[wsf-dev] ECP test harness
Scott Cantor
cantor.2 at osu.edu
Thu Mar 13 16:21:30 PDT 2008
> Are you saying ECP enabled IdP is infeasible until those prerequisites
> are met?
I was saying that it's non-interoperable. Since you seemed surprised by
that, I actually looked at the conformance doc, and I have to assume you're
referring to section 3.5.
To be honest, that section originally never had anything to do with ECP, so
that would probably explain why I never noticed the possible connection
before. It makes sense, and the candidate approaches are the likely ones,
but that was really about server-side communication and I just never noticed
the language was so broad before.
(This is good. If I'm going to be wrong, and the spec is going to be
somewhat misinterpreted, this is a nice spot for it.)
> I beg to disagree: all SAML 2.0 certified IdPs already have the
> support. The authentication part is unspecified by SAML 2.0, but
> certainly straightforward doable.
Unless it's using section 3.5 (which I can see would be the logical choice,
notwithstanding that isn't what it originally meant), I have no idea what's
being used to certify them.
We haven't implemented anything because we haven't developed the use cases
such that we know what the appropriate mechanisms would be. We're not aiming
at conformance, but usability. TLS is a non-starter. Basic-auth is probably
somewhat workable given that it's a fat client (to address phishing), and
you can tunnel multi-factor inside that.
That's about as far as the thought process went, and given that no clients
of any consequence existed, it just hasn't been important to us in the past.
-- Scott