saml-dev message



Subject: Re: [saml-dev] Use of ECP Profile



Jean-Noel Colin wrote on 10/25/2004, 6:25 AM:

> If I base myself on the ECP profile, I guess that each service should send its own AuthnRequest to the IdentityProvider, but as the services may be distributed, I don't think I could use the Identity Provider Discovery Profile, which requires a common domain.

I'm not sure you need ECP at all, but with the ECP, the SPs don't need to know where the IdP is, the ECP can know and direct the request appropriately.  This depends on an intelligent client/proxy to do the IdP locating work.

Without the ECP, you can do what you are trying to do by pushing the authentications to the appropriate service (so that when the user is at SP-A, and the SP wants to send the user to SP-B, SP-A can submit an AuthnRequest to the IdP that it already knows about asking for an authentication at SP-B).  SP-B would have to be able to deal with such an incoming request, but that's simply a trust model.

The only issue would be the fact that SP-B would receive an unrequested AuthnResponse that was associated with an AuthnRequest that it did not submit.  To safely work around that, the two could agree on some authenticator to be placed in the relay state.


Conor
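The "authenticator in the relay state" idea from the message above, as an added example that is not part of Conor's post or of any SAML implementation. It assumes (my choice, not stated in the thread) that SP-A and SP-B share a secret and that the authenticator is an HMAC over SP-A's AuthnRequest ID, which SP-B compares against the InResponseTo of the otherwise-unsolicited response; the key, issuer URL and request IDs are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed sample value: a secret pre-shared between SP-A and SP-B (assumption).
SHARED_KEY = b"constructed-shared-secret-between-sp-a-and-sp-b"
MAX_AGE_SECONDS = 300


def make_relay_state(request_id: str, issuer: str, key: bytes = SHARED_KEY, now=None) -> str:
    """SP-A side: build a RelayState that authenticates the AuthnRequest ID SP-A issued,
    so SP-B can tell this response apart from an arbitrary unsolicited one."""
    ts = str(int(time.time()) if now is None else now)
    nonce = secrets.token_hex(8)  # makes every RelayState distinct
    payload = f"{issuer}|{request_id}|{ts}|{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{tag}".encode()).decode()


def verify_relay_state(relay_state: str, in_response_to: str, key: bytes = SHARED_KEY,
                       now=None, max_age: int = MAX_AGE_SECONDS):
    """SP-B side: accept the response only if RelayState carries a valid authenticator
    bound to the response's InResponseTo. Returns (ok, issuer-or-reason)."""
    try:
        decoded = base64.urlsafe_b64decode(relay_state.encode()).decode()
        issuer, request_id, ts, nonce, tag = decoded.split("|")
        issued_at = int(ts)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return False, "malformed relay state"
    payload = f"{issuer}|{request_id}|{ts}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the authenticator before trusting any field.
    if not hmac.compare_digest(expected, tag):
        return False, "bad authenticator"
    if request_id != in_response_to:
        return False, "InResponseTo does not match the authenticated request id"
    age = (int(time.time()) if now is None else now) - issued_at
    if age < 0 or age > max_age:
        return False, "relay state expired"
    return True, issuer


if __name__ == "__main__":
    rs = make_relay_state("_req123", "https://sp-a.example/constructed")
    print(verify_relay_state(rs, "_req123"))  # (True, 'https://sp-a.example/constructed')
```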


