RE: [security-services] ECP

[Thomas Wisniewski <Thomas.Wisniewski@entrust.com>]

Title: RE: [security-services] ECP

Scott, thanks.

The main issue I'm struggling with is conformance support. I.e., if we decide not to support any ECP clients and wish to be a compliant IDP and SP, this is not possible. Am I reading the conformance spec correctly? I.e., if we only supported standard web browser clients that can use either our SP or IDP, the conformance spec mandates that will are still required to support ECP requests. It seems like just rejecting the request at the SP with an appropriate soap (paos?) error is not what's meant by the conformance requirement.

Tom.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, March 02, 2005 2:35 PM
To: 'Thomas Wisniewski'; 'SAML'
Subject: RE: [security-services] ECP

> Hi, I have a question related to ECP. Are the protected
> resources that the ECP accesses initially, defined in any
> standard manner (e.g., they have to be the same as any other
> resource on an SP accessible via other SAML profiles) -- or
> is this strictly up to the SP (e.g., certains resources at
> the SP are meant to be accessed by ECP clients, while other,
> different, resources are meant to be accessed by a saml web
> sso client)?
>
> I assume it's the latter from reading the spec.

I think it's up to the SP, but there's no requirement that they be
different. The motivation partly is to support a richer client accessing the
same HTML/etc. resources, since any other form of content is relatively
non-existent apart from maybe RSS feeds.

The HTTP headers signal ECP support to the SP so it can decide whether to
respond with SOAP as a challenge.

The trickier bit in my mind is how to handle the authn challenge at the IdP,
since it's relatively unspecified, but I got the general idea that a lot of
the current ECP deployments were bundled with particular IdPs (could be
wrong).

-- Scott