ECP Compatibility

dasubipar

Jul 11, 2018, 4:38:03 AM
to SimpleSAMLphp
What are you trying to do?

I am trying to configure my test environment to be compatible with ECP and make a comparison of the performance of this profile against the web browser sso.

What have you done?

Actual state:
  • IdP SimpleSAMLphp upgraded to 1.16.0-rc1 and ECP profile enabled ('saml20.ecp' => true,)
  • SP SimpleSAMLphp upgraded to 1.16.0-rc1

Is there anything you don't understand?

After reading the ECP documentation (https://simplesamlphp.org/docs/development/simplesamlphp-ecp-idp) I think that the ECP profile is not compatible with SP SimpleSAMLphp because it does not offer PAOS binding. Am I right? If yes, will it be added in the future to SimpleSAMLphp?

Any suggestions to deploy a light SP compatible with ECP in an ARM and be able to compare the performance of the two profiles mentioned above?

Cheers,
David.

Thijs Kinkhorst

Jul 11, 2018, 5:03:35 AM
to simple...@googlegroups.com
Hi David,

On 11-07-18 at 10:38, dasubipar wrote:
> After reading the ECP documentation
> (https://simplesamlphp.org/docs/development/simplesamlphp-ecp-idp) I
> think that the ECP profile is not compatible with SP simpleSAMLphp
> because it does not offer PAOS binding. Am I right? If yes,
> will it be added in the future to simpleSAMLphp?

SSP 1.16 will only support ECP in an IdP role, as is clearly described
in the documentation you reference.

If you're looking for SP role support, the answer is that it will be
added in the future when someone that has a need for it implements it.
Perhaps you can contribute a pull request to make it possible.

Cheers,
Thijs

Peter Schober

Jul 11, 2018, 5:08:28 AM
to SimpleSAMLphp
* dasubipar <dasu...@gmail.com> [2018-07-11 10:38]:
> I am trying to configure my test environment to be compatible with
> ECP and make a comparison of the performance of this profile against
> the web browser sso.

*Performance* differences of SAML SSO profiles? Seriously?!

An SSO flow contains TCP connections, TLS connections, xmldsig signing
and xmlenc encryption operations, and usually will also include
waiting for input from the subject: entering their credentials,
re-entering them if mistyped, possibly entering a second factor for
which they have to grab their mobile device and wait for some message
or generate some code, or reach for and insert that yubikey,
consenting to attribute release, and so on, so it seems to me the
performance of the protocol binding (SOAP or not) is completely
irrelevant in real life.
(You can measure anything, of course. It just may not mean much.)

And you want to test the performance of something you think isn't even
implemented in SimpleSAMLphp?
I don't know the status of ECP support in SimpleSAMLphp, but this all
sounds very weird...

-peter

David Subires

Jul 11, 2018, 3:50:58 PM
to SimpleSAMLphp
Hi Thijs,

On Wednesday, July 11, 2018, 6:03:35 (UTC-3), Thijs Kinkhorst wrote:
> Hi David,
>
> SSP 1.16 will only support ECP in an IdP role, as is clearly described
> in the documentation you reference.

Thanks for your answer. I imagined that but I wanted the opinion of someone with more experience than me in this environment.

> If you're looking for SP role support, the answer is that it will be
> added in the future when someone that has a need for it implements it.
> Perhaps you can contribute a pull request to make it possible.
>
> Cheers,
> Thijs

It really is a good idea and an interesting challenge.
A greeting.

David Subires

Jul 11, 2018, 4:22:46 PM
to SimpleSAMLphp
Hello Peter, where do you buy the coffee? It seems very energetic, I would like to try it.
The truth is that I do not have much experience with SAML or SSP, so I decided to ask here.
But it is also true that in the real use case of my test environment, the 'users' that consume the services are ARM devices using a special authSource without second factor or yubikey, so that process does not generate much delay.
Also, this environment has reduced bandwidth and devices with limited resources, so it may be interesting for me to compare different bindings and profiles, since that will result in the Java client application that is deployed on the devices needing more or fewer libraries, doing more or fewer redirections and consuming more or less CPU.

A greeting.

 