

Subject: Re: [security-services] ECP



Here is my understanding (partially from implementing the original
Liberty PAOS spec):

After ECP talked to SP and published the PAOS service it is hosting,
SP and ECP could still talk non-PAOS back and forth, as many times as
they wish, and then at one point, SP decides to send ECP a PAOS request
which contains AuthnRequest. From then on things fall into SAML 2 spec
domain.


Thanks,
Adam



Scott Cantor wrote:
>>One other question on the ECP's initial request -- the ECP 
>>does require that the response (first response) back from the 
>>SP to be the SAML AuthnRequest using PAOS. Is that correct? 
> 
> 
> Hmmm, I'd think that the point is to eventually initiate the profile, but
> until you do, you're just "doing stuff with the client".
> 
> 
>>I.e., the SP cannot do any additional interactions that the 
>>ECP would be able to handle (e.g., an HTTP 302 redirection 
>>from the resource protecting filter to a SAML requester 
>>service) where the eventual response would be the SAML 
>>AuthnRequest using PAOS?
> 
> 
> I can't see how that would be illegal, given that the client really isn't
> "doing the profile" until it gets back the PAOS envelope. As long as the
> HTTP request that results in the PAOS response contains the headers that
> indicate the client is prepared to do the profile...
> 
> Anyway, that's how I would read it, dunno about anyone else. I did a lot of
> work on the exact headers flowing around, but the profile by and large is
> just work done by the original author who mapped the ID-FF profile to PAOS,
> so I'm not exactly the "bible" on this.
> 
> -- Scott
> 
> 
> 
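
The reading discussed in this thread, as an added example that is not part of the original messages or of any SAML implementation: the SP decides per request, so a 302 from a resource filter is an ordinary exchange and the PAOS AuthnRequest goes out only on a request that itself carries the ECP indications. The paths `/protected` and `/saml/requester` and all function names are hypothetical; the header values are those defined by the SAML 2.0 ECP profile and the Liberty PAOS binding.

```python
import re

# Values defined by the SAML 2.0 ECP profile and the Liberty PAOS binding.
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
PAOS_VERSION = "urn:liberty:paos:2003-08"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"


def parse_paos_header(value):
    """Split a PAOS header into (supported versions, advertised services)."""
    parts = [p.strip() for p in value.split(";")]
    versions = set(re.findall(r'ver\s*=\s*"([^"]*)"', parts[0]))
    services = set()
    for part in parts[1:]:
        quoted = re.findall(r'"([^"]*)"', part)
        if quoted:  # first quoted string is the service URI, the rest are options
            services.add(quoted[0])
    return versions, services


def client_advertises_ecp(headers):
    """True only if THIS request carries both the Accept and PAOS indications."""
    h = {k.lower(): v for k, v in headers.items()}
    media = [m.strip().lower() for m in re.split(r"[,;]", h.get("accept", ""))]
    versions, services = parse_paos_header(h.get("paos", ""))
    return (PAOS_MEDIA_TYPE in media
            and PAOS_VERSION in versions
            and ECP_SERVICE in services)


def sp_respond(path, headers):
    """Hypothetical SP: a filter on /protected redirects to /saml/requester."""
    if path == "/protected":
        return "302 /saml/requester"          # ordinary, non-PAOS interaction
    if path == "/saml/requester":
        if client_advertises_ecp(headers):
            return "PAOS AuthnRequest"        # the profile starts here
        return "browser SSO"                  # no indication: never send PAOS
    return "404"


# Constructed sample headers.
ECP_HEADERS = {
    "Accept": "text/html, application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";'
            '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}
BROWSER_HEADERS = {"Accept": "text/html"}
```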


