shibboleth-dev - RE: [Shib-Dev] ECP-IdP interaction
Subject: Shibboleth Developers
List archive
- From: "Cantor, Scott E." <>
- To: "" <>
- Subject: RE: [Shib-Dev] ECP-IdP interaction
- Date: Wed, 16 Mar 2011 22:32:35 +0000
- Accept-language: en-US
> a) I read through the ECP profile in the SAMl2 profiles document and do not
> understand how to authenticate the principal with the IdP.
The only supported mechanism with the extension right now is HTTP basic
authentication. You have to configure the web server to handle that in front
of the relevant URL within the IdP, and get REMOTE_USER set.
> My ECP client is a front for web services that send
> the credentials in basic auth headers.
I don't know what that means, but I'm not sure it matters.
> What I do not understand from the lines 814-818, lines 876-886 and lines
> 1089-1094
> is how do I convey the credentials from the basic auth headers to the IdP
> as a part
> of the ECP-IdP dispatch of the SP-issued AuthnResponse.
Request, not Response. You do it with basic authentication, like any other
case. Your HTTP client has to have support for that. They all do. The SOAP
envelope is transmitted in the body of the HTTP POST and the credentials have
to be in the usual HTTP headers.
> b) Once the ECP client obtains the assertion from the IdP
Response, not Assertion. You do not deal with assertions. This matters,
because you'll get it wrong if you don't understand the difference.
> and the ECP client has identified the
> assertion consumer URL from SP's original message (lines 1052-1056), with
And cross-checked it against the header from the IdP. If you get that wrong,
you are also in trouble.
> what protocol (HTTP-GET or PUT) do I convey the
> assertion to the SP and obtain the SP-specific session token?
PAOS messages are bound to HTTP in the same way any other use is, so the
method is a POST.
-- Scott
- [Shib-Dev] ECP-IdP interaction, Kobe, 03/16/2011
- Re: [Shib-Dev] ECP-IdP interaction, Scott Lowery, 03/16/2011
- RE: [Shib-Dev] ECP-IdP interaction, Cantor, Scott E., 03/16/2011
Archive powered by MHonArc 2.6.16.