

Enhanced Client or Proxy Profile Overview (SAML 2.0)

The Enhanced Client or Proxy (ECP) profile is a SAML 2.0 profile for single sign-on. An enhanced client is a browser or other user agent that supports the ECP functionality. An enhanced proxy is an HTTP proxy, such as a Wireless Application Protocol (WAP) gateway that acts for a wireless device.

The ECP profile enables single sign-on when the Identity Provider and Service Provider cannot communicate directly. The ECP acts as the intermediary, carrying the SAML messages between the Service Provider and the Identity Provider.

In addition to acting as an intermediary, the ECP profile is useful in the following situations:

You are responsible for obtaining or developing an ECP application. CA SiteMinder® does not supply one; it only processes ECP requests and responds to the ECP application as the SAML 2.0 profile requires.

The flow of the ECP profile is shown in the following illustration.

Graphic showing the flow of the Enhanced Client and Proxy Profile between the Identity Provider and Service Provider

In an ECP communication, a user requests access to an application, for example, from a mobile phone. The application resides at the Service Provider and the identity information for the user resides at the Identity Provider. The Service Provider and Identity Provider do not communicate directly.

The flow of the call is as follows:

  1. The ECP application sends the request for the resource to the Service Provider, advertising reverse SOAP (PAOS) support in the Accept and PAOS HTTP headers. The Service Provider cannot reach the Identity Provider directly.

    The ECP entity is always directly accessible, unlike the Identity Provider.

  2. The Service Provider sends a PAOS response back to the ECP application: a SOAP envelope whose body carries the AuthnRequest and whose header carries the responseConsumerURL at which the Service Provider expects the answer.
  3. The ECP application removes the PAOS-specific headers, selects the Identity Provider, and sends the AuthnRequest on to the Identity Provider in a SOAP request.
  4. The Identity Provider authenticates the user, processes the request, and returns a SOAP response to the ECP application. This response includes the signed SAML response containing the assertion, plus a header that names the Assertion Consumer Service URL the assertion is intended for.
  5. The ECP application checks that the Assertion Consumer Service URL from the Identity Provider matches the responseConsumerURL the Service Provider supplied, then passes the signed response back to the Service Provider in a PAOS response. If the two URLs differ, the ECP must send a SOAP fault to the Service Provider instead of the assertion, so that an assertion is never delivered to an endpoint the Service Provider did not ask for.

Single sign-on proceeds and the user gains access to the application.
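The five-step exchange above, played from the enhanced client's side, as an added example. This is my own Python, not SiteMinder code and not text from the SAML specification; the hostnames, the assertion consumer service path, both SOAP messages and the RelayState value are constructed for the example, and the Identity Provider's signature is omitted. It also shows the header check that the binding note in the configuration sections relies on: an SP tells an ECP request apart from a browser request by the Accept and PAOS headers.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs for SOAP 1.1, PAOS, the ECP profile and SAML 2.0.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"soap": SOAP, "paos": PAOS, "ecp": ECP, "samlp": SAMLP, "saml": SAML}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"
# Hypothetical SP assertion consumer service (constructed, not a real endpoint).
ACS_URL = "https://sp.example.com/affwebservices/public/saml2assertionconsumer"

# Step 1: the client requests the resource and advertises PAOS/ECP support.
# These two headers are what let the SP choose the PAOS binding.
ECP_HEADERS = {"Accept": "text/html; application/vnd.paos+xml",
               "PAOS": f'ver="{PAOS}";"{ECP}"'}

def wants_ecp(headers):
    """Binding detection as an SP does it: ECP only if both headers advertise PAOS."""
    return ("application/vnd.paos+xml" in headers.get("Accept", "")
            and ECP in headers.get("PAOS", ""))

# Step 2 (constructed message): the SP's PAOS response. paos:Request carries the
# responseConsumerURL the client must send the final answer to; the body is the AuthnRequest.
SP_PAOS_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:paos="{PAOS}" xmlns:ecp="{ECP}">
  <soap:Header>
    <paos:Request soap:mustUnderstand="1" soap:actor="{ACTOR}" service="{ECP}"
        responseConsumerURL="{ACS_URL}"/>
    <ecp:Request soap:mustUnderstand="1" soap:actor="{ACTOR}">
      <saml:Issuer xmlns:saml="{SAML}">https://sp.example.com</saml:Issuer>
    </ecp:Request>
    <ecp:RelayState soap:mustUnderstand="1" soap:actor="{ACTOR}">app1</ecp:RelayState>
  </soap:Header>
  <soap:Body>
    <samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0"
        IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="{ACS_URL}"/>
  </soap:Body>
</soap:Envelope>"""

def to_idp(sp_envelope):
    """Step 3: drop the PAOS/ECP headers, forward only the AuthnRequest to the IdP.
    Returns (idp_request, response_consumer_url, relay_state); the client keeps the last two."""
    root = ET.fromstring(sp_envelope)
    header = root.find("soap:Header", NS)
    rc_url = header.find("paos:Request", NS).get("responseConsumerURL")
    relay = header.find("ecp:RelayState", NS)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(root.find("soap:Body/samlp:AuthnRequest", NS))
    return ET.tostring(env, encoding="unicode"), rc_url, (relay.text if relay is not None else None)

def idp_response(acs_url):
    """Step 4 (constructed message): the IdP's SOAP response. ecp:Response names the ACS
    URL the assertion was issued for. The ds:Signature of a real response is omitted."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:ecp="{ECP}">
  <soap:Header>
    <ecp:Response soap:mustUnderstand="1" soap:actor="{ACTOR}" AssertionConsumerServiceURL="{acs_url}"/>
  </soap:Header>
  <soap:Body>
    <samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" InResponseTo="_req1"
        IssueInstant="2024-01-01T00:00:01Z" Destination="{acs_url}">
      <saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">
        <saml:Issuer>https://idp.example.com</saml:Issuer>
      </saml:Assertion>
    </samlp:Response>
  </soap:Body>
</soap:Envelope>"""

def to_sp(idp_envelope, response_consumer_url, relay_state):
    """Step 5: rewrap the IdP's Response as a PAOS response for the SP. Returns (ok, envelope).
    The profile requires the ACS URL from the IdP to equal the SP's responseConsumerURL;
    on mismatch the client sends a SOAP fault and never the assertion."""
    root = ET.fromstring(idp_envelope)
    acs_url = root.find("soap:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    if acs_url != response_consumer_url:
        fault = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SOAP}}}Fault")
        ET.SubElement(fault, "faultcode").text = "soap:Server"
        ET.SubElement(fault, "faultstring").text = "ecp:Response ACS URL differs from responseConsumerURL"
        return False, ET.tostring(env, encoding="unicode")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    if relay_state is not None:  # echo the SP's RelayState back unchanged
        ET.SubElement(header, f"{{{ECP}}}RelayState",
                      {f"{{{SOAP}}}mustUnderstand": "1", f"{{{SOAP}}}actor": ACTOR}).text = relay_state
    ET.SubElement(env, f"{{{SOAP}}}Body").append(root.find("soap:Body/samlp:Response", NS))
    return True, ET.tostring(env, encoding="unicode")

if __name__ == "__main__":
    idp_req, rc_url, relay = to_idp(SP_PAOS_RESPONSE)
    print("delivered:", to_sp(idp_response(ACS_URL), rc_url, relay)[0])
    print("delivered on mismatch:", to_sp(idp_response("https://other.example.net/acs"), rc_url, relay)[0])
```

The value the client must carry from step 2 to step 5 is the responseConsumerURL; the check in to_sp is the only thing that stops a response meant for one endpoint from being handed to another, so an ECP implementation that skips it undermines the profile regardless of how the Identity Provider and Service Provider are configured.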

Configure ECP at the Identity Provider

To configure ECP, enable the feature at the Identity Provider and the Service Provider. The following procedure is for a CA SiteMinder® Identity Provider.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select the local Identity Provider partnership that you want to modify.
  3. Navigate to the SSO and SLO step in the partnership wizard.
  4. In the SSO section, select the Enable Enhanced Client or Proxy Profile check box.
  5. Navigate to the Confirm step and click Finish to save changes.

The Identity Provider can now process ECP calls.

Note: A single Service Provider object can handle artifact, POST, SOAP, and PAOS bindings for single sign-on requests. SOAP and PAOS are the bindings for the ECP profile. The Identity Provider and Service Provider determine the binding being used from the parameters in a request; for ECP, the client signals PAOS support with the Accept and PAOS HTTP headers.

Configure ECP at the Service Provider

To configure ECP, you must enable the feature at the Identity Provider and the Service Provider. The following procedure is for a Service Provider.

Follow these steps:

  1. Direct the requests for a protected resource to the AuthnRequest service at the Service Provider. The following URL shows an example:

    https://host:port/affwebservices/public/saml2authnrequest

  2. Log in to the Administrative UI.
  3. Modify the relevant local Service Provider partnership.
  4. Navigate to the SSO and SLO step in the partnership wizard.
  5. In the SSO section, select the Enable Enhanced Client or Proxy Profile check box.
  6. Navigate to the Confirm step and click Finish to save the change.

The Service Provider can now process ECP calls.