...
- Discussion continued from yesterday.
- ECP use cases:
- IMAP (Live@EDU example)
- also activesync for Outlook and portable devices
- Microsoft provides the ECP gateway, credentials go to MS, prefer to have ECP gateway at institution
- Google support for ECP; currently need to send password hashes; outreach from InCommon to Google?
- ECP PAM module
- command-line & thick-client apps
- smartphone campus apps (OSU work on this?)
- PESC registry of web services
- IMAP (Live@EDU example)
- ECP authentication options: HTTP Basic Auth, X.509, Kerberos
- DOE labs doing certificate-based authentication
- DOEGrids test IdP accepts grid certificates
- campus adoption of certificate-based authentication
- most campuses today do password-based
- concern: do clients support certs? most rich clients don't?
- consider OAuth as an authentication mechanism for ECP
- wide adoption of certificates in HPC/grid space
- DOE labs doing certificate-based authentication
- Shibboleth ECP configuration
- https://wiki.shibboleth.net/confluence/display/SHIB2/ECP
- https://wiki.shibboleth.net/confluence/display/SHIB2/IdP+ECP+Extension
- https://wiki.shibboleth.net/confluence/display/SHIB2/IdPSAML2ECPProfileConfig
- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionInitiator
- SP Example:
No Format <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie"> <SessionInitiator type="SAML2" ECP="true" /> <SessionInitiator type="SAMLDS" URL="https://parsley.phys.uwm.edu/LIGO_SAML_DiscoveryService" /> <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true" /> </SessionInitiator>
- SP Example:
- What will the pushback be if we ask IdP administrators to enable ECP?
- Suggestion: setup test SP environment to help them test ECP
- IdP 2.3 support for ECP helps
- Any risk to enabling ECP in IdP? Make sure you enable HTTPS (encrypted channel).
- May not be ready to upgrade to IdP 2.3. (Note XSS vuln.)
- Attribute release for ECP
- How will consent work? uApprove is browser-based.
- Consent when you download the client?
- Example: command-line client from Debian distribution.
- Consent build-in to the client?
- Client configuration
- IdP & SP discovery information
- Downloadable configuration (from resource they want to access)
- Bundle in discovery and consent at this point
- Use browser as one-time on-boarding mechanism
- ECP discovery: SAML metadata?
- If SAML response is encrypted, how does ECP client handle it?
- Does ECP client need to modify the authentication response before sending it to SP?
- Ask Scott Koranda about this.
- How to coordinate work / discuss?
- Use shib-dev mailing list & Shibboleth wiki.
...