ECP and session cookies

Cantor, Scott cantor.2 at osu.edu
Tue Feb 13 18:57:47 EST 2018


> Is it possible to leverage the single sign-on session properties of browser
> with the IdP's ECP endpoint?

There's no browser, but in the sense that you mean it, the IdP doesn't treat ECP any differently. The IdP will issue cookies and honor them, and it will just work. It even knows to skip the local storage load/save steps because it detects that the profile is non-browser.

> We're caching the shib_idp_session_ss cookie
> then passing it back to the IdP with a subsequent ECP request in hopes that it
> would use it instead of looking for REMOTE_USER the second time around.

The client must handle all cookies issued in compliance with HTTP, and that isn't the only one, or even the main one.

> So, is there any way to get the ECP flow to honor a session cookie from a
> previous login?

It will. I have no evidence of it because I have no clients that handle cookies, but I also have no reason to believe it doesn't work and it's essentially not really possible for it not to since that code doesn't care what the particulars are.

-- Scott
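The point made in the reply, that an ECP client has to store and return every cookie the IdP sets rather than one hand-picked cookie, shown as an added example that is not part of the original post or the Shibboleth code base. The host, path and cookie values are constructed placeholders, and every cookie name other than `shib_idp_session_ss` is an assumption.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample: host, path and cookie values are placeholders. Only
# shib_idp_session_ss is named in the thread; the other names are assumptions.
ECP_URL = "https://idp.example.org/idp/profile/SAML2/SOAP/ECP"
FIRST_RESPONSE_HEADERS = (
    "Set-Cookie: JSESSIONID=AAAA; Path=/idp; Secure; HttpOnly\n"
    "Set-Cookie: shib_idp_session=BBBB; Path=/idp; Secure; HttpOnly\n"
    "Set-Cookie: shib_idp_session_ss=CCCC; Path=/idp; Secure; HttpOnly\n"
    "\n"
)

class CannedResponse:
    """Minimal stand-in for an HTTP response so the example runs offline."""
    def __init__(self, raw_headers):
        self._headers = email.message_from_string(raw_headers)

    def info(self):
        return self._headers

def new_session_jar():
    """Jar contents after the first (authenticated) ECP exchange."""
    jar = CookieJar()
    jar.extract_cookies(CannedResponse(FIRST_RESPONSE_HEADERS),
                        urllib.request.Request(ECP_URL))
    return jar

def cookie_names_sent(jar, url):
    """Names of the cookies the jar attaches to a follow-up request to url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies domain, path and Secure rules
    header = req.get_header("Cookie") or ""
    return {pair.split("=", 1)[0] for pair in header.split("; ") if pair}

def ecp_opener(jar):
    """Opener a real client would reuse for every ECP POST to the IdP."""
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

if __name__ == "__main__":
    jar = new_session_jar()
    print("jar sends:         ", sorted(cookie_names_sent(jar, ECP_URL)))
    print("hand-cached client:", ["shib_idp_session_ss"])
    plain = ECP_URL.replace("https", "http", 1)
    print("same jar over http:", sorted(cookie_names_sent(jar, plain)))
```

A client that sends all of its ECP requests through one `ecp_opener(jar)` gets this behaviour on every request, and the jar withholds `Secure` cookies from a plain-HTTP URL.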


