Enhanced Client Proxy Profile Using PAOS Binding
Onegini IDP supports Enhanced Client Proxy Profile Using PAOS Binding. Following graph presents the example flow (for more information please read the documentation).
SAML ECP implamentation in Onegini IDP has some limitations. Currently we do not support
Channel Bindings
andHolder of Key
.
title Enhanced Client Proxy Profile Using PAOS Binding participant Enhanced Client Proxy as ecp participant Service Provider as sp participant Identity Provider as idp ecp->sp: Access resource sp->sp: Check principal privileges alt Principal not authenticated sp->ecp:in PAOS request ecp->idp: in SOAP request with basic authorization header alt Credentials valid idp->ecp: Signed success in SOAP response ecp->sp: Signed in PAOS response sp->ecp: Provide resource else Credentials invalid idp->ecp: Signed error in SOAP response end end
Authentication
Onegini IDP supports only authentication via basic authorization header so ECP client should attach principal credentials in request header, eg.
Authorization: Basic bG9naW46cGFzc3dvcmQ=
Onegini IDP SAML response on successful authentication
After successful authentication Onegini IDP returns saml:Response
with Success
status code, eg.
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Header>
<ecp:Response
xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
AssertionConsumerServiceURL="http://service-provider/saml/SSO"
soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
soap11:mustUnderstand="1" />
</soap11:Header>
<soap11:Body>
<saml2p:Response>...</saml2p:Response>
</soap11:Body>
</soap11:Envelope>
Onegini IDP SAML response on failed authentication
After failed authentication Onegini IDP returns saml:Response
with Error
status code, eg.
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
<soap11:Header>
<ecp:Response
xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
AssertionConsumerServiceURL="http://service-provider/saml/SSO"
soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
soap11:mustUnderstand="1" />
</soap11:Header>
<soap11:Body>
<saml2p:Response ...>
<saml2p:Status>
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
<saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
</saml2p:StatusCode>
</saml2p:Status>
</saml2p:Response>
</soap11:Body>
</soap11:Envelope>