OASIS Mailing List Archives

saml-dev message


Subject: Re: [saml-dev] Use of ECP Profile


Jean-Noel,

Just to add to Conor's (correct!) answer - with an ECP, it is assumed 
that there is a very close connection between the ECP and some actual 
person operating the ECP (either the ECP /is/ part of the browsing 
software, or the ECP is part of some browsing proxy software). This 
gives both the SP and the IdP the chance to throw up some kind of 
immediate, obvious challenge to a real person (like a web page login 
form!). In a true web services world, one cannot /assume/ that either 
web service consumer or provider can throw a login form to an actual 
user. The ECP is thus specifically intended for /web/ SSO, allowing the 
ECP to initiate this process as an intermediary between an SP and an IdP.

Cheers,

- JohnK

Conor P. Cahill wrote:

>Jean-Noel Colin wrote on 10/25/2004, 2:24 PM:
>
>> Conor,
>>  
>> Could you please explain in a few words why using browser/ECP is so different 
>> from service to service web service model? I thought that the calling service 
>> might be considered as an ECP in the ECP model.
>
>Because in order to use browser/ECP you have to pass control of the user (via 
>re-direct) to the other service.  You can invoke services this way (by putting 
>data in an agreed-to place in the URL and/or form data (as we do for 
>AuthnRequest)), but SP-A would lose control of the user.  This is not a real 
>server-to-server call and has a lot of repercussions for the SP and for the user.
>
>You might ask: Is it possible that an SP can act as an ECP and handle all the 
>necessary UI in order to authenticate a user?
>
>The answer would, for the most part, be NO because the IdP likely has stored 
>some session related information in the ECP sitting in front of SP-A which would 
>not be available in the emulated ECP at SP-A, so the user would have to be 
>prompted for credentials (since the IdP would not find an existing session 
>cookie in the ECP) at each step of the process, thereby losing any potential 
>benefit of SSO.
>
>Conor
>
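The point both replies make, as an added example that is not part of the thread or of any SAML implementation: a toy model of the ECP exchange (SP sends a PAOS-bound AuthnRequest to the client, the client forwards it to the IdP over SOAP, the IdP's Response is delivered to the SP's assertion consumer service). It deliberately simplifies the real profile, so messages are plain dicts rather than signed SAML XML, and the IdP session is a bare cookie string. The entity IDs, the user "alice" and her password are constructed sample data. The session cookie lives in the ECP next to the user, so a second SP gets SSO without a prompt, while an SP that merely emulates an ECP holds no such cookie and forces a fresh credential challenge.

```python
"""Toy model of the SAML ECP flow (added example, simplified: dicts, no XML/signing)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class IdP:
    users: dict                                    # username -> password (constructed)
    sessions: dict = field(default_factory=dict)   # cookie -> username; this is the SSO state

    def login(self, username: str, password: str) -> str:
        """Authenticate the human and hand back a session cookie."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def handle_authn_request(self, authn_request: dict, cookie):
        """SOAP-bound AuthnRequest from the ECP. A valid session cookie yields a
        Response at once; None means the ECP has to challenge the user first."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        return {"InResponseTo": authn_request["ID"],
                "Destination": authn_request["AssertionConsumerServiceURL"],
                "Subject": user}


@dataclass
class SP:
    entity_id: str
    issued: dict = field(default_factory=dict)     # outstanding request ID -> ACS URL

    def paos_request(self) -> dict:
        """Step 1: answer an ECP-capable client with a PAOS-bound AuthnRequest."""
        req = {"ID": "_" + secrets.token_hex(8), "Issuer": self.entity_id,
               "AssertionConsumerServiceURL": f"https://{self.entity_id}/saml/acs"}
        self.issued[req["ID"]] = req["AssertionConsumerServiceURL"]
        return req

    def consume_response(self, response: dict) -> str:
        """Step 4: the ECP delivers the Response to the ACS. Reject anything the SP
        did not ask for (unsolicited/replayed) or that was addressed elsewhere."""
        expected_acs = self.issued.pop(response["InResponseTo"], None)
        if expected_acs is None:
            raise ValueError("unsolicited or replayed Response")
        if response["Destination"] != expected_acs:
            raise ValueError("Response addressed to a different ACS")
        return response["Subject"]


class ECP:
    """Enhanced client sitting with the user; the only party holding the IdP cookie."""

    def __init__(self, idp: IdP, prompt_user):
        self.idp = idp
        self.prompt_user = prompt_user   # callable that challenges the human, returns (user, pw)
        self.idp_cookie = None

    def sso(self, sp: SP) -> str:
        req = sp.paos_request()                                     # 1. SP -> ECP (PAOS)
        resp = self.idp.handle_authn_request(req, self.idp_cookie)  # 2. ECP -> IdP (SOAP)
        if resp is None:                 # no IdP session: throw up the login challenge
            self.idp_cookie = self.idp.login(*self.prompt_user())
            resp = self.idp.handle_authn_request(req, self.idp_cookie)
        return sp.consume_response(resp)                            # 3/4. ECP -> SP (ACS)


def demo() -> tuple:
    """Return (prompts a real ECP needs across two SPs,
               prompts needed when SP-A emulates an ECP for the same user)."""
    idp = IdP(users={"alice": "correct horse battery"})   # constructed sample user
    prompts = []

    def prompt_user():
        prompts.append(1)
        return "alice", "correct horse battery"

    ecp = ECP(idp, prompt_user)
    sp_a, sp_b = SP("sp-a.example"), SP("sp-b.example")
    assert ecp.sso(sp_a) == "alice"      # first SP: user is challenged once
    assert ecp.sso(sp_b) == "alice"      # second SP: cookie reused, no challenge (SSO)
    real_ecp_prompts = len(prompts)

    # SP-A acting as an ECP: it has no copy of the user's IdP cookie, so the IdP
    # sees no session and the user is prompted all over again.
    emulated_at_sp_a = ECP(idp, prompt_user)
    assert emulated_at_sp_a.sso(sp_b) == "alice"
    return real_ecp_prompts, len(prompts) - real_ecp_prompts


if __name__ == "__main__":
    print(demo())   # (1, 1)
```

Running it shows one prompt for the real ECP across both SPs and one more for the emulated ECP after a single SP, which is the lost SSO benefit described above. The InResponseTo/Destination checks in `consume_response` are the minimum an SP should do on a delivered Response even in this simplified model.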
