
saml-dev message



Subject: Re: [saml-dev] SSO Integration between desk top and web apps


On 12/10/12 8:07 PM, "Will Hartung" <willh@mirthcorp.com> wrote:

>Is the Enhanced Client or Proxy (ECP) Profile best used for this? Is
>there something else?

Yeah, I would say Kerberos and SPNEGO are an obvious candidate.

>Looking at the ECP I can see this scenario.

>5. Finally, the client extracts from the SOAP envelope and packages
>the AuthResponse into an HTML Redirect Binding auto-submit form,

That's not ECP, that's something you just made up. ECP is a SOAP request
back to the SP, not an HTML form.

>Is this a valid use case of ECP? Or simply an abuse of it?

Neither, it's invented by you on the spot. It's 3/4 ECP, 1/4 Browser SSO,
I guess.

Some SPs wouldn't know the difference, it would depend on the
implementation.

>To complicate this use case, the client is part of a 3rd party, so
>there's a federation issue. We were going to either trust the payloads
>from the client, or have the 3rd party authorize the request through a
>back channel request during authentication.

I don't know what that means.

>Or should we consider OAuth?

I have no doubt you can manufacture something with OAuth. I think it will
be as standard a flow as anything in SAML, which is to say, not.


>But just curious what other folks are doing to try and enable this
>kind of hand off.

I definitely know of sites that use Kerberos.

-- Scott



