On Fri, Sep 28, 2018 at 11:32 AM Winma Heenatigala <wi...@wso2.com> wrote:
> Hi all,
>
> As I mentioned in my previous email, I completed my research on the ECP
> profile and started to implement it for WSO2 identity server.
> For testing purposes I needed an ECP enabled Service Provider and a
> client. For that I used Shibboleth SP and a Simple Bash client[1] provided
> by Shibboleth.
>
> I created a new Servlet called SAMLECPProviderServlet to capture the
> SOAP-bound SAML authentication request sent by the Enhanced Client. The
> basic auth credentials (username and password) were sent by the client to
> the IDP in the HTTP request Authorization header. Using a request wrapper,
> basic auth credentials were set to the sectoken parameter, the SAML request
> was extracted from the SOAP envelope and the new request was forwarded to the
> SAMLSSOProviderServlet. Then the request could be processed in the way that the
> Request Path Authenticator works. Inside the SAMLSSOServlet, for the
> requests from the ECP clients a separate response was created where the
> SAML response was enclosed in a SOAP envelope.
>
> However, since the client is browserless there is an issue in providing
> user consents. When I disabled SSO Consent Management from the server and
> tested the client, the client worked fine.
> Now I am working on finding a way to give the user consents without the
> browser.
>

Currently, Identity Server does not support managing consents for non-browser-based authentications.

Thanks
Isura.

>
> [1]
> https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplebash
>
> Thank you!
> Winma
>
>
> On Mon, Sep 3, 2018 at 10:57 PM Winma Heenatigala <wi...@wso2.com> wrote:
>
>> Hi all,
>>
>> I am working on a project to implement SAML ECP profile for WSO2 IS.
>> Here is a brief summary on my project progress.
>>
>> *Introduction*
>> Web Based SSO profile supports for browser based clients to SSO. In
>> contrast SAML ECP (Enhanced Clients or Proxies) profile supports non-browser
>> based clients such as desktop clients to SSO.
>>
>> *Progress*
>> I researched existing IDPs that have SAML ECP profile implemented. From
>> my research results I found that Shibboleth is the best among the ECP
>> enabled IDPs. As the initial step to the project I downloaded an existing
>> ECP client and connected it with Shibboleth to examine how the ECP client
>> works.
>>
>> During the discussion held today, we discussed how the message flow
>> happens in the ECP. During the meeting we verified that although the SP
>> sends a set of IDPs in the Response message, the ECP actually chooses the
>> IDP on its own and the client itself must validate whether the chosen IDP
>> is one of the IDPs accepted by the SP. We also discussed the importance
>> of having RelayState.
>>
>>
>> The following documents were written on connecting the ECP client with
>> Shibboleth.
>>
>> https://medium.com/@winma.15/installation-of-shibboleth-idp-in-ubuntu-3acc57075cad
>>
>> https://medium.com/@winma.15/shibboleth-sp-installation-in-ubuntu-d284b8d850da
>>
>> https://medium.com/@winma.15/connecting-ecp-with-shibboleth-using-wso2-identity-server-user-store-540f616ee968
>>
>> Thank you!
>> Winma
>>
>>
>> *Winma Heenatigala*
>> *Trainee Software Engineer | WSO2*
>>
>> *Mobile : +94719132444*
>>
>
> --
>
> *Winma Heenatigala*
> *Trainee Software Engineer | WSO2*
>
> *Mobile : +94719132444*
>

--
*Isura Dilhara Karunaratne*
Associate Technical Lead | WSO2 <http://wso2.com/>
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : http://isurad.blogspot.com/
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
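
The client-side check discussed in the 3 September message (the chosen IDP must be one the SP accepts, and RelayState must be kept for the return trip), shown as an added example that is not part of the original thread and is not WSO2 or Shibboleth code. The function name, the sample envelope, the entity IDs and the RelayState value are constructed; treating an absent IDPList as "no restriction" is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample of the PAOS message an SP returns to the enhanced client.
SP_PAOS_RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <ecp:Request S:mustUnderstand="1">
      <samlp:IDPList>
        <samlp:IDPEntry ProviderID="https://idp.example.org/idp/shibboleth"/>
      </samlp:IDPList>
    </ecp:Request>
    <ecp:RelayState S:mustUnderstand="1">constructed-relay-state</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_constructed1" Version="2.0"/>
  </S:Body>
</S:Envelope>"""


def prepare_idp_request(paos_xml, chosen_idp):
    """Return (SOAP envelope for the IDP, RelayState) or raise ValueError."""
    # Untrusted XML: a production client should use a hardened parser.
    env = ET.fromstring(paos_xml)
    accepted = {e.get("ProviderID") for e in env.iterfind(
        "S:Header/ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)}
    # Assumption: an absent IDPList means the SP stated no restriction.
    if accepted and chosen_idp not in accepted:
        raise ValueError("chosen IDP is not in the SP's IDPList")
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if authn is None:
        raise ValueError("no AuthnRequest in SOAP body")
    # RelayState is held by the client and returned to the SP with the response.
    relay = env.findtext("S:Header/ecp:RelayState", namespaces=NS)
    # Forward only the AuthnRequest; the SP's ECP headers are not sent to the IDP.
    out = ET.Element("{%s}Envelope" % NS["S"])
    ET.SubElement(out, "{%s}Body" % NS["S"]).append(authn)
    return ET.tostring(out, encoding="unicode"), relay
```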