
Enhanced Client or Proxy (ECP) Profile Using PAOS Binding

Onegini IdP supports the SAML 2.0 Enhanced Client or Proxy (ECP) profile using the PAOS binding. The following diagram shows an example flow; for more information about the profile itself, please read the documentation.

Info

The SAML ECP implementation in Onegini IdP has some limitations: Channel Bindings and Holder-of-Key are currently not supported. The assertions issued over ECP are therefore bearer assertions, and the Service Provider cannot tie the client that presents a response to the client that authenticated at the IdP.

sequenceDiagram
    participant ecp as Enhanced Client or Proxy
    participant sp as Service Provider
    participant idp as Identity Provider
    ecp->>sp: Access resource
    sp->>sp: Check principal privileges
    alt Principal not authenticated
        sp->>ecp: <AuthnRequest> in PAOS request
        ecp->>idp: <AuthnRequest> in SOAP request with basic auth header
        alt Credentials valid
            idp->>ecp: Signed success <Response> in SOAP response
            ecp->>sp: Signed <Response> in PAOS response
            sp->>ecp: Provide resource
        else Credentials invalid
            idp->>ecp: Signed error <Response> in SOAP response
        end
    end

Authentication

Onegini IdP authenticates the ECP request only via the HTTP Basic authorization scheme, so the ECP client must put the principal's credentials in the Authorization header of the SOAP request it sends to the IdP. The header value is the base64 encoding of login:password, e.g. (the example below encodes the literal credentials login and password):

Authorization: Basic bG9naW46cGFzc3dvcmQ=

Because Basic credentials are only base64-encoded, not encrypted, the connection from the ECP client to the IdP must use TLS; otherwise the principal's password is exposed on the wire.

Onegini IdP SAML response on successful authentication

After successful authentication Onegini IdP returns a saml2p:Response whose StatusCode is urn:oasis:names:tc:SAML:2.0:status:Success, wrapped in a SOAP envelope whose ecp:Response header carries the AssertionConsumerServiceURL the client has to deliver the response to. Before forwarding it, the ECP client must check that this URL equals the responseConsumerURL it received in the Service Provider's PAOS request header; if the two differ, the response must not be delivered. An example:

<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
   <soap11:Header>
      <ecp:Response 
        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" 
        AssertionConsumerServiceURL="http://service-provider/saml/SSO" 
        soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" 
        soap11:mustUnderstand="1" />
   </soap11:Header>
   <soap11:Body>
      <saml2p:Response>...</saml2p:Response>
   </soap11:Body>
</soap11:Envelope>

Onegini IdP SAML response on failed authentication

After failed authentication Onegini IdP returns a saml2p:Response with a top-level StatusCode of urn:oasis:names:tc:SAML:2.0:status:Responder and a nested StatusCode of urn:oasis:names:tc:SAML:2.0:status:AuthnFailed (there is no "Error" status code in SAML; Responder indicates that the IdP could not process the request). An example:

<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
   <soap11:Header>
      <ecp:Response 
        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" 
        AssertionConsumerServiceURL="http://service-provider/saml/SSO" 
        soap11:actor="http://schemas.xmlsoap.org/soap/actor/next" 
        soap11:mustUnderstand="1" />
   </soap11:Header>
   <soap11:Body>
      <saml2p:Response>
         <saml2p:Status>
            <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
               <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" />
            </saml2p:StatusCode>
            <saml2p:StatusMessage>...</saml2p:StatusMessage>
         </saml2p:Status>
      </saml2p:Response>
   </soap11:Body>
</soap11:Envelope>
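The ECP-side half of the exchange in the diagram, as an added example that is not part of Onegini's documentation or product code. It builds the Basic header from the Authentication section, strips the Service Provider's PAOS request down to the SOAP request sent to the IdP, classifies the success and failure responses shown above, echoes the RelayState back to the SP, and refuses to forward a response whose AssertionConsumerServiceURL differs from the SP's responseConsumerURL. The service-provider URL, message IDs, RelayState value and all three IdP envelopes are constructed sample data; the paos:Request and ecp:RelayState header shapes follow the SAML ECP profile and are not taken from this page.

```python
"""ECP client side of the PAOS exchange (added example, not Onegini's code).
All URLs, IDs and messages below are constructed sample data so it runs offline."""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from dataclasses import dataclass

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
ACS = "https://service-provider/saml/SSO"  # assumed SP consumer URL (sample)

def basic_auth_header(username: str, password: str) -> str:
    """Authorization value sent to the IdP; only safe over TLS (base64 is not encryption)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode("ascii")

@dataclass
class SpPaosRequest:
    response_consumer_url: str   # where the SP wants the <Response> posted
    relay_state: str | None      # must be echoed back to the SP unchanged
    authn_request: str           # serialized <saml2p:AuthnRequest>

def parse_sp_paos_request(envelope: str) -> SpPaosRequest:
    """Step '<AuthnRequest> in PAOS request': keep what the ECP needs later."""
    root = ET.fromstring(envelope)
    paos_req = root.find(f"{{{SOAP}}}Header/{{{PAOS}}}Request")
    relay = root.find(f"{{{SOAP}}}Header/{{{ECP}}}RelayState")
    authn = root.find(f"{{{SOAP}}}Body/{{{SAMLP}}}AuthnRequest")
    if paos_req is None or authn is None:
        raise ValueError("not a PAOS/ECP AuthnRequest envelope")
    return SpPaosRequest(paos_req.get("responseConsumerURL"),
                         relay.text if relay is not None else None,
                         ET.tostring(authn, encoding="unicode"))

def build_idp_soap_request(req: SpPaosRequest) -> str:
    """Step '<AuthnRequest> in SOAP request': PAOS/ECP headers dropped, AuthnRequest alone in Body."""
    return (f'<soap11:Envelope xmlns:soap11="{SOAP}"><soap11:Body>'
            f"{req.authn_request}</soap11:Body></soap11:Envelope>")

@dataclass
class IdpResult:
    ok: bool
    status_codes: list[str]      # top-level code first, nested code (if any) second
    saml_response: str | None    # serialized <saml2p:Response> to forward, or None
    error: str | None

def process_idp_response(envelope: str, response_consumer_url: str) -> IdpResult:
    """Classify the IdP's SOAP response and decide whether it may be forwarded to the SP."""
    root = ET.fromstring(envelope)
    ecp_resp = root.find(f"{{{SOAP}}}Header/{{{ECP}}}Response")
    if ecp_resp is None:
        return IdpResult(False, [], None, "missing ecp:Response header")
    acs = ecp_resp.get("AssertionConsumerServiceURL")
    # ECP profile: IdP's AssertionConsumerServiceURL must equal the SP's responseConsumerURL.
    if acs != response_consumer_url:
        return IdpResult(False, [], None, f"ACS URL mismatch: {acs!r} != {response_consumer_url!r}")
    saml_resp = root.find(f"{{{SOAP}}}Body/{{{SAMLP}}}Response")
    if saml_resp is None:
        return IdpResult(False, [], None, "missing saml2p:Response in Body")
    codes = [sc.get("Value") for sc in saml_resp.iter(f"{{{SAMLP}}}StatusCode")]
    if codes[:1] != [SUCCESS]:
        return IdpResult(False, codes, None, "authentication failed")
    return IdpResult(True, codes, ET.tostring(saml_resp, encoding="unicode"), None)

def build_sp_paos_response(saml_response: str, relay_state: str | None) -> str:
    """Step '<Response> in PAOS response': POSTed to responseConsumerURL, RelayState echoed."""
    relay = (f'<ecp:RelayState xmlns:ecp="{ECP}" soap11:actor="{ACTOR}" '
             f'soap11:mustUnderstand="1">{relay_state}</ecp:RelayState>') if relay_state else ""
    return (f'<soap11:Envelope xmlns:soap11="{SOAP}"><soap11:Header>{relay}</soap11:Header>'
            f"<soap11:Body>{saml_response}</soap11:Body></soap11:Envelope>")

# Constructed sample SP PAOS request (shape per the SAML ECP profile, not from this page).
SP_PAOS_REQUEST = f"""<soap11:Envelope xmlns:soap11="{SOAP}"><soap11:Header>
  <paos:Request xmlns:paos="{PAOS}" service="{ECP}" responseConsumerURL="{ACS}" soap11:actor="{ACTOR}" soap11:mustUnderstand="1"/>
  <ecp:RelayState xmlns:ecp="{ECP}" soap11:actor="{ACTOR}" soap11:mustUnderstand="1">state-42</ecp:RelayState>
</soap11:Header><soap11:Body>
  <saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" ID="_req-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
      AssertionConsumerServiceURL="{ACS}"/>
</soap11:Body></soap11:Envelope>"""

def idp_envelope(acs_url: str, status_xml: str) -> str:
    """Constructed IdP SOAP response shaped like the page's examples (assertion/signature elided)."""
    return f"""<soap11:Envelope xmlns:soap11="{SOAP}"><soap11:Header>
  <ecp:Response xmlns:ecp="{ECP}" AssertionConsumerServiceURL="{acs_url}" soap11:actor="{ACTOR}" soap11:mustUnderstand="1"/>
</soap11:Header><soap11:Body>
  <saml2p:Response xmlns:saml2p="{SAMLP}" ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z" InResponseTo="_req-1">
    <saml2p:Status>{status_xml}</saml2p:Status>
  </saml2p:Response>
</soap11:Body></soap11:Envelope>"""

IDP_SUCCESS = idp_envelope(ACS, f'<saml2p:StatusCode Value="{SUCCESS}"/>')
IDP_AUTHN_FAILED = idp_envelope(ACS, (
    f'<saml2p:StatusCode Value="{RESPONDER}"><saml2p:StatusCode Value="{AUTHN_FAILED}"/></saml2p:StatusCode>'
    "<saml2p:StatusMessage>Invalid credentials</saml2p:StatusMessage>"))
# A response (from a misbehaving IdP or an on-path attacker) that points the client elsewhere.
IDP_WRONG_ACS = idp_envelope("https://attacker.example/saml/SSO", f'<saml2p:StatusCode Value="{SUCCESS}"/>')
```

A real client POSTs `build_idp_soap_request(req)` to the IdP with `Authorization: basic_auth_header(...)` and `Content-Type: text/xml`, then POSTs `build_sp_paos_response(...)` to `req.response_consumer_url` with `Content-Type: application/vnd.paos+xml`; only the ACS-URL comparison and status handling, not transport, are shown here. The signature on the IdP's Response is verified by the Service Provider, so the ECP client treats the SAML body as opaque apart from the status codes.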