Subject: SSO Integration between desktop and web apps
The basic use case is that a user is running a desktop app, and authenticated. They then, say, push a button and this launches a browser. The browser hits an SP and is, somehow, already authenticated and information merrily flows from there.

Is the Enhanced Client or Proxy (ECP) Profile best used for this? Is there something else? Looking at the ECP I can see this scenario.

1. The desktop app (the client) makes a request for a protected resource, using a simple HTTP request.
2. The SP detects the PAOS signature in the HTTP headers, and returns a normal AuthRequest, wrapped in a SOAP envelope.
3. The client extracts the AuthRequest from the SOAP envelope and calls an existing HTTP Redirect binding end point on the IdP.
4. The IdP detects PAOS, and replies with the AuthResponse in a SOAP envelope.
5. Finally, the client extracts from the SOAP envelope and packages the AuthResponse into an HTML Redirect Binding auto-submit form, copies this to a local file on the desktop, and instructs the browser to open the file. We may also put this in a server request to a client specific web server. The browser opens the file, renders the page and thereby submits the AuthResponse to the SP via the HTTP POST Binding.
6. The SP then sets up a session with the browser client (assuming everything has gone well), and things move along from there.

Is this a valid use case of ECP? Or simply an abuse of it?

To complicate this use case, the client is part of a 3rd party, so there's a federation issue. We were going to either trust the payloads from the client, or have the 3rd party authorize the request through a back channel request during authentication. We also have a provisioning exchange we need to do, but that'll be something ad hoc we come up with. But we're trying to make the basic exchange as standard and profile compliant as we can on the remote hope that it's going to give us some interoperability in the future with other 3rd parties.

Right now, as a starting point, we have an IdP and SP that support the v2 Web Profile with HTTP Redirect binding. If we really don't have a "standard" that we can leverage, we'll just contrive something on our own. Or should we consider OAuth? But just curious what other folks are doing to try and enable this kind of hand off.

Thank you.

Regards,
Will Hartung (email@example.com)
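The steps the post walks through map onto the SAML 2.0 ECP profile's PAOS exchange. The following is an added skeleton of that exchange, not code from the original post or from any particular SAML product: it builds the PAOS request headers the client sends (step 1), the SP's SOAP-wrapped AuthnRequest with its paos:Request header (step 2), the client's forwarding of that AuthnRequest to the IdP's SOAP binding endpoint, which is the endpoint the ECP profile defines for step 3, the IdP's SOAP-wrapped Response with its ecp:Response header (step 4), and the client's delivery of the Response to the SP's responseConsumerURL (step 5). Every URL, entity ID, request ID and subject name is constructed for the example, nothing is signed, and no network I/O happens; the messages are just built and parsed as strings. The part worth attention for a client implementer is in client_deliver_to_sp: before relaying the IdP's Response, the ECP profile requires the client to compare the IdP's AssertionConsumerServiceURL against the SP's responseConsumerURL and to send the SP a SOAP fault instead of the Response when they differ, which is what keeps a misbehaving SP from steering the assertion to an endpoint the IdP never approved.

```python
"""Skeleton of the SAML 2.0 ECP (PAOS) exchange. Constructed example:
no signatures, no network, all identifiers made up for illustration."""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

ECP_SERVICE = NS["ecp"]
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
PAOS_MIME = "application/vnd.paos+xml"


def q(prefix, local):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def _soap_header_block(header, prefix, local):
    el = ET.SubElement(header, q(prefix, local))
    el.set(q("S", "mustUnderstand"), "1")
    el.set(q("S", "actor"), SOAP_NEXT)
    return el


# Step 1: the client announces PAOS/ECP support on a plain HTTP GET.
def paos_request_headers():
    return {"Accept": "text/html; " + PAOS_MIME,
            "PAOS": 'ver="%s";"%s"' % (NS["paos"], ECP_SERVICE)}


# Step 2: the SP detects those headers and answers with a SOAP-wrapped AuthnRequest.
def sp_wants_ecp(headers):
    return PAOS_MIME in headers.get("Accept", "") and ECP_SERVICE in headers.get("PAOS", "")


def sp_build_authnrequest_envelope(sp_entity_id, acs_url, request_id):
    env = ET.Element(q("S", "Envelope"))
    header = ET.SubElement(env, q("S", "Header"))
    paos_req = _soap_header_block(header, "paos", "Request")
    paos_req.set("responseConsumerURL", acs_url)  # where the client must deliver the Response
    paos_req.set("service", ECP_SERVICE)
    ecp_req = _soap_header_block(header, "ecp", "Request")
    ET.SubElement(ecp_req, q("saml", "Issuer")).text = sp_entity_id
    authn = ET.SubElement(ET.SubElement(env, q("S", "Body")), q("samlp", "AuthnRequest"))
    authn.set("ID", request_id)
    authn.set("Version", "2.0")
    authn.set("AssertionConsumerServiceURL", acs_url)
    ET.SubElement(authn, q("saml", "Issuer")).text = sp_entity_id
    return ET.tostring(env, encoding="unicode")


# Step 3: the client strips the SP's SOAP headers, remembers responseConsumerURL,
# and forwards the bare AuthnRequest to the IdP's SOAP endpoint.
def client_forward_to_idp(sp_envelope_xml):
    env = ET.fromstring(sp_envelope_xml)
    paos_req = env.find("S:Header/paos:Request", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not an ECP AuthnRequest envelope")
    idp_env = ET.Element(q("S", "Envelope"))
    ET.SubElement(idp_env, q("S", "Body")).append(authn)
    return paos_req.get("responseConsumerURL"), ET.tostring(idp_env, encoding="unicode")


# Step 4: the IdP (after authenticating the user, elided here) returns a Response
# plus an ecp:Response header naming the ACS URL it believes the SP owns.
def idp_build_response_envelope(client_envelope_xml, idp_entity_id, subject):
    authn = ET.fromstring(client_envelope_xml).find("S:Body/samlp:AuthnRequest", NS)
    acs_url = authn.get("AssertionConsumerServiceURL")  # a real IdP checks this against SP metadata
    out = ET.Element(q("S", "Envelope"))
    ecp_resp = _soap_header_block(ET.SubElement(out, q("S", "Header")), "ecp", "Response")
    ecp_resp.set("AssertionConsumerServiceURL", acs_url)
    resp = ET.SubElement(ET.SubElement(out, q("S", "Body")), q("samlp", "Response"))
    resp.set("ID", "_resp-" + authn.get("ID"))
    resp.set("InResponseTo", authn.get("ID"))
    resp.set("Version", "2.0")
    resp.set("Destination", acs_url)
    ET.SubElement(resp, q("saml", "Issuer")).text = idp_entity_id
    subj = ET.SubElement(ET.SubElement(resp, q("saml", "Assertion")), q("saml", "Subject"))
    ET.SubElement(subj, q("saml", "NameID")).text = subject  # unsigned: illustration only
    return ET.tostring(out, encoding="unicode")


def soap_fault(text):
    env = ET.Element(q("S", "Envelope"))
    fault = ET.SubElement(ET.SubElement(env, q("S", "Body")), q("S", "Fault"))
    ET.SubElement(fault, "faultcode").text = "S:Client"
    ET.SubElement(fault, "faultstring").text = text
    return ET.tostring(env, encoding="unicode")


# Step 5: the client compares the two ACS URLs, then POSTs the Response (with a
# paos:Response header) to responseConsumerURL, or a SOAP fault on mismatch.
def client_deliver_to_sp(idp_envelope_xml, response_consumer_url):
    env = ET.fromstring(idp_envelope_xml)
    ecp_resp = env.find("S:Header/ecp:Response", NS)
    saml_resp = env.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise ValueError("IdP envelope is not an ECP Response")
    post = {"url": response_consumer_url, "headers": {"Content-Type": PAOS_MIME}}
    if ecp_resp.get("AssertionConsumerServiceURL") != response_consumer_url:
        post.update(ok=False, body=soap_fault("AssertionConsumerServiceURL mismatch"))
        return post
    out = ET.Element(q("S", "Envelope"))
    _soap_header_block(ET.SubElement(out, q("S", "Header")), "paos", "Response")
    ET.SubElement(out, q("S", "Body")).append(saml_resp)
    post.update(ok=True, body=ET.tostring(out, encoding="unicode"))
    return post
```

In the profile itself, step 5 is the client POSTing this PAOS envelope straight to responseConsumerURL over its own HTTP connection; the post's variant of writing an auto-submit form to a local file for a separate browser to send is a different delivery path that this skeleton does not model. Whatever the delivery path, the URL comparison before relaying is the check a client should not skip.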