The ECP profile is a SOAP-based interaction with the IdP that supports non-browser application uses of SAML.
...
Assuming that's possible, you can modify the IdP's deployment descriptor to enable container-managed authentication for the ECP endpoint. The best way to do this is to copy web.xml from src/main/webapp/WEB-INF/web.xml into /opt/shibboleth-idp/conf/web.xml (or wherever your installation lives) and then modify it to include something like this:
```xml
<security-constraint>
    <display-name>Shibboleth IdP</display-name>
    <web-resource-collection>
        <web-resource-name>ECP</web-resource-name>
        <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuth</realm-name>
</login-config>

<!-- Depending on the version of Tomcat in use, you may also need this:
     a list of security roles referenced by this web application -->
<security-role>
    <description>The role that is required to access the ECP area</description>
    <role-name>*</role-name>
</security-role>
```
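Because a deployment descriptor fails quietly (a mistyped `url-pattern`, a missing `auth-constraint` or a `transport-guarantee` of `NONE` simply leaves the endpoint open), it is worth checking the edited web.xml before restarting the container. The following is an added example, not code from the Shibboleth project: a small lint, written here, that parses a web.xml, finds every `security-constraint` whose `url-pattern` matches the ECP path under servlet matching rules, and reports whether it demands authentication, requires TLS, and which HTTP methods it covers (an explicit `http-method` list restricts the constraint to those methods only). The function names, the `GOOD_WEB_XML` sample (the page's fragment wrapped in a `web-app` root with the usual Java EE namespace) and the `WEAK_WEB_XML` variant are all constructed for this example.

```python
"""Added example: lint the ECP security-constraint in a Shibboleth IdP web.xml."""
import xml.etree.ElementTree as ET

ECP_PATH = "/profile/SAML2/SOAP/ECP"

# Constructed sample: the fragment from the page, wrapped in a namespaced web-app root.
GOOD_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Shibboleth IdP</display-name>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name>
      <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>ShibUserPassAuth</realm-name></login-config>
</web-app>"""

# Constructed weak variant: the path is matched, but no login is demanded and TLS is not required.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ECP</web-resource-name>
      <url-pattern>/profile/SAML2/SOAP/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """All descendants (including elem itself) whose local name is `name`."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def url_pattern_matches(pattern, path):
    """Servlet-spec style matching: exact, '/prefix/*', '*.ext', or the default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def check_ecp_protection(web_xml_text, ecp_path=ECP_PATH):
    """Summarise how (and whether) web.xml protects the ECP endpoint."""
    root = ET.fromstring(web_xml_text)
    findings = {"constrained": False, "auth_required": False, "roles": [],
                "confidential": False, "methods": [], "basic_auth": False}
    for sc in _find_all(root, "security-constraint"):
        patterns = [p.text.strip() for p in _find_all(sc, "url-pattern") if p.text]
        if not any(url_pattern_matches(p, ecp_path) for p in patterns):
            continue
        findings["constrained"] = True
        # An auth-constraint element (even with role '*') means a login is required.
        if _find_all(sc, "auth-constraint"):
            findings["auth_required"] = True
        findings["roles"] += [r.text.strip() for r in _find_all(sc, "role-name") if r.text]
        # An explicit http-method list limits the constraint to those methods; empty means all.
        findings["methods"] += [m.text.strip() for m in _find_all(sc, "http-method") if m.text]
        for tg in _find_all(sc, "transport-guarantee"):
            if (tg.text or "").strip() == "CONFIDENTIAL":
                findings["confidential"] = True
    for am in _find_all(root, "auth-method"):
        if (am.text or "").strip() == "BASIC":
            findings["basic_auth"] = True
    return findings


def ecp_problems(web_xml_text, ecp_path=ECP_PATH):
    """Human-readable list of gaps; an empty list means the ECP endpoint looks protected."""
    f = check_ecp_protection(web_xml_text, ecp_path)
    problems = []
    if not f["constrained"]:
        problems.append("no security-constraint covers " + ecp_path)
    elif not f["auth_required"]:
        problems.append("matching constraint has no auth-constraint; endpoint is reachable unauthenticated")
    if not f["confidential"]:
        problems.append("transport-guarantee is not CONFIDENTIAL; credentials could be sent in the clear")
    if not f["basic_auth"]:
        problems.append("login-config does not select BASIC authentication")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_WEB_XML), ("weak", WEAK_WEB_XML)):
        print(label, check_ecp_protection(doc), ecp_problems(doc) or "OK")
```

To run it against a real deployment, read `/opt/shibboleth-idp/conf/web.xml` (or wherever the copy lives) into a string and pass it to `ecp_problems`; the method list in the findings is the thing to eyeball, since a constraint that names only GET and POST leaves other verbs outside container authentication.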
...