ECP is a SOAP-based interaction with the IdP that supports non-browser application uses of SAML.

If your IdP relies on the Password login flow, the system automatically supports ECP via HTTP Basic authentication headers as long as the client provides the WWW-Authenticate header itself without being challenged. There's nothing you need to set up.

If your IdP supports the RemoteUser login flow via HTTP Basic authentication (not terribly likely, but possible), then you can extend the protection of your authentication setup to include the path to the ECP handler, at /idp/profile/SAML2/SOAP/ECP.

If not, then you will have to add additional configuration to your web server, Java container, etc. to protect this path. The most common mechanism for this will be HTTP Basic authentication, and most ECP clients would typically support that. Using client certificates is a possibility as well, but you would likely need control over the client to ensure support for that.

While it would be impractical to document how you would set up authentication because it is specific to your web server and your authentication source(s), one example that is demonstrated here would be JAAS. The IdP supports JAAS login modules to accomplish username-password authentication, and most Java containers can also be configured to use the same JAAS configuration.

The code snippets in this page assume you are using Jetty as the web server for the deployed IdP.

Password-based Authentication

If you are only using password-based authentication, there is really nothing further for you to configure. The instructions that are listed below are only useful if you are doing non-password based authentication.

Configuration

IdP

Modify your IdP's web.xml file to include the following change:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/Authn/RemoteUser</url-pattern>
        <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>**</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuth</realm-name>
</login-config>

Then, modify your IdP's idp.properties file to include the following change:

# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows=Password|RemoteUserInternal

Jetty

Modify your jetty.xml file to include the following change:

 <Call name="addBean">
      <Arg>
        <New class="org.eclipse.jetty.jaas.JAASLoginService">
          <Set name="name">ShibUserPassAuth</Set>
          <Set name="LoginModuleName">ShibUserPassAuth</Set>
        </New>
      </Arg>
 </Call>

Modify your IdP's deployment descriptor file, (i.e. idp.xml) to match the following:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <!-- Adjust the following per your deployment -->
  <Set name="war">/opt/shibboleth-idp/war/idp.war</Set>
  <Set name="contextPath">/idp</Set>
  <Set name="extractWAR">false</Set>
  <Set name="copyWebDir">false</Set>
  <Set name="copyWebInf">true</Set>
  <Get name="securityHandler">
   <Set name="realmName">ShibUserPassAuth</Set>
  </Get>
</Configure>

Then, create a jaas.ini file in the "start.d" directory of your JETTY_BASE to match the following:

--module=jaas
# Adjust the following path per your deployment
jaas.login.conf=../shibboleth-idp/conf/authn/jaas.config

Note that your jetty startup script MUST include the JAAS module, like the following:

$JRE_HOME/bin/java -jar jetty/start.jar --add-to-startd=https,deploy,annotations,jstl,logging,requestlog,ext,jaas

Related articles

Filter by label

There are no items with the selected labels at this time.