Subject: RE: [saml-dev] Use of ECP Profile
If SP-A is acting as ECP to another SP (say SP-B), then SP-A would indicate that it is an ECP in the HTTP headers so that SP-B would send the request to the SP-A ECP, which would then know where the IdP is.

Regarding the use of ECP, I fully agree that an SP does not have to know where the IdP is, but as in my case, an SP may also be an ECP (in the case of a service chain), it means that each SP in the chain has to know which IdP to use, or that this information is carried in the request for service.

My assumption was that SP-A would indicate that the request was initiated by SP-B (yes, a little white lie) and then the IdP would use the metadata service to locate the information for SP-B.

Regarding your suggestion of not using ECP, does this mean that SP-A would adjust the AssertionConsumerServiceURL attribute to point to SP-B? What would be the workflow?

You can place this information into the relay state area (yes, both SP-A and SP-B have to agree on the format and contents, but that's simple enough).

To complete the request, SP-A needs to invoke a service from SP-B. If SP-A submits an AuthnRequest to the IdP for SP-B, and the IdP sends the AuthnResponse to SP-B, SP-B does not know about the service that is being invoked (as SP-A did not issue the call).

The IdP should not send SP-B's AuthnResponse to SP-A (that would have bad privacy consequences). If the IdP sends the AuthnResponse to SP-A, this requires that SP-A is able to send this back to SP-B with the call parameters.

SP-B gets an AuthnResponse that includes the identification of the IdP and can use this subsequently.

What if we have an arbitrarily long chain? SP-B may in turn call SP-C, which will call SP-D. In this case, how does SP-B know which IdP to contact?
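The RelayState agreement between SP-A and SP-B discussed above, as an added example that is not from the list thread: SP-A packs the originating SP and the requested service into the RelayState and tags it with an HMAC under a key shared with SP-B, and SP-B verifies the tag and age before trusting any field. The shared key, the field layout and the 5-minute window are assumptions of this example; the 80-byte bound is the RelayState limit stated in the SAML 2.0 Bindings specification.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed shared secret: SP-A and SP-B would provision this out of band.
SHARED_KEY = b"example-shared-key-between-sp-a-and-sp-b"
TAG_LEN = 12          # truncated HMAC-SHA256 tag, in bytes (assumed layout)
MAX_RELAY_STATE = 80  # SAML 2.0 Bindings: RelayState MUST NOT exceed 80 bytes


def build_relay_state(orig_sp: str, service: str, issued_at: int, key: bytes = SHARED_KEY) -> str:
    """SP-A side: encode (originating SP, requested service, timestamp) plus an HMAC tag."""
    if "|" in orig_sp or "|" in service:
        raise ValueError("field separator '|' is not allowed inside a field")
    payload = f"{orig_sp}|{service}|{issued_at}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    relay = base64.urlsafe_b64encode(payload + tag).rstrip(b"=").decode()
    # The binding limit applies to the final encoded value, not the raw payload.
    if len(relay) > MAX_RELAY_STATE:
        raise ValueError(f"RelayState would be {len(relay)} bytes, limit is {MAX_RELAY_STATE}")
    return relay


def parse_relay_state(relay: str, now: int, max_age: int = 300, key: bytes = SHARED_KEY):
    """SP-B side: verify tag and freshness first; return (orig_sp, service) or None."""
    try:
        raw = base64.urlsafe_b64decode(relay + "=" * (-len(relay) % 4))
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    parts = payload.decode(errors="replace").split("|")
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    orig_sp, service, issued_at = parts[0], parts[1], int(parts[2])
    if now - issued_at > max_age:                 # stale RelayState is rejected
        return None
    return orig_sp, service
```

Because the HMAC tag only proves the value came from SP-A, SP-B must still decide whether the named originating SP is one it is willing to serve.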