saml-dev message
Subject: Re: [saml-dev] ECP client redirects


> On Oct 8, 2015, at 10:41 AM, John Dennis <jdennis@redhat.com> wrote:
> 
> I'm trying to clarify the following 2 questions (1 & 2):
> 
> 1) Is an ECP client required to be able to handle redirect responses from an IdP after posting an AuthnRequest to the IdP SOAP binding endpoint?

No, it is not. 

An ECP may be an HTTP “server”, for example. Or any other non-browser software application.

> 
> I can't find this in any of the SAML specifications, if you have a pointer that would be appreciated.
> 
> It would help to have context for the question. We have an IdP implementation whose architecture relies on redirecting to its own endpoints while it is processing an AuthnRequest; the redirect is not internal, it relies on the browser to follow the redirect. This was never an issue for Web SSO using the HTTP-Redirect or HTTP-POST bindings because browsers happily followed the redirect.
> 
> However, an ECP client is supposed to be a much less capable HTTP client, and ECP, unlike Web SSO, does not inherently have the concept of redirects (with the exclusion of the final SP response).
> 
> Reading between the lines of the SAML specs, the assumption seems to be that posting an AuthnRequest is akin to a REST API call, a simple request/response.

I think this is more than an assumption. 

An ECP is explicitly an “active” client, in the sense that it doesn’t simply forward anything to anyone. It must inspect and add HTTP headers, and possibly do other things.

> It also seems one of the design goals, at least with ECP, is avoiding redirection to unknown IdPs. If the IdP responds with a redirect it then becomes the client's responsibility to verify the redirect is back to the original IdP, an unnecessary burden for the ECP client.
> 
> The above raises the next general SAML question.
> 
> 2) Are redirects after submitting an AuthnRequest to an IdP SSO binding endpoint permitted if the IsPassive flag is True?
> 
> One way of interpreting the IsPassive flag is the IdP is supposed to immediately respond with a SAMLResponse, if this is the case then performing redirects before responding with a SAMLResponse would appear to violate that.

The idea of isPassive is to allow the entire SAML process to take place without user interaction. It’s important to note that this likely should imply that the user already has an authenticated session with the IdP, which also implies that the IdP may ignore isPassive (say if the user does not have an active session). Redirects may be fine though as long as they don’t cause interaction with the user.

- johnk
 
> 
> Thanks!
> 
> -- 
> John
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org
> 
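The two answers above (an ECP client does not follow IdP redirects; an IdP may ignore IsPassive when there is no session) translate into concrete handling of the IdP's HTTP response. The following is an added example written for this archive page, not code from either poster or from any SAML implementation. It assumes a hypothetical IdP SOAP endpoint URL, constructs its own sample SOAP envelopes, and goes slightly beyond the thread by also surfacing the SAML `NoPassive` status code so that an IdP that declined IsPassive is not mistaken for a successful response.

```python
"""IdP leg of an ECP client: POST the SOAP-wrapped AuthnRequest, refuse
redirects, and report the SAML status carried in the response.

Added example. The endpoint URL, message IDs and envelopes below are
constructed for illustration and are not taken from the mailing-list thread.
"""
import http.client
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NOPASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


class ECPProtocolError(Exception):
    """The IdP answered with something an ECP client must not act on."""


@dataclass
class IdPOutcome:
    saml_status: str        # StatusCode/@Value from the samlp:Response
    envelope: ET.Element    # parsed SOAP envelope, for the SP leg


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def check_idp_response(status, headers, body):
    """Apply the thread's rules to one HTTP response from the IdP SOAP endpoint."""
    # An ECP client is not a browser: a 3xx is a protocol failure, not a hop to follow.
    if 300 <= status < 400:
        raise ECPProtocolError(
            f"IdP redirected ({status}) to {_header(headers, 'Location')!r}; not followed")
    if status != 200:
        raise ECPProtocolError(f"unexpected HTTP status {status} from IdP")
    ctype = _header(headers, "Content-Type")
    if not ctype.startswith(("text/xml", "application/soap+xml")):
        raise ECPProtocolError(f"unexpected Content-Type {ctype!r} from IdP")
    env = ET.fromstring(body)
    resp = env.find("S:Body/samlp:Response", NS)
    if resp is None:
        raise ECPProtocolError("SOAP body carries no samlp:Response")
    # Surface the SAML status: NoPassive means the IdP had no session and
    # declined IsPassive, which the caller must not treat as success.
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    return IdPOutcome(code.get("Value", "") if code is not None else "", env)


def post_authn_request(idp_soap_url, envelope, timeout=15):
    """POST the envelope to the IdP SOAP binding endpoint (hypothetical URL).

    http.client is used deliberately: unlike urllib's default opener it never
    follows redirects, so check_idp_response sees the raw 3xx.
    """
    u = urlparse(idp_soap_url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("POST", u.path or "/", body=envelope, headers={
            "Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": "http://www.oasis-open.org/committees/security",
        })
        resp = conn.getresponse()
        return check_idp_response(resp.status, dict(resp.getheaders()), resp.read())
    finally:
        conn.close()


def _envelope(status_code):
    """Constructed SOAP envelope wrapping a samlp:Response with the given StatusCode."""
    return f'''<S:Envelope xmlns:S="{NS["S"]}">
  <S:Body>
    <samlp:Response xmlns:samlp="{NS["samlp"]}" ID="_constructed-resp"
        Version="2.0" IssueInstant="2015-10-08T14:41:00Z">
      <samlp:Status><samlp:StatusCode Value="{status_code}"/></samlp:Status>
    </samlp:Response>
  </S:Body>
</S:Envelope>'''.encode()


# Constructed sample IdP answers (status, headers, body); not captured traffic.
SAMPLE_SUCCESS = (200, {"Content-Type": "text/xml"}, _envelope(STATUS_SUCCESS))
SAMPLE_NOPASSIVE = (200, {"Content-Type": "text/xml"}, _envelope(STATUS_NOPASSIVE))
SAMPLE_REDIRECT = (302, {"Location": "https://idp.example/login", "Content-Type": "text/html"}, b"")


def is_rejected(sample):
    """True when check_idp_response refuses the sample response."""
    try:
        check_idp_response(*sample)
        return False
    except ECPProtocolError:
        return True


if __name__ == "__main__":
    for name, s in [("success", SAMPLE_SUCCESS), ("nopassive", SAMPLE_NOPASSIVE), ("redirect", SAMPLE_REDIRECT)]:
        print(name, "rejected" if is_rejected(s) else check_idp_response(*s).saml_status)
```

The separation matters for the IsPassive question: a 200 response is still not a usable assertion when the IdP answered `NoPassive`, and a redirect, even one back to the same IdP, never reaches the SP leg because the client fails it before anything is forwarded.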