The ECP profile is a SOAP-based interaction with the IdP that supports non-browser application uses of SAML.

...

Assuming that's possible, you can modify the IdP's deployment descriptor to enable container-managed authentication for the ECP endpoint. The best way to do this is to copy web.xml from src/main/webapp/WEB-INF/web.xml into /opt/shibboleth-idp/conf/web.xml (or wherever your installation lives) and then modify it to include something like this:

Excerpt from an extended web.xml:

    <security-constraint>
        <display-name>Shibboleth IdP</display-name>
        <web-resource-collection>
            <web-resource-name>ECP</web-resource-name>
            <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ShibUserPassAuth</realm-name>
    </login-config>

    <!-- Depending on the version of Tomcat in use, you may also need this: a list of security roles referenced by this web application -->
    <security-role>
        <description>The role that is required to access the ECP area</description>
        <role-name>*</role-name>
    </security-role>
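As an added check (not part of the Shibboleth documentation or code), the following Python reads a deployment descriptor and reports whether the ECP path is covered by a security-constraint that requires a role, demands CONFIDENTIAL transport, and pairs with a BASIC login-config; the embedded web.xml is a constructed sample mirroring the excerpt above.

```python
import xml.etree.ElementTree as ET

ECP_PATH = "/profile/SAML2/SOAP/ECP"

def _local(tag):
    # Drop the namespace prefix so Servlet 2.5 and 3.x descriptors both work
    return tag.rsplit("}", 1)[-1]
def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]
def _text(elem, name):
    found = _kids(elem, name)
    return found[0].text.strip() if found and found[0].text else None

def check_ecp_constraint(web_xml):
    """Report which of the three protections described above are present."""
    root = ET.fromstring(web_xml)
    result = {"ecp_constrained": False, "auth_required": False,
              "tls_required": False, "basic_auth": False}
    for sc in _kids(root, "security-constraint"):
        patterns = [p.text.strip() for wrc in _kids(sc, "web-resource-collection")
                    for p in _kids(wrc, "url-pattern") if p.text]
        if ECP_PATH not in patterns:
            continue
        result["ecp_constrained"] = True
        # Any role in <auth-constraint> ("*" on the page) forbids anonymous access
        if any(_kids(ac, "role-name") for ac in _kids(sc, "auth-constraint")):
            result["auth_required"] = True
        if any(_text(udc, "transport-guarantee") == "CONFIDENTIAL"
               for udc in _kids(sc, "user-data-constraint")):
            result["tls_required"] = True
    for lc in _kids(root, "login-config"):
        if _text(lc, "auth-method") == "BASIC":
            result["basic_auth"] = True
    return result

def ecp_is_protected(web_xml):
    return all(check_ecp_constraint(web_xml).values())

# Constructed sample descriptor mirroring the page's excerpt (namespace added)
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name><url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>ShibUserPassAuth</realm-name></login-config>
</web-app>"""
```

Running `check_ecp_constraint` over the real /opt/shibboleth-idp/conf/web.xml after editing it shows at a glance whether any of the three pieces was left out.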

...