Setting up an IDP to perform HTTP Basic Authentication

Cantor, Scott cantor.2 at
Wed May 25 17:16:06 EDT 2016

On 5/25/16, 4:43 PM, "users on behalf of Eric Wedaa" <users-bounces at on behalf of Eric.Wedaa at> wrote:

>Yay!  So it should work.  The vendor is now asking me for the URL they should be sending
>requests to.  Does that make sense in this context?  And if so, what would it be normally?

The only appropriate case here is ECP because a non-browser client has no business using any other endpoint. That endpoint is /idp/profile/SAML2/SOAP/ECP.

If you're going to tolerate screen scraping, good luck with that, but that's just using the same SAML SingleSignOnService endpoints you use for any other SPs.

I think it's very likely that unless this is about ECP that something very wrong is happening and the outcome here will not be good. Possibly not even secure.

-- Scott

More information about the users mailing list