The ECP profile is a SOAP-based interaction with the IdP that supports non-browser application uses of SAML.

If your IdP relies on the Password login flow, the system automatically supports ECP via HTTP Basic authentication headers as long as the client provides the WWW-Authenticate header itself without being challenged. There's nothing you need to set up.

If your IdP uses the RemoteUser login flow with HTTP Basic authentication (not terribly likely, but possible), then you can extend the protection of your authentication setup to include the path to the ECP handler, which is at /idp/profile/SAML2/SOAP/ECP.

If not, then you will have to add additional configuration to your web server, Java container, etc. to protect this path. The most common mechanism for this will be HTTP Basic authentication, and most ECP clients would typically support that. Using client certificates is certainly a possibility as well, but you would likely need control over the client to ensure support for that.
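
One way to protect the ECP path with HTTP Basic authentication on an Apache httpd front end, shown as an added example that is not part of the original documentation. It assumes Apache 2.4 with mod_ssl, mod_auth_basic and mod_authnz_ldap loaded; the LDAP host, base DN, bind account and password are placeholders.

```apache
# Added example: protect only the ECP SOAP endpoint with HTTP Basic authentication.
# Assumes Apache httpd 2.4 with mod_ssl, mod_auth_basic and mod_authnz_ldap.
# Every ldap.example.org / dc=example,dc=org value below is a placeholder.
<Location "/idp/profile/SAML2/SOAP/ECP">
    # Basic credentials are only base64-encoded, so refuse requests without TLS.
    SSLRequireSSL

    AuthType Basic
    AuthName "IdP ECP"
    AuthBasicProvider ldap

    # Look users up by uid beneath the people branch (placeholder directory).
    AuthLDAPURL "ldaps://ldap.example.org/ou=people,dc=example,dc=org?uid?sub"
    AuthLDAPBindDN "cn=idp-ecp,ou=services,dc=example,dc=org"
    # Placeholder secret; keep this file readable only by the server's admin account.
    AuthLDAPBindPassword "CHANGE_ME"

    # Any user who authenticates successfully reaches the ECP handler;
    # Apache sets REMOTE_USER to the authenticated name for that request.
    Require valid-user
</Location>
```

Scoping the block to the ECP handler path leaves the browser-facing login endpoints under their existing protection.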

...