
saml-dev message



Subject: RE: [saml-dev] Use of ECP Profile




Jean-Noel Colin wrote on 10/25/2004, 2:24 PM:

Conor,
 
Could you please explain in a few words why using browser/ECP is so different from service to service web service model? I thought that the calling service might be considered as an ECP in the ECP model.

Because in order to use browser/ECP you have to pass control of the user (via redirect) to the other service. You can invoke services this way (by putting data in an agreed-to place in the URL and/or form data (as we do for AuthnRequest)), but SP-A would lose control of the user. This is not a real server-to-server call and has a lot of repercussions for the SP and for the user.

You might ask: Is it possible that an SP can act as an ECP and handle all the necessary UI in order to authenticate a user?

The answer would, for the most part, be NO because the IdP likely has stored some session-related information in the ECP sitting in front of SP-A which would not be available in the emulated ECP at SP-A, so the user would have to be prompted for credentials (since the IdP would not find an existing session cookie in the ECP) at each step of the process, thereby losing any potential benefit of SSO.

Conor


