Sun OpenSSO Enterprise 8.0 Administration Guide

Enhanced Client and Proxy

The Enhanced Client and Proxy (ECP) profile assumes the client can contact an appropriate provider using the reverse SOAP (PAOS) binding. The ECP process flow is as follows:

  1. The principal, through the ECP, makes an HTTP request for a secured resource at a service provider, which does not have an established security context for the ECP or principal.

  2. The service provider issues an authentication request to the ECP using PAOS binding.

  3. The ECP obtains the location of an endpoint at an identity provider for the authentication request protocol that supports its binding.

  4. The ECP conveys the authentication request to the identity provider.

  5. The identity provider identifies the principal.

  6. The identity provider issues a response to the ECP that is to be delivered to the service provider.

  7. The ECP conveys a response message to the service provider.

  8. The service provider grants or denies access to the principal.

See the following procedures for configuration information.

After completing the configuration, use the following URL format to access a resource on the service provider.

SP protocol://SP host:SP port/SP deploy URI/SPECP?metaAlias=sp metaAlias&RelayState=resource url

Procedure: To Configure for ECP on the Identity Provider Side

  1. Click the Federation tab and select the hosted SAMLv2 identity provider you wish to edit.

  2. Click on the IDP tab.

  3. Click the Advanced tab.

  4. Edit the IDP Session Mapper attribute for your deployment.

    The session mapper SPI com.sun.identity.saml2.plugins.IDPECPSessionMapper finds a valid session from the HTTP servlet request on the identity provider side with the ECP profile. The default implementation will construct a session object from the OpenSSO Enterprise server cookie. To construct a session from other cookies or HTTP headers, you need to implement this SPI and set your implementation here.

  5. Click Save.

Procedure: To Configure for ECP on the Service Provider Side (Optional)

  1. Click the Federation tab and select the hosted SAMLv2 identity provider you wish to edit.

  2. Click on the SP tab.

  3. Click the Advanced tab.

  4. Click ECP Configuration.

  5. Edit the Request IDP List Finder Implementation attribute (the IDP Finder SPI) and the related Request IDP List attributes.

    Request IDP List Finder Implementation: com.sun.identity.saml2.plugins.SAML2IDPFinder finds a list of preferred identity providers. You can write your own implementation of this interface and set it here. The default implementation reads the Request IDP List attribute.

    Request IDP List Get Complete: Specifies a URI reference that can be used to retrieve the complete IDP list if the IDPList element is not complete.

    Request IDP List: Defines a list of IDPs for the ECP to contact. This list is used by the default implementation of the IDP Finder.

  6. Click Save.
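As an added illustration of the ECP process flow above and of the Request IDP List attributes (example code written for this page, not from the OpenSSO guide or product): a Python sketch of what the ECP reads from the service provider's PAOS request, and the check it must make before forwarding the identity provider's response to the service provider. All hostnames, URLs and message contents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespaces of the SAML 2.0 ECP profile and the PAOS binding.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample of the SP's PAOS-bound authentication request (flow step 2).
# Its IDPList is what the SP's Request IDP List / Get Complete attributes populate.
SP_PAOS_REQUEST = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}"
  xmlns:ecp="{NS['ecp']}" xmlns:samlp="{NS['samlp']}">
  <S:Header>
    <paos:Request S:mustUnderstand="1" service="{NS['ecp']}"
      responseConsumerURL="https://sp.example.com/opensso/ecp-acs"/>
    <ecp:Request S:mustUnderstand="1">
      <samlp:IDPList>
        <samlp:IDPEntry ProviderID="https://idp.example.com/opensso"/>
        <samlp:GetComplete>https://sp.example.com/opensso/idplist</samlp:GetComplete>
      </samlp:IDPList>
    </ecp:Request>
  </S:Header>
  <S:Body><samlp:AuthnRequest ID="_req1" Version="2.0"/></S:Body>
</S:Envelope>"""

def parse_paos_request(xml_text):
    """Flow steps 2-3: pull out where the final response must go, the SP's preferred
    IDPs, and the GetComplete URI to fetch when the IDPList is not complete."""
    root = ET.fromstring(xml_text)
    consumer_url = root.find("S:Header/paos:Request", NS).get("responseConsumerURL")
    idp_list = root.find("S:Header/ecp:Request/samlp:IDPList", NS)
    idps = [e.get("ProviderID") for e in idp_list.findall("samlp:IDPEntry", NS)]
    get_complete = idp_list.find("samlp:GetComplete", NS)
    return consumer_url, idps, None if get_complete is None else get_complete.text

def idp_response(acs_url):
    """Constructed IDP reply (flow step 6); the ecp:Response header names the ACS URL."""
    return (f'<S:Envelope xmlns:S="{NS["S"]}" xmlns:ecp="{NS["ecp"]}" xmlns:samlp="{NS["samlp"]}">'
            f'<S:Header><ecp:Response S:mustUnderstand="1" AssertionConsumerServiceURL="{acs_url}"/></S:Header>'
            '<S:Body><samlp:Response ID="_resp1" Version="2.0"/></S:Body></S:Envelope>')

def idp_response_ok(idp_xml, consumer_url):
    """Flow step 7 gate: forward the IDP's response only if its ecp:Response
    AssertionConsumerServiceURL equals the SP's responseConsumerURL; otherwise the
    assertion would land at an endpoint the SP never asked for, so send a SOAP fault."""
    hdr = ET.fromstring(idp_xml).find("S:Header/ecp:Response", NS)
    return hdr is not None and hdr.get("AssertionConsumerServiceURL") == consumer_url
```

The same URL comparison is the one the ECP profile requires before step 7; an ECP that skips it will deliver the identity provider's response wherever the response header says, not where the service provider asked.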