OASIS Mailing List Archives
saml-dev message



Subject: RE: [saml-dev] Use of ECP Profile


Dear Conor,
 
Thank you very much for your suggestion.
 
Regarding the use of ECP, I fully agree that a SP does not have to know where the IdP is, but as in my case, a SP may also be an ECP (in the case of a service chain), it means that each SP in the chain has to know which IdP to use, or that this information is carried in the request for service.
 
Regarding your suggestion of not using ECP, does this mean that SP-A would adjust the AssertionConsumerServiceURL attribute to point to SP-B? What would be the workflow?
 
User's environment (UE) invokes SP-A
SP-A sends an AuthnReq to UE
UE sends the AuthnReq to its (known) IdP
IdP responds to UE with a Response containing AuthnAssertions
UE sends this response to SP-A
 
To complete the request, SP-A needs to invoke a service from SP-B.
If SP-A submits an AuthnRequest to the IdP for SP-B and the IdP sends the AuthnResponse to SP-B, SP-B does not know about the service that is being invoked (as SP-A did not issue the call).
If IdP sends the AuthnResponse to SP-A, this requires that SP-A is able to send this back to SP-B with the call parameters.
 
What if we have an arbitrarily long chain? SP-B may in turn call SP-C which will call SP-D. In this case, how does SP-B know which IdP to contact?
 
Thanks a lot for your help
 
Jean-Noel
 


From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: Monday 25 October 2004 13:40
To: Jean-Noel Colin
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] Use of ECP Profile


Jean-Noel Colin wrote on 10/25/2004, 6:25 AM:

> If I base myself on the ECP profile, I guess that each service should send its own AuthnRequest to the IdentityProvider, but as the services may be distributed, I don't think I could use the Identity Provider Discovery Profile, which requires a common domain.

I'm not sure you need ECP at all, but with the ECP, the SPs don't need to know where the IdP is, the ECP can know and direct the request appropriately.  This depends on an intelligent client/proxy to do the IdP locating work.

Without the ECP, you can do what you are trying to do by pushing the authentications to the appropriate service (so that when the user is at SP-A, and the SP wants to send the user to SP-B, SP-A can submit an AuthnRequest to the IdP that it already knows about asking for an authentication at SP-B).  SP-B would have to be able to deal with such an incoming request, but that's simply a trust model.

The only issue would be the fact that SP-B would receive an unrequested AuthnResponse that was associated with an AuthnRequest that it did not submit.  To safely work around that, the two could agree on some authenticator to be placed in the relay state.


Conor

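Conor's suggestion of an agreed authenticator in the RelayState, worked through as an added example (this is not code from either correspondent): SP-A issues the AuthnRequest with AssertionConsumerServiceURL pointing at SP-B, and the RelayState carries the request ID plus a truncated HMAC under a key assumed to be shared between SP-A and SP-B out of band; SP-B checks the tag, the expiry, its own ACS URL and the Response's InResponseTo before it trusts an AuthnResponse it never requested. The entity names, URLs and key are constructed; fetching the call parameters from SP-A by request ID is left out.

```python
import base64, hashlib, hmac, struct, time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SHARED_KEY = b"constructed-demo-key-agreed-by-SP-A-and-SP-B"  # assumption: agreed out of band
TAG_LEN = 16  # truncated HMAC-SHA256; keeps RelayState well under the 80-byte binding limit

def build_authn_request(issuer_a, acs_url_b, idp_sso_url, req_id_bytes):
    """SP-A builds the AuthnRequest; AssertionConsumerServiceURL points at SP-B, not SP-A."""
    req_id = "_" + req_id_bytes.hex()  # XML IDs must not start with a digit
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url_b,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer_a
    return req_id, ET.tostring(req, encoding="unicode")

def make_relay_state(req_id_bytes, acs_url_b, now, ttl=300):
    """Authenticator for RelayState: exp || request id || HMAC(key, exp || id || SP-B ACS URL)."""
    body = struct.pack(">I", int(now) + ttl) + req_id_bytes
    tag = hmac.new(SHARED_KEY, body + acs_url_b.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode()

def verify_relay_state(relay_state, in_response_to, my_acs_url, now):
    """SP-B accepts the unsolicited Response only if RelayState proves SP-A requested it for this ACS."""
    try:
        raw = base64.urlsafe_b64decode(relay_state.encode())
    except ValueError:  # binascii.Error is a ValueError
        return False
    if len(raw) != 4 + 16 + TAG_LEN:
        return False
    body, tag = raw[:20], raw[20:]
    # Bind the MAC to our own ACS URL so a token minted for another SP is rejected
    expected = hmac.new(SHARED_KEY, body + my_acs_url.encode(), hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return False
    exp = struct.unpack(">I", body[:4])[0]
    if now > exp:
        return False
    # The Response's InResponseTo must name the request SP-A actually issued
    return "_" + body[4:].hex() == in_response_to
```

In a deployment the request ID bytes come from a CSPRNG (for example `secrets.token_bytes(16)`); the test below fixes them so the result is reproducible.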

