ECP is a SOAP-based interaction with the IdP that supports non-browser application uses of SAML.

If your IdP relies on the Password login flow, the system automatically supports ECP via HTTP Basic authentication headers as long as the client provides the WWW-Authenticate header itself without being challenged. There's nothing you need to set up.

If your IdP supports the RemoteUser login flow via HTTP Basic authentication (not terribly likely, but possible), then you can extend the protection of your authentication setup to include the path to the ECP handler, at /idp/profile/SAML2/SOAP/ECP.

If not, then you will have to add additional configuration to your web server, Java container, etc. to protect this path. The most common mechanism for this will be HTTP Basic authentication, and most ECP clients would typically support that. Using client certificates is a possibility as well, but you would likely need control over the client to ensure support for that.

While it would be impractical to document how you would set up authentication because it is specific to your web server and your authentication source(s), one example that is demonstrated here would be JAAS. The IdP supports JAAS login modules to accomplish username-password authentication, and most Java containers can also be configured to use the same JAAS configuration.

The code snippets in this page assume you are using Jetty as the web server for the deployed IdP. 



Modify your IdP's web.xml file to include the following change:

Then, modify your IdP's file to include the following change:


Modify your jetty.xml file to include the following change:

Modify your IdP's deployment descriptor file, (i.e. idp.xml) to match the following:

Then, create a jaas.ini file in the "start.d" directory of your JETTY_BASE to match the following:

Note that your jetty startup script MUST include the JAAS module, like the following: