AW: AW: Programmatically get Assertion for 3rd party resources

Brent Putman putmanb at
Wed May 20 15:24:24 EDT 2015

On 5/20/15 10:17 AM, Kevin Flückiger wrote:
>> That merely replaces the Redirects and JavaScript-initated HTTP POST of Web Browser SSO profile with the ECP client doing the >work of sending protocol messages back and forth to the SP and IDP.
>> It doesn't change anything wrt who may get what assertion.
> Ok I understand. I saw that AWS doesn't support the ECP-Profile anyways, so back to the start.
> Would you say that my use case (login to my application protected by my own SP and then accessing resources protected by a SP out of my control, but trusted by my IdP) is not possible at all? 

When you describe it that way, that sounds like the canonical use case
for SAML delegation, described here:

That allows an intermediary SP to obtain a new Assertion that it can
use to access a backend SP with a delegated Assertion as the credential.

However, in your initial description it  sounded like the AWS consumer
wasn't exactly an SP implementing the Web Browser SSO Profile.  If it
wants you to obtain (somehow, in an unspecified way) an Assertion
targeted to it and then pass it in a proprietary API call, etc, to
establish a session or security context, then that's not really
something defined by an existing common SAML profile, as far as I know.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list