@IAM team <iam-gr...@wso2.com>, why don't we use the inbound framework for
this task? Then we don't need to register a new servlet, just write the
connector to process the SOAP message. The implementation will be much
simpler, and it will save the effort of writing JDBC logic for storing
properties, etc.

@Harsha Thirimanna <hars...@wso2.com> and @Pushpalanka Jayawardhana
<la...@wso2.com> did a similar implementation for a customer successfully.
Maybe we can get some pointers from it.

@Winma Heenatigala <wi...@wso2.com>, to overcome the consent issue, I think
we need a way to dynamically suppress the consent page. Maybe introduce a
new request attribute for this, which can only be set by other components by
calling the API (not by the HTTP request).

Regards,
Johann.

On Fri, Sep 28, 2018 at 11:32 AM Winma Heenatigala <wi...@wso2.com> wrote:

> Hi all,
>
> As I mentioned in my previous email, I completed my research on the ECP
> profile and started to implement it for WSO2 Identity Server.
> For testing purposes I needed an ECP-enabled Service Provider and a
> client. For that I used Shibboleth SP and a simple Bash client[1] provided
> by Shibboleth.
>
> I created a new Servlet called SAMLECPProviderServlet to capture the
> SOAP-bound SAML authentication request sent by the Enhanced Client. The
> basic auth credentials (username and password) were sent by the client to
> the IDP in the HTTP request Authorization header. Using a request wrapper,
> the basic auth credentials were set to the sectoken parameter, the SAML
> request was extracted from the SOAP envelope and the new request was
> forwarded to the SAMLSSOProviderServlet. Then the request could be processed
> in the way that the Request Path Authenticator works. Inside the
> SAMLSSOServlet, for the requests from the ECP clients a separate response
> was created where the SAML response was enclosed in a SOAP envelope.
>
> However, since the client is browserless, there is an issue in providing
> user consent. When I disabled SSO Consent Management on the server and
> tested the client, the client worked fine.
> Now I am working on finding a way to get the user's consent without the
> browser.
>
> [1]
> https://wiki.shibboleth.net/confluence/display/SHIB2/Contributions#Contributions-simplebash
>
> Thank you!
> Winma
>
>
> On Mon, Sep 3, 2018 at 10:57 PM Winma Heenatigala <wi...@wso2.com> wrote:
>
>>
>> Hi all,
>>
>> I am working on a project to implement SAML ECP profile for WSO2 IS.
>> Here is a brief summary on my project progress.
>>
>> *Introduction*
>> The Web Browser SSO profile supports SSO for browser-based clients. In
>> contrast, the SAML ECP (Enhanced Client or Proxy) profile supports SSO for
>> non-browser-based clients such as desktop clients.
>>
>> *Progress*
>> I researched existing IDPs that have the SAML ECP profile implemented. From
>> my research results I found that Shibboleth is the best among the
>> ECP-enabled IDPs. As the initial step of the project I downloaded an
>> existing ECP client and connected it with Shibboleth to examine how the
>> ECP client works.
>>
>> During the discussion held today, we discussed how the message flow
>> happens in ECP. During the meeting we verified that although the SP
>> sends a set of IDPs in the Response message, the ECP actually chooses the
>> IDP on its own and the client itself must validate whether the chosen IDP
>> is one of the IDPs accepted by the SP. We also discussed the importance
>> of having RelayState.
>>
>>
>> The following documents were written on connecting the ECP client with
>> Shibboleth.
>>
>> https://medium.com/@winma.15/installation-of-shibboleth-idp-in-ubuntu-3acc57075cad
>>
>> https://medium.com/@winma.15/shibboleth-sp-installation-in-ubuntu-d284b8d850da
>>
>> https://medium.com/@winma.15/connecting-ecp-with-shibboleth-using-wso2-identity-server-user-store-540f616ee968
>>
>> Thank you!
>> Winma
>>
>>
>> *Winma Heenatigala*
>> *Trainee Software Engineer | WSO2*
>>
>> *Mobile     : +94719132444*
>>
>>
>>
>>
>
> --
>
> *Winma Heenatigala*
> *Trainee Software Engineer | WSO2*
>
> *Mobile     : +94719132444*
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "WSO2 Engineering Group" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to engineering-group+unsubscr...@wso2.com.
> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>


-- 

*Johann Dilantha Nallathamby*
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware

Mobile: *+94 77 7776950*
LinkedIn: *http://www.linkedin.com/in/johann-nallathamby*
Medium: *https://medium.com/@johann_nallathamby*
Twitter: *@dj_nallaa*
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
