saml-dev message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: RE: [saml-dev] Use of ECP Profile
- From: "Jean-Noel Colin" <jean-noel.colin@oxys.be>
- To: "'Conor P. Cahill'" <concahill@aol.com>
- Date: Tue, 26 Oct 2004 14:48:57 +0200
Conor,
What do you mean by ' broser/ECP you have to pass control of the user (via re-direct)
to the other service.'? What is 'control of the user'? The way I understood the
profile was that when the ECP receives an AuthnRequest from the SP, it simply
forwards it to the IdP, that if necessary, interacts with the user to establish
a security context, and then replies with Authn Assertions. As all exchanges
between modules are SOAP based, I guess we can pass whatever content we want in
the messages, can't we?
In any case, I don't want the SP to interact with
the user directly or handle UI to authenticate him.
I might have not been clear while explaining my
architecture, so let me put a small picture:
As you can see, users are only known by their Managed
Learning Environment (MLE). This is an autonomous application, which does its
own user management, and, among other tasks, performs users authentication. This
software is accessed through a web interface (portal).
We are building extensions to this platform, that take the
form of 'services', i.e. external modules, running in arbitrary locations,
accessible only through a Web Service interface. The conductor itself is a
service, that is used to 'orchestrate' the invocation of the 'core' services.
Our requirement is that a service should only serve request
from authenticated sources, i.e. from a user's session at a MLE who has
successfully authenticated. The only existing piece of software that we will
reuse is the MLE; all services will be written from scratch. The way I see it is
that the MLE should present an interface to the Services that allows it to play
an IdP role (or whatever role is required). Any developed service should be
'SSO-enabled', i.e. include the steps to meet the identity requirement described
above.
So I guess in that model, the MLE would play the role of
IdP, while the Services (including the Conductor) would act as Service
Providers. So I thought interaction between MLE and Conductor could follow the
ECP profile, but I could not see how interaction between Conductor and Services
would fit in this model.
So looking at this picture, what would be your
recommendation? I must say that for political reasons (that I personally
regret), Liberty can't be implemented as such, although we will probably end up
implementing something similar.
Once again, thank you very much for your
help
Jean-Noel
Jean-Noel Colin wrote on 10/25/2004, 2:24 PM:
Conor,
Could you
please explain in a few words why using browser/ECP is so different from
service to service web service model? I thought that the calling service might
be considered as an ECP in the ECP
model.
Because in order to use broser/ECP you have to
pass control of the user (via re-direct) to the other service. You can
invoke services this way (by putting data in an agreed to place in the URL
and/or form data (as we do for AuthnRequest)), but SP-A would loose control of
the user. This is not a real server-to-server call and has alot of
repercussions for the SP and for the user.
You might ask: Is it possible
that an SP can act as an ECP and handle all the necessary UI in order to
authenticate a user?
The answer would, for the most part, be NO because
the IdP likely has stored some session related information in the ECP sitting in
front of SP-A which would not be available in the emulated ECP at SP-A, so the
user would have to be prompted for credentials (since the IdP would not find an
existing session cookie in the ECP) at each step of the process, thereby loosing
any potential benefit of SSO.
Conor
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]