[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] Use of ECP Profile
Jean-Noel,

Just to add to Conor's (correct!) answer - with an ECP, it is assumed that there is a very close connection between the ECP and some actual person operating the ECP (either the ECP /is/ part of the browsing software, or the ECP is part of some browsing proxy software). This gives both the SP and the IdP the chance to throw up some kind of immediate, obvious challenge to a real person (like a web page login form!). In a true web services world, one cannot /assume/ that either web service consumer or provider can throw a login form to an actual user. The ECP is thus specifically intended for /web/ SSO, allowing the ECP to initiate this process as an intermediary between an SP and an IdP.

Cheers,
- JohnK

Conor P. Cahill wrote:
>Jean-Noel Colin wrote on 10/25/2004, 2:24 PM:
>
>> Conor,
>>
>> Could you please explain in a few words why using browser/ECP is so different
>> from the service-to-service web service model? I thought that the calling service
>> might be considered as an ECP in the ECP model.
>
>Because in order to use browser/ECP you have to pass control of the user (via
>re-direct) to the other service. You can invoke services this way (by putting
>data in an agreed-to place in the URL and/or form data (as we do for
>AuthnRequest)), but SP-A would lose control of the user. This is not a real
>server-to-server call and has a lot of repercussions for the SP and for the user.
>
>You might ask: Is it possible that an SP can act as an ECP and handle all the
>necessary UI in order to authenticate a user?
>
>The answer would, for the most part, be NO because the IdP likely has stored
>some session related information in the ECP sitting in front of SP-A which would
>not be available in the emulated ECP at SP-A, so the user would have to be
>prompted for credentials (since the IdP would not find an existing session
>cookie in the ECP) at each step of the process, thereby losing any potential
>benefit of SSO.
>
>Conor
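The two hand-offs the thread contrasts, as an added example that is not part of the original thread and not code from any SAML implementation: in browser SSO the SP puts the AuthnRequest in "an agreed-to place in the URL" (the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode) and redirects the user agent to the IdP, giving up control of the user; in the ECP profile the SP instead returns the AuthnRequest to the client itself inside a PAOS SOAP envelope, and the client (which holds whatever session the IdP established with it) carries it to the IdP and brings the response back to the responseConsumerURL. Entity IDs, endpoint URLs, the request ID and the timestamp below are placeholders constructed for the example; the IdP-side Destination check and the inflation size cap are the checks a practitioner would add, not something the thread describes.

```python
"""Browser SSO vs ECP: how an SP hands an AuthnRequest to the party that carries it
to the IdP.  Added illustration; all identifiers and URLs are constructed placeholders."""
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_PAOS = "urn:liberty:paos:2003-08"
NS_ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SOAP_ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
NS_MAP = {"S": NS_SOAP, "paos": NS_PAOS, "ecp": NS_ECP, "samlp": NS_SAMLP}
MAX_REQUEST_BYTES = 1 << 20  # cap on inflated size: a tiny deflate stream can expand enormously

# Headers an ECP-capable client sends so the SP answers with PAOS instead of a redirect
ECP_CLIENT_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": f'ver="{NS_PAOS}";"{NS_ECP}"',
}


def build_authn_request(issuer, acs_url, destination, request_id, issue_instant):
    """Minimal unsigned AuthnRequest (a real SP would sign it)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
    )


def encode_redirect_binding(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    The SP sends a 302 to the IdP with this query string and loses the user agent."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = [("SAMLRequest", base64.b64encode(deflated).decode("ascii"))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    return urllib.parse.urlencode(params)


def decode_redirect_binding(query):
    """IdP side: reverse the binding, refusing payloads that inflate past the cap."""
    params = urllib.parse.parse_qs(query, strict_parsing=True)
    raw = base64.b64decode(params["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_REQUEST_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("SAMLRequest exceeds size limit after inflation")
    return xml_bytes.decode("utf-8"), params.get("RelayState", [None])[0]


def check_request_destination(xml_text, expected_sso_url):
    """IdP side: the request must be an AuthnRequest addressed to this endpoint."""
    root = ET.fromstring(xml_text)
    return (root.tag == f"{{{NS_SAMLP}}}AuthnRequest"
            and root.get("Destination") == expected_sso_url)


def wrap_paos_envelope(xml_text, response_consumer_url, issuer):
    """ECP: the SP answers the client's own request with a SOAP envelope.  The paos:Request
    header tells the client where the IdP's response must be delivered; the body holds
    the same AuthnRequest the client will forward to the IdP it selects."""
    return (
        f'<S:Envelope xmlns:S="{NS_SOAP}"><S:Header>'
        f'<paos:Request xmlns:paos="{NS_PAOS}" S:mustUnderstand="1" S:actor="{SOAP_ACTOR_NEXT}" '
        f'responseConsumerURL="{response_consumer_url}" service="{NS_ECP}"/>'
        f'<ecp:Request xmlns:ecp="{NS_ECP}" xmlns:saml="{NS_SAML}" S:mustUnderstand="1" '
        f'S:actor="{SOAP_ACTOR_NEXT}" IsPassive="false"><saml:Issuer>{issuer}</saml:Issuer>'
        f'</ecp:Request></S:Header><S:Body>{xml_text}</S:Body></S:Envelope>'
    )


def unwrap_paos_envelope(envelope):
    """ECP client: extract where the response must go and the AuthnRequest to carry to the IdP."""
    root = ET.fromstring(envelope)
    paos_req = root.find("S:Header/paos:Request", NS_MAP)
    authn = root.find("S:Body/samlp:AuthnRequest", NS_MAP)
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP AuthnRequest envelope")
    return paos_req.get("responseConsumerURL"), authn


if __name__ == "__main__":
    req = build_authn_request("https://sp.example/metadata", "https://sp.example/acs",
                              "https://idp.example/sso", "_c0ffee01", "2004-10-25T14:24:00Z")
    query = encode_redirect_binding(req, "/after-login")
    print("302 Location: https://idp.example/sso?" + query[:60] + "...")
    xml_text, relay = decode_redirect_binding(query)
    print("IdP accepts:", check_request_destination(xml_text, "https://idp.example/sso"), relay)
    url, authn = unwrap_paos_envelope(wrap_paos_envelope(req, "https://sp.example/acs",
                                                         "https://sp.example/metadata"))
    print("ECP client must return the response to", url, "for request", authn.get("ID"))
```

In the redirect case the IdP only ever sees the request because the user agent carried it, together with any session cookie the IdP previously set in that user agent; that is the state an SP emulating the client would not have. In the ECP case the envelope comes back to the client over the connection the client opened, so the SP never redirects and the client, not the SP, chooses the IdP and presents whatever it holds for that IdP.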