Federation Security Services GuideAuthenticate SAML 2.0 Users at the Service ProviderConfigure Single Sign-on at the SP › Enable the Enhanced Client or Proxy Profile

Previous Topic: Include an Allow/Create Attribute in Authentication Requests

Next Topic: Enable Single Logout

Enable the Enhanced Client or Proxy Profile

The Enhanced Client or Proxy Profile (ECP) is an application of the single sign-on profile. An ECP is a system entity that knows how to contact an Identity Provider and supports the Reverse SOAP binding, PAOS for the purpose of providing single sign-on for a user.

An enhanced client may be a browser or some other user agent that supports the ECP functionality. An enhanced proxy is an HTTP proxy, such as a Wireless Access Protocol proxy for a wireless device.

The ECP profile allows the Service Provider to make an authentication request without knowing the Identity Provider, and PAOS lets the Service Provider obtain the assertion through the ECP, which is always directly accessible, unlike the Identity Provider. The ECP acts as the intermediary between the Service Provider and the Identity Provider.

You might want to enable the ECP profile with single sign-on in the following situations:

The flow of the ECP profile is shown in the following illustration.

To enable the ECP profile

  1. Make sure the ECP request is directed to the AuthnRequest service. The following URL shows an example: 
    https://host:port/affwebservices/public/saml2authnrequest=
  2. Make sure that the headers in the ECP request include attributes required by the SAML 2.0 specification, such as the following: 
    Accept: text/html; application/vnd.paos+xml
PAOS: ver='urn:liberty:paos:2003-08' ; 
'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'
  3. Use the FSS Administrative UI to fill out the required single sign-on fields on the SSO tab.
  4. Select the Enhanced Client and Proxy Profile check box.
  5. Click OK.

Copyright © 2010 CA. All rights reserved. Email CA about this topic