Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

SAML ECP Live

(Matthew Economou)

Matthew: The use case does the login through the browser, in which case you are not using ECP. There are apps I support and services that the scientists need to use. I am looking for ways to give access to people without a web service being involved. One of the other ways is ECP.

Scott: What is ECP? It’s a SAML profile with the intention of creating an enhanced client, much more than a web browser. It is up to this smart client to do the whole management. It first goes to the service provider with a special string in its header and asks to be treated “differently”. The service provider will then give it SAML, and the client will then remember some details about it and go to the IdP. It needs some way of authenticating on the IdP side (login and pass), and the client finally gives the blob of SAML to the IdP. The client then picks up the verified SAML and sends it back to the service provider. The latter trusts the assertion and sends back the details the client needs in order to reach the final needed page.

David: Both IdP and SP need this protocol extension?

Scott: Yes. It also has to go through the XML and remember sessions. Turns out they can be built very easily at the bash level in Linux. At LIGO we have a tool called ligo/proxy init implemented with it.

Peter Schober: The point is not to deal with HTML but with other options.

Scott: One of the obligations of the client is to make sure that what comes back from the IdP is indeed intended for the SP.

Live demo of ECP is ongoing on the screen.

Scott: Curl is used because it can talk to the web. Most of the script is getting the right curl command and getting a proper manipulation of the XML.

Writing the bash script is really not complicated.

Matthew: On the IdP side, can you go into details on how you intercept that authentication?

There are no special configurations needed on the IdP side, really, as long as the authentication goes through correctly.

Martin: This is not a solution if I have a customer that wants two-factor authentication?

Peter S: It is not unthinkable, but it has its limitations. It should be working out of the box, including certificate authorization.

Matthew: One of our users is uploading reports in SharePoint, and they log into SaToSa via a back-end IdP. They use Selenium. Can I use ECP to give them another, better way to authenticate?

Scott: Not without a lot of work, because your architecture has a SAML proxy in the middle.

Peter Schober: For the browser it doesn’t matter how many proxies you have, but for ECP each proxy has to be aware of it. Also, the ECP client receives your pass literally and hands it over. It might not be trusted enough, as the web browser is. Sometimes you want the IdP to have your password more directly.

Matthew: We treat our research projects being integrated into IT services as virtual organizations. What my clients want to be able to do is a federated log-on like they would in the web browser, and get temporary credentials that way. Not sure how to make that happen.

Tim: Not sure if the standard privileged account management tools deal with this.

Scott: LIGO sees this differently now, not relying only on ECP, contrary to the primary idea. The command line has a web browser next to it, and the web browser cannot be fully avoided because of the URL being sent out; tokens will then be generated from the web browser.

RFC 8252: authorization requests from native apps should only be made through external user-agents, primarily the user’s browser. https://tools.ietf.org/html/rfc8252