Setting up ECP in shibboleth SP

Anand Somani meatforums at gmail.com
Tue Jan 3 14:11:46 GMT 2012


I am using the reference from
http://scm.iaasframework.com/hg/iaas-security/file/68ed40d91214/EcpProxy.
My current work is just a prototype to get a basic understanding of the
flow; what I really need is a library (ECP client and OpenSAML) for .NET.
Any recommendations?

On Mon, Jan 2, 2012 at 6:36 PM, Eric Dalquist <eric.dalquist at doit.wisc.edu> wrote:

>  What are you using for an ECP client right now? Various uPortal
> associated portlets support ECP for delegated authentication. You can see
> source for the library that enables this here:
> https://source.jasig.org/sandbox/delegated-saml-authentication/trunk/
>
> The idea is that the library provides a customized commons-httpclient 3.1
> HttpClient class which sets the correct PAOS header and content type to
> notify the SP that ECP is supported by the client. If the SP provides the
> correct response the library handles the auth and the result is an HttpState
> which contains all the shib cookies and such.
>
> Another developer wrote the initial code but I've done a lot of
> maintenance on the library since then.
>
> -Eric
>
>
> On 1/2/12 5:55 PM, Anand Somani wrote:
>
> But if I use the SSO browser profile, on auth failure I get redirected
> back to SP with a message that access was denied.
>
> I understand that with the container-based approach it is not possible to
> do this, but why is it that Shibboleth (for the ECP profile) uses the container
> auth (
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthRemoteUser)
> and not the external auth (
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal)? It
> seems like with ExternalAuth it would be possible to return a SOAP error
> instead of a 401.
>
> What would be the best thing to do if I wanted to write an ECP client,
> then? I mean, if things are not in the spec then it would almost depend on
> the IdP implementation, which would force the client to be customizable and
> hence be a headache to maintain.
>
>
> On Mon, Jan 2, 2012 at 3:15 PM, Chad La Joie <lajoie at shibboleth.net> wrote:
>
>> In my opinion (and Scott may disagree), because the SAML spec does
>> not actually cover authentication, it also doesn't cover the case when
>> authentication is done by an external system and fails.
>>
>> In a perfect world, I would want the IdP to return a SAML error saying
>> authentication failed.  But there is no way to actually do that when you
>> call out to another system and it never returns control back to the IdP.
>>
>> On 1/2/12 6:08 PM, Anand Somani wrote:
>> > So is the response (for auth failure in the case of ECP) within the spec or not?
>> > The reason I ask is, if our customer wants to use another IdP, would our
>> > ECP code be different because it handles the credential validation
>> > differently, so instead of a 401 it returns a proper SOAP response with auth
>> > denied?
>> >
>> > Thanks
>> >
>> >
>> >
>> > On Fri, Dec 30, 2011 at 3:56 PM, Chad La Joie <lajoie at itumi.biz> wrote:
>> >
>> >     That is the expected behavior currently.  Authentication occurs
>> >     outside the IdP so it's the web server or servlet container giving you
>> >     that error.
>> >
>> >     On Fri, Dec 30, 2011 at 18:35, Anand Somani <meatforums at gmail.com> wrote:
>> >     > Follow-up question on the setup for ECP. Everything seems to work as
>> >     > expected for a successful login, but for a bad password the client gets a
>> >     > 401 and an HTML response body. I would have expected a SOAP response/fault
>> >     > (from the IdP) with a rejection/denied that I could pass to the SP. Is
>> >     > this not the correct expectation? Maybe my IdP setup is not complete, even
>> >     > though it seems to work?
>> >     >
>> >     > Thanks
>> >     >
>> >     >
>> >     > On Wed, Dec 21, 2011 at 5:56 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>> >     >>
>> >     >> For the sake of the list archive, the crash was in an old log4shib
>> >     >> version that was fixed several years ago and has nothing to do with ECP
>> >     >> in particular.
>> >     >>
>> >     >> -- Scott
>> >     >>
>> >     >> --
>> >     >> To unsubscribe from this list send an email to
>> >     >> users-unsubscribe at shibboleth.net
>> >
>> >
>> >
>> >
>> >     --
>> >     Chad La Joie
>> >     www.itumi.biz
>> >     trusted identities, delivered
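
The exchange the thread describes (client advertises PAOS/ECP to the SP, relays the SP's AuthnRequest to the IdP, and on a bad password with container-managed authentication gets back a bare HTTP 401 with an HTML body instead of a SOAP error), written out as an added Python example. This is not code from the thread, from the uPortal delegated-saml-authentication library, or from Shibboleth; the hostnames, IDs, RelayState and the two sample envelopes are constructed for the example. The one thing it adds beyond the thread is the ECP profile's own check that the IdP's AssertionConsumerServiceURL matches the SP's responseConsumerURL, with a SOAP fault to the SP on mismatch.

```python
"""Client side of the SAML 2.0 ECP exchange, run offline against constructed messages
(hostnames, IDs and RelayState below are made up; nothing here is captured traffic)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/", "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
ACTOR = 'S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"'

def ecp_request_headers():
    """Sent to the SP so it answers with a PAOS envelope carrying the AuthnRequest
    instead of redirecting a browser to the IdP."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": f'ver="{NS["paos"]}";"{NS["ecp"]}"'}

def parse_sp_request(paos_xml):
    """Keep from the SP's PAOS envelope: where it wants the final response, the
    RelayState to echo back unchanged, and the AuthnRequest to forward to the IdP."""
    root = ET.fromstring(paos_xml)
    req = root.find("S:Header/paos:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if req is None or authn is None:
        raise ValueError("not a PAOS-bound SAML AuthnRequest")
    relay = root.find("S:Header/ecp:RelayState", NS)
    return {"response_consumer_url": req.get("responseConsumerURL"),
            "relay_state": None if relay is None else relay.text,
            "authn_request": ET.tostring(authn)}

def build_idp_request(authn_request_xml):
    """SOAP body to POST (with the user's credentials, e.g. HTTP Basic) to the IdP's
    ECP endpoint: the AuthnRequest alone; the PAOS/ECP headers were addressed to us."""
    return (f'<S:Envelope xmlns:S="{NS["S"]}"><S:Body>'.encode()
            + authn_request_xml + b"</S:Body></S:Envelope>")

def soap_fault(text):
    return (f'<S:Envelope xmlns:S="{NS["S"]}"><S:Body><S:Fault><faultcode>S:Server'
            f"</faultcode><faultstring>{escape(text)}</faultstring></S:Fault>"
            "</S:Body></S:Envelope>").encode()

def build_sp_response(saml_response_el, relay_state):
    """PAOS envelope for responseConsumerURL: paos:Response header, the SP's
    RelayState echoed back, the IdP's samlp:Response as the body."""
    relay = "" if relay_state is None else (
        f'<ecp:RelayState xmlns:ecp="{NS["ecp"]}" {ACTOR}>{escape(relay_state)}</ecp:RelayState>')
    head = (f'<S:Envelope xmlns:S="{NS["S"]}"><S:Header>'
            f'<paos:Response xmlns:paos="{NS["paos"]}" {ACTOR}/>{relay}</S:Header><S:Body>')
    return head.encode() + ET.tostring(saml_response_el) + b"</S:Body></S:Envelope>"

def handle_idp_response(status, content_type, body, sp_parts):
    """Classify the IdP's reply. Returns (kind, payload): 'auth_failed' (nothing to
    relay; the client reports it itself), 'fault' (SOAP fault to deliver to the SP)
    or 'paos_response' (envelope to deliver to the SP's responseConsumerURL)."""
    if status == 401:
        # The case in the thread: with container-managed auth a bad password is rejected
        # by the servlet container before the IdP runs, so the client sees 401 + HTML.
        return ("auth_failed", "HTTP 401 from IdP: credentials rejected by the container")
    if status != 200 or "xml" not in content_type:
        return ("auth_failed", f"unexpected IdP reply: HTTP {status} {content_type}")
    root = ET.fromstring(body)
    ecp_resp = root.find("S:Header/ecp:Response", NS)
    saml_resp = root.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        return ("auth_failed", "SOAP reply without ecp:Response header or samlp:Response body")
    # ECP profile check: the IdP's AssertionConsumerServiceURL must equal the SP's
    # responseConsumerURL, or the assertion would go somewhere the SP never named;
    # on mismatch the client sends the SP a SOAP fault instead of the response.
    acs = ecp_resp.get("AssertionConsumerServiceURL")
    if acs != sp_parts["response_consumer_url"]:
        return ("fault", soap_fault(f"AssertionConsumerServiceURL {acs!r} does not match "
                                    f"responseConsumerURL {sp_parts['response_consumer_url']!r}"))
    return ("paos_response", build_sp_response(saml_resp, sp_parts["relay_state"]))

# Constructed samples: the SP's PAOS reply to ecp_request_headers(), and a successful IdP reply.
SP_PAOS_REQUEST = f"""<S:Envelope xmlns:S="{NS['S']}"><S:Header>
 <paos:Request xmlns:paos="{NS['paos']}" {ACTOR} service="{NS['ecp']}"
     responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
 <ecp:RelayState xmlns:ecp="{NS['ecp']}" {ACTOR}>ss:mem:deadbeef</ecp:RelayState>
</S:Header><S:Body>
 <samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_req1" Version="2.0"
     IssueInstant="2012-01-03T14:00:00Z"
     AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
</S:Body></S:Envelope>""".encode()

IDP_OK_RESPONSE = f"""<S:Envelope xmlns:S="{NS['S']}"><S:Header>
 <ecp:Response xmlns:ecp="{NS['ecp']}" {ACTOR}
     AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
</S:Header><S:Body>
 <samlp:Response xmlns:samlp="{NS['samlp']}" ID="_resp1" Version="2.0"
     IssueInstant="2012-01-03T14:00:01Z" InResponseTo="_req1"><samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 </samlp:Response>
</S:Body></S:Envelope>""".encode()
```

A real client would send `ecp_request_headers()` on the GET to the protected SP resource, POST `build_idp_request(...)` to the IdP's ECP endpoint with HTTP Basic credentials, and then POST whatever `handle_idp_response` returns (the PAOS envelope or the fault) to `response_consumer_url`; the cookies set on that final POST are what the library Eric mentions collects into its HttpState. The 401 branch is the behaviour Chad explains: there is no SOAP to relay, so the client has to surface the failure itself.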