I have the following questions regarding Enhanced Client and
Proxy support.
- Are unsolicited responses supported for ECP? Web
SSO specifically discusses them (SAML Profiles, section 4.1.5), but the ECP
profile does not mention them aside from a single sentence in 4.2.3.7.
It is also unclear whether both HTTP GET and POST requests need to be
supported for an unsolicited response if it is in fact supported (most ECP
requests must be done using POST since a SOAP message is being sent, but
an unsolicited response could be handled with a GET – the question
is whether a POST also needs to be supported).
- SAML Profiles, section 4.2.3.4 (ECP issues
<AuthnRequest> to Identity Provider) states “…identity
provider MAY respond to the ECP’s HTTP request with an HTTP response
containing, for example, an HTML login form…”. It
further states “A sequence of HTTP exchanges MAY take place, but
ultimately the identity provider MUST complete the SAML SOAP exchange and
return a SAML response via the SOAP binding.” Can it be
assumed that the ECP MUST retain a copy of the HTTP request (SOAP message
containing the <AuthnRequest>) to be resent to the identity provider
in the event that an HTTP response requesting authentication has been
received by the ECP? There is not much definition regarding the
requirements and behavior of an enhanced client in this area, and if the
identity provider needs to redirect the ECP to an authentication URL the
posted SOAP message cannot be included in the redirect.
Thank you.
-Mark