
saml-dev message



Subject: Re: [saml-dev] Question: SSO and ECP profiles sharing the same URL.




Dave Tessman wrote on 1/4/2005, 12:05 AM:

> If I have a SAML 2.0 protected resource located at a particular URL, how does a Service Provider know that the requestor of the resource is using the Web SSO Binding or the ECP Binding?  Must they be at separate URLs or is there some mechanism (HTTP header values?) such that an ECP can let the Service Provider know that it is more than a browser?

Just a nit, but there's no such thing as a "SAML 2.0 protected resource"; there are protected resources and there are SAML 2.0 profiles that are used to identify the requestor and determine if they can have access to the resource.

On to your question:  No separate URLs are necessary.  When an ECP submits a request to the SP, it places headers in the request that indicate to the SP that it supports the ECP profile (essentially a PAOS header which includes a service value of "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp").

So the SP can see that the ECP is there and behave accordingly (if it chooses to).

Note that the ECP does not *know* that there is a protected resource there, it just places that header into each request to the SP and the SP says, "ah...this resource is protected so I need more information" and starts looking for a way to identify the caller.

Conor
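
The SP-side decision described in the reply above, as an added example that is not part of the original message or of any SP product: one URL, with the profile chosen from the request headers. The function names are hypothetical; the PAOS version string and the `application/vnd.paos+xml` Accept requirement come from the SAML 2.0 ECP profile rather than from the message, and the header layout parsed here is an assumption noted in the code.

```python
import re

ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"  # value quoted in the message
PAOS_VERSION = "urn:liberty:paos:2003-08"    # from the SAML 2.0 ECP profile
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"  # from the SAML 2.0 ECP profile
_QUOTED = re.compile(r'"([^"]*)"')


def parse_paos(value):
    """Split a PAOS header into (versions, {service: [options]}).

    Assumed layout: ver="v1","v2" ; "service","option",... ; "service2"
    """
    groups = [g.strip() for g in value.split(";")]
    if not groups[0].lower().startswith("ver="):
        return set(), {}
    versions = set(_QUOTED.findall(groups[0]))
    services = {}
    for group in groups[1:]:
        tokens = _QUOTED.findall(group)
        if tokens:  # first quoted token names the service, the rest are its options
            services[tokens[0]] = tokens[1:]
    return versions, services


def accepts_paos(accept):
    """True if the Accept header lists the PAOS media type with a non-zero q."""
    for item in accept.split(","):
        media, _, params = item.partition(";")
        if media.strip().lower() != PAOS_MEDIA_TYPE:
            continue
        q = re.search(r"q\s*=\s*(\d(?:\.\d{0,3})?)", params)
        if q is None or float(q.group(1)) > 0:
            return True
    return False


def choose_profile(headers):
    """Pick the SSO profile for an unauthenticated request to a protected URL."""
    h = {name.lower(): value for name, value in headers.items()}
    versions, services = parse_paos(h.get("paos", ""))
    if (PAOS_VERSION in versions and ECP_SERVICE in services
            and accepts_paos(h.get("accept", ""))):
        return "ecp"      # answer with a PAOS/SOAP-wrapped AuthnRequest
    return "web-sso"      # plain browser: redirect or POST to the IdP


# Constructed sample requests, not captured traffic.
ECP_CLIENT = {"Accept": "text/html, application/vnd.paos+xml",
              "PAOS": f'ver="{PAOS_VERSION}";"{ECP_SERVICE}"'}
BROWSER = {"Accept": "text/html,application/xhtml+xml"}
```

These headers are capability hints set by the client; they only select which profile the SP starts, and access still depends on the assertion the SP validates afterwards.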

