+		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
+		[@hoksso:ProtocolBinding != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign']
+		">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>holder of key SSO requires appropriate hoksso:ProtocolBinding</xsl:text>
+				<xsl:if test="@hoksso:ProtocolBinding">
+					<xsl:text>, saw </xsl:text>
+					<xsl:value-of select="@hoksso:ProtocolBinding"/>
+				</xsl:if>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+        Use of SAML 2.0 HoK binding requires SAML 2.0 in protocolSupportEnumeration.
+    -->
+
+	<xsl:template match="md:IDPSSODescriptor
+		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+		[md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>holder of key binding requires SAML 2.0 token in AttributeAuthorityDescriptor/@protocolSupportEnumeration</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="md:SPSSODescriptor
+		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol'))]
+		[md:*/@Binding = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser']">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>holder of key binding requires SAML 2.0 token in SPSSODescriptor/@protocolSupportEnumeration</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+</xsl:stylesheet>
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index af8381c9..cd626861 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -159,6 +159,7 @@
                 <entry key="ds"         value="http://www.w3.org/2000/09/xmldsig#"/>
                 <entry key="dsig11"     value="http://www.w3.org/2009/xmldsig11#"/>
                 <entry key="elab"       value="http://eduserv.org.uk/labels"/>
+                <entry key="hoksso"     value="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"/>
                 <entry key="idpdisc"    value="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"/>
                 <entry key="init"       value="urn:oasis:names:tc:SAML:profiles:SSO:request-init"/>
                 <entry key="md"         value="urn:oasis:names:tc:SAML:2.0:metadata"/>
@@ -423,6 +424,9 @@
         <bean parent="file_parent">
             <constructor-arg value="#{ systemProperties['basedir'] }/xml/sstc-request-initiation.xsd"/>
         </bean>
+        <bean parent="file_parent">
+            <constructor-arg value="#{ systemProperties['basedir'] }/xml/sstc-saml-holder-of-key-browser-sso.xsd"/>
+        </bean>
         <bean parent="file_parent">
             <constructor-arg value="#{ systemProperties['basedir'] }/xml/sstc-saml-idp-discovery.xsd"/>
         </bean>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index d7e0632d..4bff4ecb 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -244,6 +244,18 @@
         </property>
     </bean>
     
+    <!--
+        check_hoksso
+    -->
+    <bean id="check_hoksso" parent="check_xslt_parent"
+        p:id="check_hoksso">
+        <property name="xslResource">
+            <bean parent="file_parent">
+                <constructor-arg value="#{ systemProperties['basedir'] }/mdx/check_hoksso.xsl"/>
+            </bean>
+        </property>
+    </bean>
+        
     <!--
         check_idpdisc
     -->
@@ -562,6 +574,7 @@
             <list>
                 <ref bean="check_adfs"/>
                 <ref bean="check_bindings"/>
+                <ref bean="check_hoksso"/>
                 <ref bean="check_idpdisc"/>
                 <ref bean="check_init"/>
                 <ref bean="check_mdiop"/>
diff --git a/xml/sstc-saml-holder-of-key-browser-sso.xsd b/xml/sstc-saml-holder-of-key-browser-sso.xsd
new file mode 100644
index 00000000..7860d029
--- /dev/null
+++ b/xml/sstc-saml-holder-of-key-browser-sso.xsd
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema
+  targetNamespace="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser"
+  xmlns:xs="http://www.w3.org/2001/XMLSchema"
+  elementFormDefault="qualified"
+  attributeFormDefault="unqualified"
+  blockDefault="substitution"
+  version="2.0">
+
+  <xs:annotation>
+    <xs:documentation>
+      Document title: Schema for SAML V2.0 Holder-of-Key Web Browser SSO Profile
+      Document identifier: sstc-saml-holder-of-key-browser-sso.xsd
+      Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security
+      Revision history:
+	V1.2 (2 November 2008):
+	  Renamed attribute from protocol to ProtocolBinding; targetNamespace changed in accordance with new conventions
+	V1.1 (6 August 2008):
+	  string type changed to anyURI to match original SAML2Meta schema
+        V1.0 (4 August 2008):
+          Initial version.
+    </xs:documentation>
+  </xs:annotation>
+
+  <xs:attribute name="ProtocolBinding" type="xs:anyURI"/>
+
+</xs:schema>