Relying Party SAML 2 ECP Profile Configuration

This profile configuration enables and configures the SAML 2 ECP profile. This feature is available in V2.3.0 and later.

This is part of, but not the entire, configuration needed with ECP support. For a more general overview/example, see the IdPEnableECP topic.

Basic Configuration

This profile is configured by adding the <ProfileConfiguration xsi:type="saml:SAML2ECPProfile"/> element to a <RelyingParty> definition.

Example SAML2 ECP Profile Configuration

<ProfileConfiguration xsi:type="saml:SAML2ECPProfile" />

Example SAML2 ECP Profile Configuration Overriding some Defaults

<ProfileConfiguration xsi:type="saml:SAML2ECPProfile"
                      signAssertions="always"
                      includeAttributeStatement="true"/>

In order to identify the user the web server or Servlet container must expose the user's principal name via the REMOTE_USER header. This is normally done by protecting the ECP endpoint, /SAML2/SOAP/ECP by default, via HTTP BASIC authentication.

In addition, older versions of the IdP do not have the necessary declarations in the handler.xml file to support the profile endpoint for this feature. To fix this, you will need to add in changes that have occurred between the your version of handler.xml and the newer default version. The XML involved is embedded below.

"Example additions to handler.xml"

<ProfileHandler xsi:type="SAML2ECP"
      inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
    <RequestPath>/SAML2/SOAP/ECP</RequestPath>
</ProfileHandler>

Advanced Configuration

The SAML2 ECP profile configuration supports the following advanced configuration attributes:

includeAttributeStatement - a boolean flag indicating whether to include an attribute statement in addition to the authentication statement, defaults to true
outboundArtifactType - Default artifact type used when sending responses via artifact, defaults to 4
assertionLifetime - The lifetime, in milliseconds, for issued assertions, defaults to 300000 (5 minutes)
assertionProxyCount - A non-negative integer used to populate the Count attribute in the assertion's ProxyRestriction element, defaults to 0
includeConditionsNotBefore - (V2.4.0+) Include a NotBefore timestamp in the assertions' validity conditions, defaults to true
skipEndpointValidationWhenSigned - (V2.4.0+) Allows the IdP to skip the requirement for response endpoints to be registered in SP metadata if the SAML request is signed by the SP, defaults to false
signResponses - see Configuring XML Signature and Encryption
signAssertions - see Configuring XML Signature and Encryption
signRequests - see Configuring XML Signature and Encryption
encryptAssertions - see Configuring XML Signature and Encryption
encryptNameIds - see Configuring XML Signature and Encryption

In addition, the SAML 2 ECP profile configuration element supports two child elements.

<Audience>, whose content is used to populate the <Audience> elements of <AudienceRestriction> element. This element may appear any number of times, one for each audience.
<ProxyAudience>, whose content is used to populate the <Audience> elements of the <ProxyRestriction> condition element. This element may appear any number of times, one for each audience.

Metadata

Because this profile requires server/container configuration above and beyond the normal IdP install process the install-time metadata generator will generate metadata with the ECP endpoint commented out. If you are using this profile, you may want to include that endpoint in the production metadata you supply to federations or SPs, although in practice it is only useful if the ECP client code being used happens to support metadata in some way.