The SAML 2.0 Enhanced Client or Proxy (ECP) profile is intended for use when accessing services over devices like simple phones, medical devices, and set-top boxes that lack the capabilities needed to use the more widely used SAML 2.0 Web Browser SSO profile.
The ECP knows which identity provider to contact for the user, and is able to use the reverse SOAP (PAOS) SAML 2.0 binding for the authentication request and response. The PAOS binding uses HTTP and SOAP headers to pass information about processing SOAP requests and responses, starting with a PAOS HTTP header that the ECP sends in its initial request to the server. The PAOS messages continue with a SOAP authentication request in the server's HTTP response to the ECP's request for a resource, followed by a SOAP response in an HTTP request from the ECP.
An enhanced client, such as a browser with a plugin or an extension, can handle these communications on its own. An enhanced proxy is an HTTP server such as a WAP gateway that can support the ECP profile on behalf of client applications.
OpenAM supports the SAML 2.0 ECP profile on the server side for identity providers and service providers. You must build the ECP.
By default an OpenAM identity provider uses the
com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper
class to find a user session for requests to the IDP from the ECP. The
default session mapper uses OpenAM cookies as it would for any other client
application. If for some reason you must change the mapping after writing
and installing your own session mapper, you can change the class under
Federation > Entity Providers > idp-name
> IDP > Advanced > ECP Configuration.
By default an OpenAM service provider uses the
com.sun.identity.saml2.plugins.ECPIDPFinder class to
return identity providers from the list under Federation > Entity
Providers > sp-name > SP > Advanced
> ECP Configuration > Request IDP List. You must populate the list
with identity provider entity IDs.
The endpoint for the ECP to contact on the OpenAM service provider is
/SPECP as in
http://www.sp.example:8080/openam/SPECP. The ECP provides
two query string parameters to identify the service provider and to specify
the URL of the resource to access.
metaAlias
This specifies the service provider, by default
metaAlias=/realm-name/sp, as described in MetaAlias.
RelayState
This specifies the resource the client aims to access such as
RelayState=http%3A%2F%2Fforgerock.org%2Findex.html.
For example, the URL to access the service provider and finally
the resource at http://forgerock.org/index.html
could be
http://www.sp.example:8080/openam/SPECP?metaAlias=/sp&RelayState=http%3A%2F%2Fforgerock.org%2Findex.html.
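The ECP's side of the first PAOS exchange described above, as an added Python example that is not OpenAM code: it builds the initial request to /SPECP and checks that the service provider's reply really is a PAOS authentication request before anything is sent to an identity provider. The PAOS and Accept header values and the namespace URIs come from the SAML 2.0 ECP profile and PAOS binding; the function names and the sample SP reply (its consumer URL and request ID included) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Namespace URIs from the SAML 2.0 ECP profile and the PAOS binding.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def build_specp_request(sp_base, meta_alias, resource_url):
    """Return (url, headers) for the ECP's initial request to /SPECP."""
    url = (f"{sp_base}/SPECP?metaAlias={quote(meta_alias, safe='/')}"
           f"&RelayState={quote(resource_url, safe='')}")
    headers = {
        # Advertise the PAOS media type and ECP support to the SP.
        "Accept": "text/html, application/vnd.paos+xml",
        "PAOS": f'ver="{PAOS}";"{ECP}"',
    }
    return url, headers

def read_paos_authn_request(soap_xml):
    """Check the SP's reply and return (responseConsumerURL, AuthnRequest ID)."""
    if b"<!DOCTYPE" in soap_xml:  # crude guard; prefer a hardened XML parser
        raise ValueError("DTD not allowed in SOAP message")
    env = ET.fromstring(soap_xml)
    paos_req = env.find(f"{{{SOAP}}}Header/{{{PAOS}}}Request")
    authn = env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}AuthnRequest")
    if paos_req is None or authn is None:
        raise ValueError("reply is not a PAOS authentication request")
    if paos_req.get("service") != ECP:
        raise ValueError("PAOS request is not for the ECP profile")
    return paos_req.get("responseConsumerURL"), authn.get("ID")

# Constructed sample of the SP's reply; consumer URL and ID are placeholders.
SAMPLE_SP_REPLY = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <S:Header>
  <paos:Request S:mustUnderstand="1"
    responseConsumerURL="http://www.sp.example:8080/placeholder-consumer"
    service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
 </S:Header>
 <S:Body><samlp:AuthnRequest ID="_constructed1" Version="2.0"/></S:Body>
</S:Envelope>"""

if __name__ == "__main__":
    print(build_specp_request("http://www.sp.example:8080/openam", "/sp",
                              "http://forgerock.org/index.html"))
    print(read_paos_authn_request(SAMPLE_SP_REPLY))
```

The ECP should keep the returned responseConsumerURL: the ECP profile requires comparing it with the AssertionConsumerServiceURL in the identity provider's later response before delivering the assertion to the service provider.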

