I set up my Shibboleth IdP with my SP and it works well for form-based authentication.
I also need to allow programmatic API clients to be authenticated using the same IdP.
How can I do this? Clearly the client making API calls to secured resources in the
SP cannot respond to a form-based login.
Basically, an API query to a secured resource on the SP should be authenticated using the basic auth
mechanism with the IdP.
On 3/9/11 8:09 PM, "Kobe" <[hidden email]> wrote:
>I also need to allow programmatic api clients to be authenticated using
The appropriate profile for this is called ECP and is not the same as what
is used for a browser. I answered the same question this morning. I'll try
and write up a page since this is coming up constantly all of the sudden,
for some reason. You can find the IdP extension for ECP on the
contributions page and the specification itself at OASIS.
Thank you for your help. The ECP profile needs the SOAP binding; my web services are
REST based. Do I need to implement a proxy client that implements this profile
over SOAP on behalf of my REST clients?
Is there an open source implementation of a basic ECP proxy client for doing basic auth,
so that I can implement my own client based on it?
> Thank you for your help. The ECP profile needs the SOAP binding; my web services
> are REST based. Do I need to implement a proxy client that implements this
> profile over SOAP on behalf of my REST clients?
Only the parts that involve the authentication step involve SOAP. It is agnostic about the actual resources.
> Is there a open source implementation of a basic ECP proxy client for doing
> basic auth?
There are Java libraries around that do a superset of the basic ECP work to support delegation flows hosted on web sites. They do more than what is needed for a basic client.
On 3/10/11 2:21 PM, "Kobe" <[hidden email]> wrote:
>Can you point me to these Java libraries that can be used as a starter for
>implementing an ECP client?
If I had the links handy, I would. One of them was done by Unicon and was
linked from the Shib-uPortal wiki space at one point, and the other was
being done in Europe I believe. When I get around to writing up a page, I
will probably try and track them down. You should be able to find some
mention of the latter one in the list archive.
>I searched and found a reference in openliberty site - but I am not sure
>they provide an implementation.
It's my clone of the Spring Security Extensions project that supports
the basic ECP profile. I've heard from the Spring devs and they are
interested in merging my changes. I have no idea when this is going to
I looked at your earlier post on this forum and the Spring forums. I thought that your
implementation was still underway.
Could you please describe how this can be deployed with an ECP-capable SP and IdP?
My understanding is that if I have a web service client that supplies basic auth headers,
then I can deploy it behind this client as follows:
<IdP> <------> (ECP client) <--------> <SP>
                    |
            web service client
> I looked at your earlier post on this forum and the Spring forums. I thought
> that your
> implementation was still underway.
Yeah, that might have been confusing. I've just updated my post to
reflect the latest development.
> Could you please describe how this can be deployed with an
> ECP-capable SP and IdP?
Wow, I was really lost yesterday when I jumped into this discussion
and modified the wiki. I've pointed to my SP implementation. Not my
client implementation. I'm sorry about the confusion I generated...
I do have a Java ECP client, but it's using OpenSAML (nothing to do
with Spring) and it's hosted in the code repo of some other project on
which I'm working. As I'm thinking about it, I don't think I should
put it on the wiki page because it's a bit too specific. However, I'm
still going to explain how to use it because it could be useful to
anyone wanting to write an ECP client.
Your implementation is a very good starter; you have saved me a bunch of hassle.
Jonathan Tellier wrote:
> I do have a Java ECP client, but it's using OpenSAML
The client takes care of steps 1 to 6 of the spec, so from there
you can send the token to the SP in order to authenticate and access
the protected resource.
So this client is not a "complete" client per se (because it does not
take care of the entire flow), but it should help you write one that
will suit your needs.
I have two questions:
a) How can I figure out the IdP ECP URL to which I should send the AuthnRequest received from the SP?
I would like to do this in an IdP-agnostic way. I could not locate an example of IdP metadata with the
ECP profile. Could you suggest how this can be solved? Do you have sample IdP metadata with the ECP profile?
b) I am trying to extend your code to do step (7): I am trying to convert the assertion received from the
IdP to the SP to obtain the SP-specific token. I am not sure which URL on the SP I should send this to.
Can you please explain? Can this SP URL to which the IdP assertion needs to be sent be inferred from SP
> I have two questions:
> a) How can I figure out the IdP ECP URL to which I should send the
> AuthnRequest received from the SP?
> I would like to do this in an IdP-agnostic way. I could not locate an
> example of IdP metadata with the
> ECP profile. Could you suggest how this can be solved? Do you have
> sample IdP metadata with the ECP profile?
The SingleSignOnService for ECP has a Binding with the SAML 2.0 SOAP binding URI in it, that's all.
> b) I am trying to extend your code to do step (7): I am trying to convert
> the assertion received from the
> IdP to the SP to obtain the SP-specific token. I am not sure which URL
> on the SP I should send this to.
If you mean where you send the *response* from the IdP, that's in the two SOAP headers you have to cross check to make sure they match.
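The two answers above, as an added, runnable example (not code from this thread, from Jonathan's OpenSAML client, or from any Shibboleth or Spring project): (a) the IdP's ECP endpoint is located in its metadata purely by the SOAP Binding URI on a SingleSignOnService, and (b) before the IdP's Response is delivered to the SP, the AssertionConsumerServiceURL in the IdP's ecp:Response SOAP header is cross-checked against the responseConsumerURL in the SP's paos:Request SOAP header, and the Response is sent to that URL. The block covers the client's share of steps 1 to 7 as the thread numbers them; the IdP metadata, the SP's PAOS envelope, the IdP's SOAP reply, and every URL and entityID in it are constructed samples, and the two HTTP POSTs themselves (Basic auth to the IdP, PAOS to the SP) are left to the caller.

```python
"""Client-side message handling for the SAML 2.0 ECP profile.  Added example written for
this thread, not code from any project; all XML, URLs and entityIDs are constructed."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/", "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
# Headers a non-browser client adds to its first request so the SP answers with a PAOS envelope, not a login form.
PAOS_HTTP_HEADERS = {"Accept": "text/html, application/vnd.paos+xml",
                     "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}
# Matches the SOAP Body whatever prefix the sender used, so its content can be carried verbatim.
_BODY_RE = re.compile(r"<(?:(?P<p>[\w.-]+):)?Body\b[^>]*>(?P<inner>.*?)</(?:(?P=p):)?Body\s*>", re.S)

# Constructed sample: IdP metadata.  Only the SOAP Binding URI marks the ECP endpoint.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org/idp/profile/SAML2/SOAP/ECP"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: SP -> client (step 2), carrying the AuthnRequest the client must relay.
SP_PAOS_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">ss:mem:abc123</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_req1" Version="2.0" IssueInstant="2011-03-10T20:00:00Z"
        ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
  </S:Body>
</S:Envelope>"""

# Constructed sample: IdP -> client after HTTP Basic auth (step 5).  Different SOAP prefix on purpose; signed Assertion elided.
IDP_SOAP_ENVELOPE = """<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
  <soap11:Header>
    <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" soap11:mustUnderstand="1" soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
        AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>
  </soap11:Header>
  <soap11:Body>
    <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" InResponseTo="_req1" Version="2.0"
        IssueInstant="2011-03-10T20:00:01Z" Destination="https://sp.example.org/Shibboleth.sso/SAML2/ECP">
      <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
    </saml2p:Response>
  </soap11:Body>
</soap11:Envelope>"""

def find_ecp_sso_url(idp_metadata):
    """Question (a): the SingleSignOnService whose Binding is the SOAP binding, or None if the IdP has none."""
    for sso in ET.fromstring(idp_metadata).iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == SOAP_BINDING:
            return sso.get("Location")
    return None

def extract_soap_body(envelope):
    """Return the Body content verbatim: the SAML message is signed and must reach the SP byte for byte
    (ET.tostring() may rewrite namespace prefixes and break the signature).  Caveat: namespaces the
    sender declared on its Envelope rather than on the message would have to be copied across too."""
    m = _BODY_RE.search(envelope)
    if m is None:
        raise ValueError("no SOAP Body found")
    return m.group("inner").strip()

def parse_sp_paos_request(envelope):
    """Steps 1-2: what the client keeps from the SP's paos:Request and ecp:RelayState headers."""
    root = ET.fromstring(envelope)
    req = root.find("S:Header/paos:Request", NS)
    if req is None or req.get("service") != NS["ecp"] or root.find("S:Body/samlp:AuthnRequest", NS) is None:
        raise ValueError("not an ECP PAOS request carrying an AuthnRequest")
    relay = root.find("S:Header/ecp:RelayState", NS)
    return {"responseConsumerURL": req.get("responseConsumerURL"),
            "relayState": None if relay is None else relay.text,
            "authnRequest": extract_soap_body(envelope)}

def build_idp_request(authn_request_xml):
    """Step 3: envelope POSTed with Basic credentials to the IdP's SOAP endpoint; the SP's PAOS/ECP headers are not forwarded."""
    return f'<S:Envelope xmlns:S="{NS["S"]}"><S:Body>{authn_request_xml}</S:Body></S:Envelope>'

def check_idp_response(idp_envelope, response_consumer_url):
    """Step 6 / question (b): the IdP's ecp:Response header must name the same URL as the SP's paos:Request
    responseConsumerURL.  Returns it on a match, None otherwise (then the client must not deliver the
    Response; the profile has it send the SP a SOAP fault instead)."""
    hdr = ET.fromstring(idp_envelope).find("S:Header/ecp:Response", NS)
    acs = None if hdr is None else hdr.get("AssertionConsumerServiceURL")
    return acs if acs is not None and acs == response_consumer_url else None

def build_sp_response(idp_envelope, response_consumer_url, relay_state=None):
    """Step 7: (ACS URL, envelope) to POST with Content-Type application/vnd.paos+xml.  The IdP's ecp:Response
    header is dropped, the SP's RelayState is echoed back, and the samlp:Response body is carried unchanged."""
    acs = check_idp_response(idp_envelope, response_consumer_url)
    if acs is None:
        raise ValueError("ACS URL mismatch or missing ecp:Response header; refusing to deliver")
    hdr = "" if relay_state is None else (
        f'<S:Header><ecp:RelayState xmlns:ecp="{NS["ecp"]}" S:mustUnderstand="1" '
        f'S:actor="{SOAP_NEXT}">{escape(relay_state)}</ecp:RelayState></S:Header>')
    return acs, f'<S:Envelope xmlns:S="{NS["S"]}">{hdr}<S:Body>{extract_soap_body(idp_envelope)}</S:Body></S:Envelope>'
```

The order of calls is parse_sp_paos_request on the SP's reply, build_idp_request POSTed with Basic auth to find_ecp_sso_url's Location, then build_sp_response on the IdP's reply, which refuses to produce anything when the two header URLs disagree. That refusal is the security point of the cross-check: the IdP's header is the only thing telling the client where to deliver a freshly issued assertion, and the SP's own header is what it is verified against. The body is carved out as raw text rather than re-serialised precisely because the Response is signed; an ECP client that round-trips it through a DOM and back is a common way to end up with a signature the SP rejects.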