[ECP] non-GET initial requests via the ECP

Cantor, Scott cantor.2 at osu.edu
Wed May 14 18:00:23 EDT 2014


On 5/14/14, 5:54 PM, "Marek Denis" <marek.denis at gmail.com> wrote:
>
>Putting both your answers together I am guessing the ECP client must
>somehow guess whether it's authenticated and only after it is, it can
>send some data via calls like POST/PUT HTTP methods, right? Can I
>initially start with a POST HTTP and in case I am not authenticated I
>will get SOAP SAML2 authn request?

The client knows whether it's been authenticated; it will get back a PAOS
message with a well-defined content type that can't mean anything else. If
that comes back, then the original request has to be resubmitted once
authentication is done and a session is in place.

All of that should be easily hidden inside an HTTP library or a wrapper
around one. If you can't buffer the data, then the library should signal
that somehow, because the same problem would exist with HTTP
authentication (you'd get a 401 challenge and the original request would
have been lost).

-- Scott
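
The resubmission logic described in the reply above, as an added example that is not part of the original message: a wrapper detects the PAOS content type, authenticates, and resends the buffered request, or signals an error if the body was streamed. The `transport` and `authenticate` hooks, the `FakeSP` class, and the `sp.example` URL are assumptions made for illustration.

```python
PAOS_CONTENT_TYPE = "application/vnd.paos+xml"
PAOS_HEADER = ('ver="urn:liberty:paos:2003-08";'
               '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"')

class UnreplayableBody(Exception):
    """PAOS challenge received, but the request body was not buffered."""

def is_paos_challenge(headers):
    # Compare the media type only; parameters such as charset are ignored.
    ctype = headers.get("Content-Type", "")
    return ctype.split(";", 1)[0].strip().lower() == PAOS_CONTENT_TYPE

def ecp_request(transport, authenticate, method, url, body=None):
    """Send a request; on a PAOS challenge, authenticate and resubmit it.

    transport(method, url, headers, body) -> (status, headers, body) and
    authenticate(paos_body) are hypothetical hooks supplied by the caller.
    """
    replayable = body is None or isinstance(body, (bytes, bytearray))
    headers = {"Accept": "text/html, " + PAOS_CONTENT_TYPE, "PAOS": PAOS_HEADER}
    resp = transport(method, url, headers, body)
    if not is_paos_challenge(resp[1]):
        return resp                      # a session was already in place
    if not replayable:
        raise UnreplayableBody("%s body was streamed and cannot be resent" % method)
    authenticate(resp[2])                # IdP exchange; session gets established
    resp = transport(method, url, headers, body)
    if is_paos_challenge(resp[1]):
        raise RuntimeError("still challenged after authentication")
    return resp

class FakeSP:
    """Constructed stand-in for a service provider, for offline use."""
    def __init__(self):
        self.session, self.received = False, []
    def __call__(self, method, url, headers, body):
        if not self.session:             # no session: answer with a PAOS message
            return 200, {"Content-Type": PAOS_CONTENT_TYPE}, b"<constructed PAOS envelope/>"
        self.received.append((method, body))
        return 201, {"Content-Type": "application/json"}, b'{"ok": true}'
    def login(self, paos_body):          # stands in for the whole IdP round trip
        self.session = True

if __name__ == "__main__":
    sp = FakeSP()
    print(ecp_request(sp, sp.login, "POST", "https://sp.example/items", b"payload")[0])
```
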



