The ECP profile is a SOAP-based interaction with the IdP that supports non-browser application uses of SAML.
If your IdP already uses the RemoteUser flow backed by HTTP Basic Authentication (not terribly likely, but possible), then you can extend the protection of that existing authentication setup to cover the path to the ECP handler, which is /idp/profile/SAML2/SOAP/ECP.
If not, then you will have to add configuration to your web server, Java container, etc. to protect this path. The most common mechanism for this is HTTP Basic Authentication, which most ECP clients support. Using client certificates is certainly a possibility as well, but you would likely need control over the client to ensure it supports that.
Documenting every way of setting up this authentication is impractical, since it depends on your web server and your authentication source(s); the one example demonstrated here uses JAAS. The IdP supports JAAS login modules for username/password authentication, and most Java containers can be configured to use the same JAAS configuration.
The code snippets in this page assume you are using Jetty as the web server for the deployed IdP.
If you are only using password-based authentication, there is really nothing further for you to configure. The instructions listed below are only useful if you are doing non-password-based authentication.
Modify your IdP's web.xml file to include the following change:
Then, modify your IdP's idp.properties file to include the following change:
Modify your jetty.xml file to include the following change:
Modify your IdP's deployment descriptor file (i.e. idp.xml) to match the following:
Then, create a jaas.ini file in the "start.d" directory of your JETTY_BASE to match the following:
Note that your jetty startup script MUST include the JAAS module, like the following:
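As an added illustration of the web.xml step above (an example fragment written for this page, not the page's own snippet or the Shibboleth project's), this is the Servlet security constraint that puts HTTP Basic Authentication in front of the ECP handler; the realm name and the use of the Servlet 3.1 "**" role are assumptions of this example:

```xml
<!-- Added example fragment for the IdP's web.xml (placed inside <web-app>); not the page's own snippet. -->
<!-- The pattern is context-relative: with the IdP deployed at /idp it covers /idp/profile/SAML2/SOAP/ECP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ECP endpoint</web-resource-name>
    <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
    <!-- No <http-method> is listed on purpose: the constraint then covers every method.
         Listing only POST would leave GET, HEAD, etc. on this path unprotected. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- "**" (Servlet 3.1, so Jetty 9.1 or later) means any authenticated user;
         "*" would instead require the user to hold a role declared in a <security-role> element. -->
    <role-name>**</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic credentials are only base64-encoded, so refuse this path over plain HTTP. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- Assumed realm name: it is what the ECP client sees in the WWW-Authenticate challenge, and
       if jetty.xml defines more than one LoginService, Jetty picks the one whose name matches it. -->
  <realm-name>IdP ECP</realm-name>
</login-config>
```

After restarting Jetty, a request to the ECP path without credentials should be answered with 401 and a "WWW-Authenticate: Basic" header rather than with the IdP's own login page.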