Subject: RE: [security-services] ECP


The PEP itself MIGHT be ECP-aware, but IMO it should not HAVE to be
ECP-aware.  In the example I was describing, I'd like to have my COTS
WAM product (e.g. RSA ClearTrust :-)) protecting web server resources
for any type of HTTP-based web access. These PEPs typically have a web
agent that intercepts requests for resources and requires the user to be
logged in or they don't get through. If not logged in, they typically
redirect the user to the WAM product's local logon service.  To
SAML-enable such an environment, I would like to just configure this PEP
to send the clients to an ECP-aware SAML logon service instead of the
local logon service. In our case, we do this through simple
configuration options. This means we don't have to directly SAML-enable
or ECP-enable the PEP itself.  If the SAML logon service detects a
standard browser client, then it would take care of IDP selection and
starting the standard Web SSO browser profile. If it detects an ECP
client, it jumps into the ECP profile logic.

I agree with Scott that it's the client's responsibility to continue
passing the PAOS header info wherever the client goes or gets sent.

As long as the PEP can just ignore a PAOS header if it receives one from
a client (i.e. it doesn't reject the client), then these existing PEPs
can be integrated with SAML environments.

At least in the Web Access Management (WAM) arena, that's how we see
this working.

Now, of course, we've not yet actually had access to a real live ECP
client to try this stuff out... so if any of those client developers are
out there, please pipe in here...

Rob Philpott
Senior Consulting Engineer 
RSA Security Inc. 
Tel: 781-515-7115 
Mobile: 617-510-0893 
Fax: 781-515-7020 
mailto:rphilpott@rsasecurity.com


> -----Original Message-----
> From: Scott Cantor [mailto:scantor@wideopenwest.com]
> Sent: Wednesday, March 02, 2005 9:08 PM
> To: 'Thomas Wisniewski'; Philpott, Robert
> Cc: 'SAML'
> Subject: RE: [security-services] ECP
> 
> > Assuming an http redirection, does the PEP, in your
> > discussion below, need to somehow pass or preserve the HTTP
> > header defining "PAOS: ..., etc", or is it the responsibility
> > of the ECP to resend them as part of the redirection? To put
> > it another way, does the PEP need to be ECP-aware?
> 
> I think it's the client's responsibility, as it's the PAOS-enabled
> device.
> We should ask one of the client developers, but I bet their devices
> just
> always send the header if they're configured to support the service.
> 
> -- Scott
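As an added illustration (not code from this thread, from RSA, or from any ECP client), here is how the SAML logon service Rob describes could tell an ECP client from a plain browser and branch accordingly. It keys on the two signals the SAML 2.0 ECP profile defines for the client's first request: an Accept header listing application/vnd.paos+xml and a PAOS header carrying the PAOS version and the ECP service URI. The header names and URI values are the spec's; the function names and the sample requests are constructed for this example.

```python
import re

# Values defined by the SAML 2.0 ECP profile / Liberty PAOS binding.
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
PAOS_VERSION = "urn:liberty:paos:2003-08"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

_QUOTED = re.compile(r'"([^"]*)"')


def parse_paos_header(value):
    """Split a PAOS header into (versions, services).

    Expected shape: ver="v1","v2"; "service-uri-1"; "service-uri-2"
    Unknown or malformed parts are ignored rather than rejected, so a
    PEP that merely passes this header along never has to understand it.
    """
    versions, services = set(), set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if part.lower().startswith("ver="):
            versions.update(_QUOTED.findall(part[4:]))
        else:
            services.update(_QUOTED.findall(part))
    return versions, services


def accepts_paos(accept_value):
    """True if any media range in Accept is the PAOS type (q-params ignored)."""
    for item in accept_value.split(","):
        media = item.split(";", 1)[0].strip().lower()
        if media == PAOS_MEDIA_TYPE:
            return True
    return False


def classify_client(headers):
    """Return 'ecp' only when BOTH ECP signals are present, else 'browser'.

    Requiring both avoids mis-routing a browser that happens to advertise
    the PAOS media type, and a missing/garbled PAOS header falls back to the
    ordinary Web SSO browser profile, so nothing is rejected outright.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not accepts_paos(h.get("accept", "")):
        return "browser"
    versions, services = parse_paos_header(h.get("paos", ""))
    if PAOS_VERSION in versions and ECP_SERVICE in services:
        return "ecp"
    return "browser"
```

The logon service would then run the ECP profile for an "ecp" result and IdP discovery plus the Web SSO browser profile for "browser"; the PEP in front of it never needs to inspect either header.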