The ECP profile is a SOAP-based interaction with the IdP that supports non-browser application uses of SAML.
...
Assuming that's possible, you can modify the IdP's deployment descriptor to enable container-managed authentication for the ECP endpoint. The best way to do this is to copy web.xml from src/main/webapp/WEB-INF/web.xml into /opt/shibboleth-idp/conf/web.xml (or wherever your installation lives) and then modify it to include something like this:
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<security-constraint>
<display-name>Shibboleth IdP</display-name>
<web-resource-collection>
<web-resource-name>ECP</web-resource-name>
<url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ShibUserPassAuth</realm-name>
</login-config>
<!-- Depending on the version of tomcat in use, you may also need this - a list of security roles referenced by this web application -->
<security-role>
<description>The role that is required to access the ECP area</description>
<role-name>*</role-name>
</security-role> |
...