Enhanced Client or Proxy Profile Version 2.0, can Azure AD be used as the IdP?
Paul B Hill
pbh at mit.edu
Tue Apr 26 15:29:34 UTC 2022
Thank you to Scott and the list. The list provided an accurate response faster than I was able to obtain a response from Microsoft.
Today I received a confirmation from Microsoft that they do not currently support the Enhanced Client or Proxy Profile Version 2.0 when Azure AD is used as the IdP. I was referred to using OIDC for the use case in question.
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott via users
Sent: Tuesday, April 19, 2022 12:45 PM
To: Wessel, Keith <kwessel at illinois.edu>; Shib Users <users at shibboleth.net>
Cc: cantor.2 at osu.edu
Subject: Re: Enhanced Client or Proxy Profile Version 2.0, can Azure AD be used as the IdP?
On 4/19/22, 12:40 PM, "Wessel, Keith" <kwessel at illinois.edu> wrote:
> Amazingly, Okta claims they do. Can't say if it actually works.
Having no evidence I will refrain from expressing an opinion. When I call out a vendor, it's factual.
> I, too, would be very surprised if Azure AD supported ECP, though.
> They've mostly adopted OIDC and "sign into work or school" flows for getting the credentials in place to support non-browser interactions.
When you have a browser to hand, I would say web -> nonweb cookie is clearly the best approach at this point.
For other use cases, I would imagine that getting the resource owner password grant implemented would be a good idea. I considered it while I was working on the client credentials grant but it's quite a bit different in a number of ways with regard to how we'd implement it.