
saml-dev message


Subject: SSO Integration between desktop and web apps

The basic use case is that a user is running a desktop app, and authenticated.

They then, say, push a button and this launches a browser. The browser
hits an SP and is, somehow, already authenticated and information
merrily flows from there.

Is the Enhanced Client or Proxy (ECP) Profile best used for this? Is
there something else?

Looking at the ECP I can see this scenario.

1. The desktop app (the client) makes a request for a protected
resource, using a simple HTTP request.

2. The SP detects the PAOS signature in the HTTP headers, and returns
a normal AuthRequest, wrapped in a SOAP envelope.

3. The client extracts the AuthRequest from the SOAP envelope and calls
an existing HTTP Redirect binding end point on the IdP.

4. The IdP detects PAOS, and replies with the AuthResponse in a SOAP envelope.

5. Finally, the client extracts from the SOAP envelope and packages
the AuthResponse into an HTML Redirect Binding auto-submit form,
copies this to a local file on the desktop, and instructs the browser
to open the file. We may also put this in a server request to a client
specific web server. The browser opens the file, renders the page and
thereby submits the AuthResponse to the SP via the HTTP POST Binding.

6. The SP then sets up a session with the browser client (assuming
everything has gone well), and things move along from there.

Is this a valid use case of ECP? Or simply an abuse of it?

To complicate this use case, the client is part of a 3rd party, so
there's a federation issue. We were going to either trust the payloads
from the client, or have the 3rd party authorize the request through a
back channel request during authentication.

We also have a provisioning exchange we need to do, but that'll be
something ad hoc we come up with.

But we're trying to make the basic exchange as standard and profile
compliant as we can on the remote hope that it's going to give us some
interoperability in the future with other 3rd parties.

Right now, as a starting point, we have an IdP and SP that support the
v2 Web Profile with HTTP Redirect binding. If we really don't have a
"standard" that we can leverage, we'll just contrive something on our

Or should we consider OAuth?

But just curious what other folks are doing to try and enable this
kind of hand off.

Thank you.


Will Hartung

CONFIDENTIALITY NOTICE: The information contained in this electronic 
transmission may be confidential. If you are not an intended recipient, be 
aware that any disclosure, copying, distribution or use of the information 
contained in this transmission is prohibited and may be unlawful. If you 
have received this transmission in error, please notify us by email reply 
and then erase it from your computer system.
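The ECP exchange sketched in steps 1 to 5 of the message above, as an added example that is not part of the original post or of any SAML implementation: the PAOS headers the client sends, the SP-side check for them, extraction of the SAML message from the SOAP Body, and the HTTP-POST auto-submit page handed to the browser. The header values and namespaces are the ones defined by the SAML 2.0 ECP profile and the PAOS binding; the sample envelope, the action URL and the response bytes are constructed.

```python
import html
from xml.etree import ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_VER = "urn:liberty:paos:2003-08"

def paos_headers():
    """Step 1: headers the client adds so the SP can tell it from a browser."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": f'ver="{PAOS_VER}";"{ECP_SERVICE}"'}

def is_paos_request(headers):
    """Step 2, SP side: require both headers; one alone is not an ECP request."""
    return ("application/vnd.paos+xml" in headers.get("Accept", "")
            and ECP_SERVICE in headers.get("PAOS", ""))

def extract_saml_from_soap(envelope_xml):
    """Steps 3 and 5: take the SAML message out of the SOAP Body.
    Returns (local tag, ID attribute, serialized element); rejects
    envelopes whose Body carries anything but a SAML protocol element."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("SOAP envelope has no Body payload")
    msg = body[0]
    if not msg.tag.startswith(f"{{{SAMLP_NS}}}"):
        raise ValueError(f"unexpected Body payload {msg.tag}")
    return msg.tag.split("}")[1], msg.get("ID"), ET.tostring(msg, encoding="unicode")

def build_post_form(action_url, saml_response_b64, relay_state=None):
    """Step 5: HTTP-POST binding auto-submit page handed to the browser.
    Values are HTML-escaped: the page is rendered from a local file, so
    an unescaped RelayState would be interpreted as markup."""
    fields = {"SAMLResponse": saml_response_b64}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    inputs = "".join(f'<input type="hidden" name="{k}" value="{html.escape(v)}"/>'
                     for k, v in fields.items())
    return ('<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(action_url)}">{inputs}'
            '<noscript><input type="submit"/></noscript></form></body></html>')

# Constructed sample of the SP's step-2 reply (SOAP-wrapped AuthnRequest).
SAMPLE_ENVELOPE = f"""<S:Envelope xmlns:S="{SOAP_NS}"><S:Header/><S:Body>
<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_req1" Version="2.0"
 IssueInstant="2010-01-01T00:00:00Z"/></S:Body></S:Envelope>"""
```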
