

Enhanced Client or Proxy Profile (ECP)

The Enhanced Client or Proxy Profile (ECP) is an application of the SAML 2.0 single sign-on profile. An enhanced client can be a browser or some other user agent that supports the ECP functionality. An enhanced proxy is an HTTP proxy, such as a Wireless Access Protocol proxy for a wireless device.

An enhanced client or proxy is a system entity that knows how to contact an Identity Provider and supports the Reverse SOAP binding, PAOS. The ECP acts as the intermediary between the Service Provider and the Identity Provider.

The ECP profile allows the Service Provider to make an authentication request without knowing the Identity Provider. PAOS lets the relying party obtain the assertion through the ECP, which is always directly accessible.

You can enable the ECP profile with single sign-on in the following situations:

The flow of the ECP profile is shown in the following figure:

The graphic shows the enhanced client and proxy profile flow

To enable the ECP profile

  1. Verify that the ECP request is directed to the AuthnRequest service at the Service Provider. The following URL shows an example:

    https://host:port/affwebservices/public/saml2authnrequest

  2. Verify that the headers in the ECP request include attributes that the SAML 2.0 specification requires. The following attributes are examples:

    Accept: text/html; application/vnd.paos+xml

    PAOS: ver='urn:liberty:paos:2003-08';'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'

  3. Use the user interface to configure single sign-on.
  4. Select the Enable Enhanced Client and Proxy Profile check box as part of the single sign-on configuration.
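
The checks in steps 1 and 2 can be scripted against a captured request. The following Python is an added example, not code from the product or its documentation; the function name `check_ecp_request` and the sample host are assumptions. It goes slightly beyond the header forms shown above by also accepting double-quoted PAOS values and a comma-separated Accept list.

```python
import re
from urllib.parse import urlsplit

PAOS_VERSION = "urn:liberty:paos:2003-08"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
AUTHN_PATH = "/affwebservices/public/saml2authnrequest"  # path from step 1


def check_ecp_request(url, headers):
    """Return a list of problems; an empty list means steps 1 and 2 pass."""
    problems = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # Step 1: the request must target the AuthnRequest service.
    if urlsplit(url).path.rstrip("/") != AUTHN_PATH:
        problems.append("request is not directed to the AuthnRequest service")

    # Step 2, Accept: the page separates media types with ';', many clients use ','.
    accept = hdrs.get("accept", "")
    media_types = {t.strip().lower() for t in re.split(r"[;,]", accept)}
    if PAOS_MEDIA_TYPE not in media_types:
        problems.append("Accept does not list " + PAOS_MEDIA_TYPE)

    # Step 2, PAOS: ver='<version>';'<service>' with single or double quotes.
    paos = hdrs.get("paos")
    if paos is None:
        problems.append("PAOS header is missing")
        return problems
    ver = re.search(r"""\bver\s*=\s*(['"])(.*?)\1""", paos)
    if not ver or ver.group(2) != PAOS_VERSION:
        problems.append("PAOS version is not " + PAOS_VERSION)
    rest = paos[ver.end():] if ver else paos
    services = [m.group(2) for m in re.finditer(r"""(['"])(.*?)\1""", rest)]
    if ECP_SERVICE not in services:
        problems.append("PAOS header does not name the ECP service")
    return problems


# Constructed sample request (host and port are placeholders).
SAMPLE_URL = "https://sp.example.com:443" + AUTHN_PATH
SAMPLE_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": "ver='urn:liberty:paos:2003-08';'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'",
}

if __name__ == "__main__":
    print(check_ecp_request(SAMPLE_URL, SAMPLE_HEADERS) or "ECP request passes")
```
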