OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] ECP clarifications

On 6/29/15, 10:42 AM, "John Dennis" <jdennis@redhat.com> wrote:

>I'd like to get a couple of clarifications on the ECP protocol.
>* What is the meaning of IsPassive in the context of ECP?

Same as in the browser case, it's a constraint on the UI. The only difference is that the constraint is normally something applied to the client, rather than a web server that's driving the UI.

>With the more familiar Web SSO profiles IsPassive is supposed to control 
>whether the IdP can interact with the user agent. But with ECP there is 
>no user agent for the IdP to engage with.

Sure there is. It's just a more capable one. "User agent" in HTTP is the client. It doesn't mean browser.

> In addition the IsPassive flag 
>is set by the SP when initiating it's request to the ECP client which 
>implies it is the SP who is determining whether the authentication may 
>be interactive or not.

It's always the SP dictating that, in both profiles, though in ECP the client has its own autonomy in that regard too.

> But with ECP it is not intended there is a 
>request/response interchange between the IdP and the SP.

No, it is fully intended.

>Is the IsPassive flag in the SAML AuthnRequest to be interpreted
>independently of the ECP Request IsPassive flag and if so how and why?

It is not independent, it's a copy. I see what you're really asking is what the IdP is supposed to do with it, and in most cases the answer is probably nothing, but there are few constraints on the client/IdP part of the profile, so it's there in both places in case both parties to that exchange need to know about it.

>Is it intended the values be an exact copy between the ECP Request and
>the AuthnRequest?

I don't know if it's 100% required by the profile, but I'd honestly have to read it again. It's certainly intended that they be the same, yes.

>Are they repeated in the ECP Request for the sole convenience of the ECP 
>client such that it does not have to also parse the AuthnRequest to 
>obtain them?


-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]