

Enhanced Client or Proxy Profile Overview (SAML 2.0)

The Enhanced Client or Proxy Profile (ECP) is a SAML 2.0 profile for single sign-on from user agents that are not ordinary browsers. An enhanced client is a browser or other user agent that implements the ECP functionality (it can speak SOAP and knows which Identity Provider to contact). An enhanced proxy is an HTTP proxy, such as a Wireless Application Protocol (WAP) gateway that acts on behalf of a wireless device.

The ECP profile enables single sign-on when the Identity Provider and Service Provider cannot communicate directly, for example because the client cannot follow the HTTP redirects and HTML forms that the browser-based SSO profiles rely on, or because the Identity Provider is not reachable from the Service Provider's network. The ECP acts as the intermediary between the Service Provider and the Identity Provider and carries the SAML messages between them.

In addition to acting as an intermediary, the ECP profile is useful in the following situations:

You are responsible for obtaining or developing an ECP application. SiteMinder only processes the ECP requests it receives and responds to the ECP application as the SAML 2.0 ECP profile requires.

The flow of the ECP profile is shown in the following illustration.

[Figure: flow of the Enhanced Client or Proxy Profile between the Identity Provider and Service Provider]

In an ECP communication, a user requests access to an application, for example, from a mobile phone. The application resides at the Service Provider and the identity information for the user resides at the Identity Provider. The Service Provider and Identity Provider do not communicate directly.

The flow of the call is as follows:

  1. The ECP application requests the protected resource from the Service Provider with an HTTP request that announces PAOS (reverse SOAP) support: an Accept header that includes application/vnd.paos+xml and a PAOS header naming the ECP service. The Service Provider has no direct access to the Identity Provider.

    Unlike the Identity Provider, the ECP entity is always directly reachable by both the Service Provider and the Identity Provider.

  2. The Service Provider sends an AuthnRequest back to the ECP application as a PAOS response: a SOAP envelope whose body holds the AuthnRequest and whose header blocks carry the responseConsumerURL to which the Service Provider expects the response to be delivered.
  3. The ECP application removes the PAOS and ECP header blocks and sends the AuthnRequest, in a new SOAP envelope, to the Identity Provider's ECP endpoint. The AuthnRequest itself is forwarded unchanged, because the Service Provider may have signed it. The Identity Provider authenticates the user at this point, for example with HTTP Basic authentication or a TLS client certificate.
  4. The Identity Provider processes the request and returns a SOAP response to the ECP application. The body of this response holds the signed SAML response, which includes the assertion; an ecp:Response header block names the AssertionConsumerServiceURL the assertion is intended for.
  5. The ECP application compares that AssertionConsumerServiceURL with the responseConsumerURL it received in step 2. If they differ, it must not deliver the response and returns a SOAP fault to the Service Provider instead. If they match, it delivers the Identity Provider's signed response to the Service Provider in a PAOS response posted to the responseConsumerURL.

Single sign-on proceeds and the user gains access to the application.
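The ECP side of the exchange above, as an added worked example that is not part of the original page and not SiteMinder code. It uses Python's standard library xml.etree with constructed PAOS and SOAP messages for a hypothetical sp.example.com and idp.example.com; the element and attribute names (paos:Request, responseConsumerURL, ecp:Response, AssertionConsumerServiceURL, ecp:RelayState) are those of the SAML 2.0 ECP profile, while the sample URLs, IDs, user name and the omitted XML signature are assumptions. It also carries out the check the profile requires before the response is handed to the Service Provider: the AssertionConsumerServiceURL returned by the Identity Provider must equal the responseConsumerURL the Service Provider asked for.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the SAML 2.0 ECP profile (SOAP 1.1, PAOS, ECP, SAML protocol and assertion).
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
MU = {f"{{{NS['S']}}}mustUnderstand": "1", f"{{{NS['S']}}}actor": SOAP_NEXT}

# Step 1: HTTP headers the ECP adds to its GET of the protected resource; they tell the
# Service Provider to answer with a PAOS-carried AuthnRequest instead of an HTML login form.
PAOS_REQUEST_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed sample messages for hypothetical sp.example.com / idp.example.com. A real
# samlp:Response or saml:Assertion carries the IdP's XML signature; it is omitted here.
SP_PAOS_RESPONSE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}" xmlns:ecp="{NS['ecp']}"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <S:Header>
  <paos:Request S:mustUnderstand="1" S:actor="{SOAP_NEXT}" service="{NS['ecp']}"
   responseConsumerURL="https://sp.example.com/saml2/ecp"/>
  <ecp:Request S:mustUnderstand="1" S:actor="{SOAP_NEXT}" ProviderName="Example SP">
   <saml:Issuer>https://sp.example.com</saml:Issuer></ecp:Request>
  <ecp:RelayState S:mustUnderstand="1" S:actor="{SOAP_NEXT}">/app/dashboard</ecp:RelayState>
 </S:Header>
 <S:Body>
  <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
   ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
   AssertionConsumerServiceURL="https://sp.example.com/saml2/ecp">
   <saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>
 </S:Body></S:Envelope>"""
IDP_SOAP_RESPONSE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:ecp="{NS['ecp']}"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <S:Header>
  <ecp:Response S:mustUnderstand="1" S:actor="{SOAP_NEXT}"
   AssertionConsumerServiceURL="https://sp.example.com/saml2/ecp"/>
 </S:Header>
 <S:Body>
  <samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z"
   Destination="https://sp.example.com/saml2/ecp">
   <saml:Issuer>https://idp.example.com</saml:Issuer>
   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
   <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
   </saml:Assertion></samlp:Response>
 </S:Body></S:Envelope>"""

class ECPError(Exception):
    """A message violates the profile; the ECP stops and must not forward anything."""

def parse_sp_paos_response(xml_text):
    """Step 2: extract responseConsumerURL, the AuthnRequest and any RelayState from the SP's PAOS response."""
    env = ET.fromstring(xml_text)
    paos_req = env.find("S:Header/paos:Request", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ECPError("SP response is not a PAOS/ECP request")
    relay = env.find("S:Header/ecp:RelayState", NS)
    return paos_req.get("responseConsumerURL"), authn, (relay.text if relay is not None else None)

def build_idp_request(authn_request):
    """Step 3: drop the PAOS/ECP header blocks; the AuthnRequest itself (possibly SP-signed) goes out unmodified."""
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    ET.SubElement(env, f"{{{NS['S']}}}Body").append(authn_request)
    return ET.tostring(env, encoding="unicode")

def parse_idp_response(xml_text):
    """Step 4: split the IdP's SOAP response into the ecp:Response header and the signed samlp:Response."""
    env = ET.fromstring(xml_text)
    ecp_resp = env.find("S:Header/ecp:Response", NS)
    saml_resp = env.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise ECPError("IdP response lacks ecp:Response header or samlp:Response body")
    return ecp_resp.get("AssertionConsumerServiceURL"), saml_resp

def build_sp_paos_response(saml_response, relay_state):
    """Step 5: wrap the IdP-signed Response in a PAOS response for the SP, echoing RelayState if present."""
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    header = ET.SubElement(env, f"{{{NS['S']}}}Header")
    ET.SubElement(header, f"{{{NS['paos']}}}Response", MU)
    if relay_state is not None:
        ET.SubElement(header, f"{{{NS['ecp']}}}RelayState", MU).text = relay_state
    ET.SubElement(env, f"{{{NS['S']}}}Body").append(saml_response)
    return ET.tostring(env, encoding="unicode")

def run_ecp_flow(sp_paos_xml, idp_soap_xml):
    """ECP side of steps 2-5; returns (URL to POST to, PAOS response body) or raises ECPError."""
    rc_url, authn, relay = parse_sp_paos_response(sp_paos_xml)
    idp_request = build_idp_request(authn)  # a real client POSTs this to the IdP's ECP SOAP endpoint
    acs_url, saml_resp = parse_idp_response(idp_soap_xml)
    # Mandatory check: the IdP's AssertionConsumerServiceURL must equal the SP's responseConsumerURL;
    # otherwise the ECP must not deliver the response and returns a SOAP fault to the SP instead.
    if acs_url != rc_url:
        raise ECPError(f"ACS URL mismatch: SP asked for {rc_url}, IdP answered for {acs_url}")
    return rc_url, build_sp_paos_response(saml_resp, relay)
```

The HTTP transport is left out: in a real client the step 1 request carries PAOS_REQUEST_HEADERS, the step 3 envelope is POSTed to the Identity Provider's ECP endpoint together with the user's credentials (HTTP Basic over TLS or a client certificate are the usual choices), and the step 5 body is POSTed to the returned URL with Content-Type application/vnd.paos+xml. The ECP does not verify the XML signature; the Service Provider does. The URL comparison is therefore the ECP's one security-critical decision, because it prevents a response meant for one consumer URL from being delivered to another.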