1

Recently, I was going through a video here that talked about a SAML active profile, where the client directly gets a SAML token from an identity provider and then submits requests to the service provider using that token, instead of the usual WebSSO profile that has SP-initiated or IdP-initiated requests. Are there any good references about this kind of implementation? What is the formal name of this profile in the SAML specification?

Aritra
  • 1,234
  • 12
  • 20

1 Answer

3

Without having seen the video, I'd guess it talked about the Enhanced Client or Proxy (ECP) profile of SAML. This profile allows enhanced clients (e.g. a browser with embedded SAML-ECP capabilities) and reverse proxies (e.g. a proxy used by your mobile operator which is able to authenticate you with an IdP based on the SIM card you use) to communicate with the IdP using the SOAP protocol (using the Authentication Request protocol).

The binding used for this profile is PAOS. With PAOS, the service provider responds to an HTTP request with a SOAP message containing a SAML message, e.g. an AuthnRequest.

The user requests a resource by sending a standard HTTP request; the service provider requests authentication by sending back an AuthnRequest wrapped in a SOAP Envelope inside the HTTP response. The ECP then knows how to obtain a response from the IdP (again using SOAP) and pass it back to the service provider.

The ECP could also obtain a SAML Response before contacting the SP and provide it with the first HTTP request it sends.

You can find details in the saml2-profiles document. There are a few IdPs with support for this (e.g. OpenAM), and also some SPs (e.g. Spring SAML), but there are very few ECP-enabled clients available.

Vladimír Schäfer
  • 15,375
  • 2
  • 51
  • 71
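The three legs of the exchange the answer describes, as an added example that is not part of the original question or answer and is not code from OpenAM, Spring SAML or any other product: a minimal ECP client side over the PAOS binding, driven entirely with constructed SOAP envelopes so it runs offline. The hostnames, message IDs, timestamps and both envelopes are made up for the demo; a real IdP Response would carry a signed Assertion and real code would POST the envelopes over HTTPS. The one check shown beyond plain message plumbing is the comparison the ECP profile requires of the client before it forwards the IdP's response: the AssertionConsumerServiceURL the IdP asserts must equal the responseConsumerURL the SP named, otherwise the SP gets a SOAP fault and no SAML Response.

```python
# Added example, not code from the original Q&A: a minimal ECP (client side of the
# SAML ECP profile over the PAOS binding), driven with constructed envelopes so it
# runs offline. Endpoints, IDs and timestamps are made up for the demo.
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)

# 1. The two headers that turn an ordinary GET into an ECP request: a plain browser
#    would get a redirect, an ECP-aware client gets a PAOS SOAP envelope instead.
ECP_HTTP_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# 2. Constructed: the SP's HTTP response body (Content-Type application/vnd.paos+xml).
SP_PAOS_REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <S:Header>
    <paos:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      messageID="msg-1" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
      responseConsumerURL="https://sp.example.org/SAML2/ECP"/>
    <ecp:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false">
      <saml:Issuer>https://sp.example.org</saml:Issuer>
    </ecp:Request>
    <ecp:RelayState S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">/protected/page</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="req-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
      <saml:Issuer>https://sp.example.org</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""

# 3. Constructed: the IdP's SOAP reply. {acs} is filled in by the caller so a
#    mismatching one can be produced; a real Response would carry a signed Assertion.
IDP_RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <ecp:Response S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      AssertionConsumerServiceURL="{acs}"/>
  </S:Header>
  <S:Body>
    <samlp:Response ID="resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z"
      InResponseTo="req-1" Destination="{acs}">
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  </S:Body>
</S:Envelope>"""

def parse_sp_paos(xml_text):
    """What the ECP must remember from the SP's envelope before talking to the IdP."""
    env = ET.fromstring(xml_text)
    paos_req = env.find("S:Header/paos:Request", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not an ECP/PAOS request")
    relay = env.find("S:Header/ecp:RelayState", NS)
    return {
        "responseConsumerURL": paos_req.get("responseConsumerURL"),
        "messageID": paos_req.get("messageID"),
        "relayState": None if relay is None else relay.text,
        "authnRequest": authn,
    }

def build_idp_request(authn):
    """Envelope the ECP POSTs to the IdP's SOAP endpoint: the SP's AuthnRequest, no PAOS headers."""
    env = ET.Element(q("S", "Envelope"))
    ET.SubElement(env, q("S", "Header"))
    ET.SubElement(env, q("S", "Body")).append(authn)
    return ET.tostring(env, encoding="unicode")

def build_sp_paos_response(idp_xml, state):
    """Envelope the ECP POSTs to responseConsumerURL, or a SOAP fault.

    The profile makes the ECP compare the IdP-asserted AssertionConsumerServiceURL with
    the responseConsumerURL the SP named; on mismatch the ECP sends the SP a fault and
    does not deliver the SAML Response, so a response never lands at a URL the SP did
    not ask for.
    """
    idp_env = ET.fromstring(idp_xml)
    ecp_resp = idp_env.find("S:Header/ecp:Response", NS)
    acs = None if ecp_resp is None else ecp_resp.get("AssertionConsumerServiceURL")
    out = ET.Element(q("S", "Envelope"))
    hdr = ET.SubElement(out, q("S", "Header"))
    body = ET.SubElement(out, q("S", "Body"))
    if acs != state["responseConsumerURL"]:
        fault = ET.SubElement(body, q("S", "Fault"))
        ET.SubElement(fault, "faultcode").text = "S:Server"
        ET.SubElement(fault, "faultstring").text = "AssertionConsumerServiceURL does not match responseConsumerURL"
        return "fault", ET.tostring(out, encoding="unicode")
    must = {q("S", "mustUnderstand"): "1", q("S", "actor"): ACTOR}
    paos_resp = ET.SubElement(hdr, q("paos", "Response"), dict(must))
    if state["messageID"]:
        paos_resp.set("refToMessageID", state["messageID"])  # lets the SP tie it to its request
    if state["relayState"] is not None:
        ET.SubElement(hdr, q("ecp", "RelayState"), dict(must)).text = state["relayState"]
    body.append(idp_env.find("S:Body/samlp:Response", NS))
    return "response", ET.tostring(out, encoding="unicode")

def run_exchange(sp_xml=SP_PAOS_REQUEST, idp_xml=None):
    """Drive the three legs; returns what was sent each way plus the parsed state."""
    state = parse_sp_paos(sp_xml)
    to_idp = build_idp_request(state["authnRequest"])
    if idp_xml is None:  # honest IdP: echoes the SP's ACS URL
        idp_xml = IDP_RESPONSE.format(acs=state["responseConsumerURL"])
    kind, to_sp = build_sp_paos_response(idp_xml, state)
    return {"state": state, "to_idp": to_idp, "kind": kind, "to_sp": to_sp}

if __name__ == "__main__":
    result = run_exchange()
    print(result["kind"])
    print(result["to_sp"])
```

Running it prints `response` followed by the PAOS envelope the ECP would POST to https://sp.example.org/SAML2/ECP (paos:Response with refToMessageID, the echoed RelayState, and the IdP's samlp:Response in the body). Calling `run_exchange(idp_xml=IDP_RESPONSE.format(acs="https://other.example.net/ECP"))` exercises the mismatch path and yields a SOAP fault instead.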