Hi all,

As I mentioned in my previous email, I completed my research on the ECP
profile and started to implement it for WSO2 Identity Server.
For testing purposes I needed an ECP-enabled Service Provider and a
client. For that I used Shibboleth SP and a simple Bash client[1] provided
by Shibboleth.

I created a new Servlet called SAMLECPProviderServlet to capture the SOAP-bound
SAML authentication request sent by the Enhanced Client. The basic
auth credentials (username and password) were sent by the client to the IDP
in the HTTP request Authorization header. Using a request wrapper, the basic
auth credentials were set to the sectoken parameter, the SAML request was
extracted from the SOAP envelope and the new request was forwarded to the
SAMLSSOProviderServlet. Then the request could be processed in the way that the
Request Path Authenticator works. Inside the SAMLSSOServlet, for the
requests from the ECP clients a separate response was created where the
SAML response was enclosed in a SOAP envelope.

However, since the client is browserless, there is an issue in providing
user consent. When I disabled SSO Consent Management on the server and
tested the client, the client worked fine.
Now I am working on finding a way to obtain the user's consent without the
browser.

[1]
https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplebash

Thank you!
Winma


On Mon, Sep 3, 2018 at 10:57 PM Winma Heenatigala <wi...@wso2.com> wrote:

>
> Hi all,
>
> I am working on a project to implement SAML ECP profile for WSO2 IS.
> Here is a brief summary on my project progress.
>
> *Introduction*
> The Web Based SSO profile supports SSO for browser-based clients. In
> contrast, the SAML ECP (Enhanced Client or Proxy) profile supports SSO for
> non-browser-based clients such as desktop clients.
>
> *Progress*
> I researched existing IDPs that have the SAML ECP profile implemented. From
> my research results I found that Shibboleth is the best among the ECP-
> enabled IDPs. As the initial step of the project I downloaded an existing
> ECP client and connected it with Shibboleth to examine how the ECP client
> works.
>
> During the discussion held today, we discussed how the message flow
> happens in the ECP. During the meeting we verified that although the SP
> sends a set of IDPs in the Response message, the ECP actually chooses the
> IDP on its own and the client itself must validate whether the chosen IDP
> is one of the IDPs accepted by the SP. We also discussed the importance
> of having RelayState.
>
>
> The following documents were written on connecting the ECP client with
> Shibboleth.
>
> https://medium.com/@winma.15/installation-of-shibboleth-idp-in-ubuntu-3acc57075cad
>
> https://medium.com/@winma.15/shibboleth-sp-installation-in-ubuntu-d284b8d850da
>
> https://medium.com/@winma.15/connecting-ecp-with-shibboleth-using-wso2-identity-server-user-store-540f616ee968
>
> Thank you!
> Winma
>
>
> *Winma Heenatigala*
> *Trainee Software Engineer | WSO2*
>
> *Mobile     : +94719132444*
>

-- 

*Winma Heenatigala*
*Trainee Software Engineer | WSO2*

*Mobile     : +94719132444*
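The SOAP-bound exchange described in the latest message above (basic-auth credentials in the Authorization header, the AuthnRequest pulled out of the SOAP Body, and the SAML Response handed back inside a SOAP envelope with an ecp:Response header) as an added Python example; this is not WSO2 or Shibboleth code. The envelope, credentials and URLs are constructed sample values, and the IdP-side checks (bad header or missing AuthnRequest returns None) are the failure modes a browserless client cannot be prompted to fix.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
for prefix, uri in (("S", SOAP), ("samlp", SAMLP), ("ecp", ECP)):
    ET.register_namespace(prefix, uri)
# Constructed sample: the SOAP-bound AuthnRequest an ECP client forwards to the IdP.
SAMPLE_ENVELOPE = f"""<S:Envelope xmlns:S="{SOAP}"><S:Body>
<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed123" Version="2.0"
  IssueInstant="2018-09-10T10:00:00Z"
  AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest></S:Body></S:Envelope>"""

def parse_basic_auth(header):
    """Return (username, password) from an HTTP Basic Authorization header, or
    None when the header is missing or malformed, so a bad header fails closed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password

def extract_authn_request(soap_xml):
    """Return the samlp:AuthnRequest element from the SOAP Body, or None if the
    message is not a SOAP envelope or carries no AuthnRequest."""
    root = ET.fromstring(soap_xml)
    if root.tag != f"{{{SOAP}}}Envelope":
        return None
    body = root.find(f"{{{SOAP}}}Body")
    return None if body is None else body.find(f"{{{SAMLP}}}AuthnRequest")

def wrap_saml_response(response_xml, acs_url):
    """Wrap a SAML Response in a SOAP envelope. The ecp:Response header carries the
    AssertionConsumerServiceURL the client must compare with the SP's responseConsumerURL."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    ecp_hdr = ET.SubElement(header, f"{{{ECP}}}Response")
    ecp_hdr.set(f"{{{SOAP}}}mustUnderstand", "1")
    ecp_hdr.set(f"{{{SOAP}}}actor", "http://schemas.xmlsoap.org/soap/actor/next")
    ecp_hdr.set("AssertionConsumerServiceURL", acs_url)
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(response_xml))
    return ET.tostring(env, encoding="unicode")
```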
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
