ECP SSO Profile and Metadata

[Thomas Wisniewski <Thomas.Wisniewski@entrust.com>]

Title: Message

Hi, I just wanted to confirm the following from someone:

 

1. When the ECP talks to the IDP, the IDP SSP Descriptor metadata setting it would use would be the Single Sign-On Service endpoint with a binding of urn:...:SOAP.

 

2. When an SP publishes its metadata, what is the binding of the Assertion Consumer Service endpoint that is used by ECP callers. I.e., is it urn:...:SOAP or is it urn:...PAOS? Since the IDP doesn't really care/know about ECP, I assume the value should be urn:...:SOAP?

 

3. When the IDP is sending back a response to the ECP,  it should only ever be sending this back to an Assertion Consumer Service whose endpoint is SOAP/PAOS (as answered in 2 above)? I.e., for a SOAP binding based AuthnRequest, the assertion consumer url that gets identified (whether by the AuthnRequest data such as AssertionConsumerServiceURL, AssertionConsumerServiceIndex, ProtocolBinding,   or whether by the  IDP using the default endpoint for this service) must have a binding of SOAP/PAOS for things to work.

 

4. I assume the ECP examples related to xxxConsumerURL in [SAMLProf] should probably be fixed so that they correlate. I.e., the SP is sending a value of http://identity-service.example.com/abc whereas this should be the assertion consumer url that the IDP defines in the ecp:Response AssertionConsumerServiceURL?

 

Thanks, Tom.

Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
 
EntrustÒ
Securing Digital Identities
& Information