RE: [saml-dev] Use of ECP Profile

["Jean-Noel Colin" <jean-noel.colin@oxys.be>]

Conor,

 

What do you mean by ' broser/ECP you have to pass control of the user (via re-direct) to the other service.'? What is 'control of the user'? The way I understood the profile was that when the ECP receives an AuthnRequest from the SP, it simply forwards it to the IdP, that if necessary, interacts with the user to establish a security context, and then replies with Authn Assertions. As all exchanges between modules are SOAP based, I guess we can pass whatever content we want in the messages, can't we?

In any case, I don't want the SP to interact with the user directly or handle UI to authenticate him.

 

I might have not been clear while explaining my architecture, so let me put a small picture:

 

As you can see, users are only known by their Managed Learning Environment (MLE). This is an autonomous application, which does its own user management, and, among other tasks, performs users authentication. This software is accessed through a web interface (portal).

We are building extensions to this platform, that take the form of 'services', i.e. external modules, running in arbitrary locations, accessible only through a Web Service interface. The conductor itself is a service, that is used to 'orchestrate' the invocation of the 'core' services.

Our requirement is that a service should only serve request from authenticated sources, i.e. from a user's session at a MLE who has successfully authenticated. The only existing piece of software that we will reuse is the MLE; all services will be written from scratch. The way I see it is that the MLE should present an interface to the Services that allows it to play an IdP role (or whatever role is required). Any developed service should be 'SSO-enabled', i.e. include the steps to meet the identity requirement described above.

 

So I guess in that model, the MLE would play the role of IdP, while the Services (including the Conductor) would act as Service Providers. So I thought interaction between MLE and Conductor could follow the ECP profile, but I could not see how interaction between Conductor and Services would fit in this model.

 

So looking at this picture, what would be your recommendation? I must say that for political reasons (that I personally regret), Liberty can't be implemented as such, although we will probably end up implementing something similar.

 

Once again, thank you very much for your help

 

Jean-Noel

 

---

From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: lundi 25 octobre 2004 20:52
To: Jean-Noel Colin
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] Use of ECP Profile

Jean-Noel Colin wrote on 10/25/2004, 2:24 PM:

Conor,

 

Could you please explain in a few words why using browser/ECP is so different from service to service web service model? I thought that the calling service might be considered as an ECP in the ECP model.

Because in order to use broser/ECP you have to 
pass control of the user (via re-direct) to the other service.  You can 
invoke services this way (by putting data in an agreed to place in the URL 
and/or form data (as we do for AuthnRequest)), but SP-A would loose control of 
the user.  This is not a real server-to-server call and has alot of 
repercussions for the SP and for the user.

You might ask: Is it possible 
that an SP can act as an ECP and handle all the necessary UI in order to 
authenticate a user?

The answer would, for the most part, be NO because 
the IdP likely has stored some session related information in the ECP sitting in 
front of SP-A which would not be available in the emulated ECP at SP-A, so the 
user would have to be prompted for credentials (since the IdP would not find an 
existing session cookie in the ECP) at each step of the process, thereby loosing 
any potential benefit of SSO.

Conor