shibboleth-dev - RE: [Shib-Dev] ECP-IdP interaction

Subject: Shibboleth Developers

  • From: "Cantor, Scott E."
  • Subject: RE: [Shib-Dev] ECP-IdP interaction
  • Date: Wed, 16 Mar 2011 22:32:35 +0000
  • Accept-language: en-US

> a) I read through the ECP profile in the SAML2 profiles document and do not
> understand how to authenticate the principal with the IdP.

The only supported mechanism with the extension right now is HTTP basic
authentication. You have to configure the web server to handle that in front
of the relevant URL within the IdP, and get REMOTE_USER set.

> My ECP client is a front for web services that send
> the credentials in basic auth headers.

I don't know what that means, but I'm not sure it matters.

> What I do not understand from the lines 814-818, lines 876-886 and lines
> 1089-1094 is how do I convey the credentials from the basic auth headers to
> the IdP as a part of the ECP-IdP dispatch of the SP-issued AuthnResponse.

Request, not Response. You do it with basic authentication, like any other
case. Your HTTP client has to have support for that. They all do. The SOAP
envelope is transmitted in the body of the HTTP POST and the credentials have
to be in the usual HTTP headers.

> b) Once the ECP client obtains the assertion from the IdP

Response, not Assertion. You do not deal with assertions. This matters,
because you'll get it wrong if you don't understand the difference.

> and the ECP client has identified the
> assertion consumer URL from SP's original message (lines 1052-1056), with

And cross-checked it against the header from the IdP. If you get that wrong,
you are also in trouble.

> what protocol (HTTP-GET or PUT) do I convey the
> assertion to the SP and obtain the SP-specific session token?

PAOS messages are bound to HTTP in the same way any other use is, so the
method is a POST.

-- Scott
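As an added illustration of the client-side steps Scott describes (not code from the thread or from the Shibboleth project), the following Python shows an ECP client cross-checking the SP's responseConsumerURL against the IdP's ecp:Response header before building the PAOS envelope it POSTs to the SP. The SOAP envelopes and the URL are constructed and heavily abbreviated; the IdP leg (an HTTP POST of the SP's envelope with basic-auth headers) is assumed to have already happened.

```python
# Added example (not from the thread or the Shibboleth code base): the ECP
# client's ACS cross-check, then the PAOS response it POSTs to the SP.
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

ACS = "https://sp.example.org/Shibboleth.sso/SAML2/ECP"  # constructed URL

# Constructed SP -> client PAOS request (the AuthnRequest body is a stub).
SP_ENVELOPE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}" xmlns:ecp="{NS['ecp']}">
 <S:Header>
  <paos:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      service="{NS['ecp']}" responseConsumerURL="{ACS}"/>
  <ecp:RelayState S:mustUnderstand="1"
      S:actor="http://schemas.xmlsoap.org/soap/actor/next">ss:mem:1234</ecp:RelayState>
 </S:Header>
 <S:Body><samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_r1" Version="2.0"
      IssueInstant="2011-03-16T22:00:00Z"/></S:Body>
</S:Envelope>"""

# Constructed IdP -> client envelope: ecp:Response header plus a stub samlp:Response.
IDP_ENVELOPE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:ecp="{NS['ecp']}">
 <S:Header>
  <ecp:Response S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      AssertionConsumerServiceURL="{ACS}"/>
 </S:Header>
 <S:Body><samlp:Response xmlns:samlp="{NS['samlp']}" ID="_p1" Version="2.0"
      IssueInstant="2011-03-16T22:00:01Z" InResponseTo="_r1" Destination="{ACS}"/></S:Body>
</S:Envelope>"""


def paos_response_for_sp(sp_xml, idp_xml):
    """Return (URL to POST to, envelope) for the client -> SP leg; raise on mismatch."""
    sp, idp = ET.fromstring(sp_xml), ET.fromstring(idp_xml)
    consumer = sp.find("S:Header/paos:Request", NS).get("responseConsumerURL")
    acs = idp.find("S:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")
    # The SP's responseConsumerURL and the IdP's AssertionConsumerServiceURL must
    # agree; on mismatch the client must not deliver the response to the SP.
    if consumer != acs:
        raise ValueError(f"ACS mismatch: SP asked for {consumer}, IdP returned {acs}")
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    header = ET.SubElement(env, f"{{{NS['S']}}}Header")
    header.append(sp.find("S:Header/ecp:RelayState", NS))  # echoed back unchanged
    env.append(idp.find("S:Body", NS))  # the samlp:Response passes through untouched
    return consumer, ET.tostring(env, encoding="unicode")
```

The returned envelope is what the client sends as the body of an HTTP POST to the returned URL; the ecp:Response header is consumed by the client and not forwarded.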
