
security-services message


Subject: RE: [security-services] ECP

> Hi, I have a question related to ECP. Are the protected 
> resources that the ECP accesses initially, defined in any 
> standard manner (e.g., they have to be the same as any other 
> resource on an SP accessible via other SAML profiles) -- or 
> is this strictly up to the SP (e.g., certain resources at 
> the SP are meant to be accessed by ECP clients, while other, 
> different, resources are meant to be accessed by a SAML web 
> sso client)?
> I assume it's the latter from reading the spec. 

I think it's up to the SP, but there's no requirement that they be
different. The motivation partly is to support a richer client accessing the
same HTML/etc. resources, since any other form of content is relatively
non-existent apart from maybe RSS feeds.

The HTTP headers signal ECP support to the SP so it can decide whether to
respond with SOAP as a challenge.

The trickier bit in my mind is how to handle the authn challenge at the IdP,
since it's relatively unspecified, but I got the general idea that a lot of
the current ECP deployments were bundled with particular IdPs (could be

-- Scott
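
The header-based signalling mentioned in the reply above, as an added example that is not part of the original message or of any particular SP's code: a sketch of how an SP could decide between a PAOS/SOAP challenge and ordinary browser SSO for the same resource. The media type, PAOS version and service URIs are the ones the SAML 2.0 ECP profile requires (they do not appear in this thread); the function names, the return labels and the simplified PAOS header parsing are assumptions.

```python
# Added example: SP-side detection of an ECP-capable client from HTTP headers.
# Function names and return labels are hypothetical; parsing is simplified.
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
PAOS_VERSION = "urn:liberty:paos:2003-08"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"


def _accepts_paos(accept):
    """True if the Accept header lists the PAOS media type with q > 0."""
    for item in accept.split(","):
        parts = [p.strip() for p in item.split(";")]
        if parts[0].lower() != PAOS_MEDIA_TYPE:
            continue
        q = 1.0
        for p in parts[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0  # malformed weight: treat as not acceptable
        if q > 0:
            return True
    return False


def _parse_paos(value):
    """Split a PAOS header into (versions, services); options are ignored."""
    versions, services = set(), set()
    for seg in (s.strip() for s in value.split(";")):
        if not seg:
            continue
        tokens = [t.strip() for t in seg.split(",")]
        if tokens[0].startswith("ver="):
            versions.update(t[4:].strip('"') for t in tokens if t.startswith("ver="))
        else:
            services.add(tokens[0].strip('"'))
    return versions, services


def client_supports_ecp(headers):
    """Require both signals: the Accept media type and the PAOS header."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not _accepts_paos(h.get("accept", "")):
        return False
    versions, services = _parse_paos(h.get("paos", ""))
    return PAOS_VERSION in versions and ECP_SERVICE in services


def choose_challenge(headers):
    """Same protected resource, two possible authentication challenges."""
    return "paos-soap" if client_supports_ecp(headers) else "browser-sso"
```

Requiring both headers keeps an ordinary browser that happens to send a permissive `Accept` value on the normal web SSO path.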
