This profile configuration enables and configures the SAML 2 ECP profile. This feature is available in V2.3.0 and later.
This is part of, but not the entire, configuration needed with ECP support. For a more general overview/example, see the IdPEnableECP topic.
This profile is configured by adding the <ProfileConfiguration xsi:type="saml:SAML2ECPProfile"/> element to a <RelyingParty> definition.
<ProfileConfiguration xsi:type="saml:SAML2ECPProfile" />
<ProfileConfiguration xsi:type="saml:SAML2ECPProfile" signAssertions="always" includeAttributeStatement="true"/>
In order to identify the user, the web server or Servlet container must expose the user's principal name via the REMOTE_USER header. This is normally done by protecting the ECP endpoint (/SAML2/SOAP/ECP by default) via HTTP BASIC authentication.
In addition, older versions of the IdP do not have the necessary declarations in the handler.xml file to support the profile endpoint for this feature. To fix this, you will need to add in the changes that have occurred between your version of handler.xml and the newer default version. The XML involved is embedded below.
<ProfileHandler xsi:type="SAML2ECP" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"> <RequestPath>/SAML2/SOAP/ECP</RequestPath> </ProfileHandler>
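As an added example (not from the Shibboleth wiki or the IdP code), the following Python check parses constructed relying-party.xml and handler.xml fragments in the shapes shown above, lists every SAML2ECPProfile with its signAssertions setting, and confirms that a SAML2ECP ProfileHandler serves the endpoint. It treats anything other than signAssertions="always" (the value in the second example above) as a finding; that threshold, the namespace URIs and the sample entity IDs are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RP_NS = "urn:mace:shibboleth:2.0:relying-party"        # assumed IdP v2 namespaces
PH_NS = "urn:mace:shibboleth:2.0:idp:profile-handler"

# Constructed fragments shaped like IdP v2 relying-party.xml and handler.xml (not real deployment files).
RELYING_PARTY_XML = """<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:DefaultRelyingParty provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile"/>
  </rp:DefaultRelyingParty>
  <rp:RelyingParty id="https://sp.example.org/shibboleth" provider="https://idp.example.org/idp/shibboleth">
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" signAssertions="always" includeAttributeStatement="true"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>"""
HANDLER_XML = """<ProfileHandlerGroup xmlns="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ProfileHandler xsi:type="SAML2ECP" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
    <RequestPath>/SAML2/SOAP/ECP</RequestPath>
  </ProfileHandler>
</ProfileHandlerGroup>"""

def _is_type(elem, local_name):
    # xsi:type carries a prefix in relying-party.xml ("saml:SAML2ECPProfile") but none in handler.xml.
    return elem.get(XSI_TYPE, "").split(":")[-1] == local_name

def ecp_profiles(relying_party_xml):
    """Every SAML2ECPProfile in relying-party.xml as (owning relying party, signAssertions value)."""
    found = []
    for party in ET.fromstring(relying_party_xml):
        owner = party.get("id", party.tag.split("}")[-1])  # DefaultRelyingParty has no id
        for pc in party.findall(f"{{{RP_NS}}}ProfileConfiguration"):
            if _is_type(pc, "SAML2ECPProfile"):
                found.append((owner, pc.get("signAssertions")))
    return found

def ecp_handler_paths(handler_xml):
    """RequestPath of every SAML2ECP ProfileHandler (empty when an older handler.xml lacks it)."""
    return [rp.text.strip() for ph in ET.fromstring(handler_xml).findall(f"{{{PH_NS}}}ProfileHandler")
            if _is_type(ph, "SAML2ECP") for rp in ph.findall(f"{{{PH_NS}}}RequestPath")]

def findings(relying_party_xml, handler_xml):
    """ECP profiles not set to sign assertions unconditionally, plus a missing ECP handler endpoint."""
    out = [f'{owner}: SAML2ECPProfile signAssertions={sign!r}, expected "always"'
           for owner, sign in ecp_profiles(relying_party_xml) if sign != "always"]
    if ecp_profiles(relying_party_xml) and not ecp_handler_paths(handler_xml):
        out.append("handler.xml: no SAML2ECP ProfileHandler, so /SAML2/SOAP/ECP is not served")
    return out
```

Run findings() against your own files to see which relying parties enable ECP without unconditional assertion signing and whether an older handler.xml still lacks the endpoint.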
The SAML2 ECP profile configuration supports the following advanced configuration attributes:
- the Count attribute in the assertion's <ProxyRestriction> element, defaults to 0
- whether to include the NotBefore timestamp in the assertion's validity conditions, defaults to true
In addition, the SAML 2 ECP profile configuration element supports two child elements.
- <Audience>, whose content is used to populate the <Audience> elements of the <AudienceRestriction> element. This element may appear any number of times, one for each audience.
- <ProxyAudience>, whose content is used to populate the <Audience> elements of the <ProxyRestriction> condition element. This element may appear any number of times, one for each audience.
Because this profile requires server/container configuration above and beyond the normal IdP install process, the install-time metadata generator will generate metadata with the ECP endpoint commented out. If you are using this profile, you may want to include that endpoint in the production metadata you supply to federations or SPs, although in practice it is only useful if the ECP client code being used happens to support metadata in some way.