Hi all,

I am working on my project to implement the SAML ECP (Enhanced Client or Proxy)
profile for WSO2 Identity Server.

In contrast to SAML web-based SSO, the SAML ECP profile is related to
browserless clients. The following diagram shows how the message flow
happens.

For testing purposes I needed an ECP-enabled Service Provider and a client.
For that, I used Shibboleth SP and a simple Bash client [1] provided by
Shibboleth.

I created a new servlet called SAMLECPProviderServlet to capture the SOAP-bound
SAML authentication request sent by the enhanced client. The basic auth
credentials (username and password) were sent by the client to the IdP in the
HTTP request's Authorization header. Using a request wrapper, the basic auth
credentials were set as the sectoken parameter, the SAML request was extracted
from the SOAP envelope, and the new request was forwarded to the
SAMLSSOProviderServlet. Then the request could be processed in the way that the
Request Path Authenticator works. Inside the SAMLSSOServlet, for requests from
ECP clients, a separate response was created in which the SAML response was
enclosed in a SOAP envelope.

Since the client is browserless, there is an issue in providing user
consent. I am looking for a way that our Identity Server can use to get
consent from users without using the browser (using the Bash client).
Your valued suggestions are highly appreciated.

Thank you!

-- 

*Winma Heenatigala*
*Trainee Software Engineer | WSO2*

*Mobile     : +94719132444*
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
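The exchange described in the post, as an added example that is not part of the original message or of the WSO2 Identity Server code base: the SOAP envelope an enhanced client forwards to the IdP, the decoding of the HTTP Basic credentials, the extraction of the samlp:AuthnRequest from the SOAP Body, and the SOAP-wrapped samlp:Response going back. It also adds the client-side comparison of the IdP's ecp:Response AssertionConsumerServiceURL against the SP's responseConsumerURL, which the ECP profile requires of the client and the post does not discuss. Entity IDs, URLs, request IDs and the `authenticate` callback are placeholders; the Response is unsigned, which a real IdP must not do.

```python
# Added example, not from the post or WSO2 IS: SAML 2.0 ECP message shapes
# and the IdP-side handling. Stdlib only; XML signatures are omitted.
import base64
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)   # Clark-notation tag for ElementTree

def basic_auth_header(user, password):
    """What the Bash client sends: an HTTP Basic Authorization header."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")

def build_ecp_authn_request(request_id, sp_entity_id, acs_url):
    """Envelope the enhanced client forwards to the IdP. The client strips the
    SP's PAOS/ECP header blocks, so only the Body with the AuthnRequest remains."""
    env = ET.Element(q("soap", "Envelope"))
    body = ET.SubElement(env, q("soap", "Body"))
    authn = ET.SubElement(body, q("samlp", "AuthnRequest"), {
        "ID": request_id, "Version": "2.0", "IssueInstant": "2014-01-01T00:00:00Z",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(authn, q("saml", "Issuer")).text = sp_entity_id
    return ET.tostring(env)

def parse_basic_auth(header):
    """Decode 'Authorization: Basic <b64>' into (user, password). None for any
    other scheme, invalid base64, or a token without a 'user:' part."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def extract_authn_request(envelope):
    """IdP side: lift the samlp:AuthnRequest out of the SOAP Body; refuse
    anything that is not an Envelope holding exactly one AuthnRequest."""
    root = ET.fromstring(envelope)
    if root.tag != q("soap", "Envelope"):
        raise ValueError("not a SOAP envelope")
    found = root.findall("soap:Body/samlp:AuthnRequest", NS)
    if len(found) != 1:
        raise ValueError("expected exactly one AuthnRequest in the SOAP Body")
    return found[0]

def wrap_saml_response(response_id, in_response_to, idp_entity_id, acs_url):
    """IdP side: samlp:Response inside a SOAP envelope. The ecp:Response header
    carries the ACS URL the client must compare with the SP's responseConsumerURL."""
    env = ET.Element(q("soap", "Envelope"))
    header = ET.SubElement(env, q("soap", "Header"))
    ET.SubElement(header, q("ecp", "Response"), {
        q("soap", "mustUnderstand"): "1",
        q("soap", "actor"): "http://schemas.xmlsoap.org/soap/actor/next",
        "AssertionConsumerServiceURL": acs_url,
    })
    body = ET.SubElement(env, q("soap", "Body"))
    resp = ET.SubElement(body, q("samlp", "Response"), {
        "ID": response_id, "Version": "2.0", "IssueInstant": "2014-01-01T00:00:01Z",
        "InResponseTo": in_response_to, "Destination": acs_url,
    })
    ET.SubElement(resp, q("saml", "Issuer")).text = idp_entity_id
    status = ET.SubElement(resp, q("samlp", "Status"))
    ET.SubElement(status, q("samlp", "StatusCode"),
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    return ET.tostring(env)

def idp_handle_ecp(authorization, envelope, idp_entity_id, authenticate):
    """Condensed servlet flow from the post: Basic credentials become the
    authentication token, the AuthnRequest is pulled from the SOAP Body, and the
    answer is a SOAP-wrapped Response. `authenticate(user, password) -> bool`
    is a placeholder for the IdP's credential check. Returns (status, body)."""
    creds = parse_basic_auth(authorization)
    if creds is None or not authenticate(*creds):
        return 401, b""
    try:
        authn = extract_authn_request(envelope)
    except (ET.ParseError, ValueError):
        return 400, b""
    acs_url = authn.get("AssertionConsumerServiceURL")
    if not acs_url:
        return 400, b""
    return 200, wrap_saml_response("_resp1", authn.get("ID"), idp_entity_id, acs_url)

def client_check_acs(response_envelope, response_consumer_url):
    """Enhanced client: the ACS URL asserted by the IdP must equal the
    responseConsumerURL from the SP's paos:Request header; on mismatch the
    client must not relay the Response to the SP and sends a SOAP fault instead."""
    root = ET.fromstring(response_envelope)
    ecp_resp = root.find("soap:Header/ecp:Response", NS)
    return (ecp_resp is not None and
            ecp_resp.get("AssertionConsumerServiceURL") == response_consumer_url)
```

The ACS comparison is the one check that stands in for the browser in this profile: because the client, not a browser redirect, delivers the Response, it is the client that has to make sure the IdP's answer is going to the endpoint the SP actually asked for.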