
The ECP profile is a SOAP-based interaction with the IdP that supports non-browser application uses of SAML.

If your IdP uses the RemoteUser flow with Basic Authentication (not terribly likely, but possible), then you can extend your existing authentication setup to also protect the path to the ECP handler, which is /idp/profile/SAML2/SOAP/ECP.

If not, then you will have to add configuration to your web server, Java container, etc. to protect this path. The most common mechanism is HTTP Basic Authentication, which most ECP clients support. Client certificates are certainly a possibility as well, but you would likely need control over the client to ensure it supports them.

Because the details depend on your web server and your authentication source(s), it is impractical to document every way of setting up this authentication; the example demonstrated here uses JAAS. The IdP supports JAAS login modules for username/password authentication, and most Java containers can be configured to use the same JAAS configuration.

The code snippets on this page assume you are using Jetty as the web server for the deployed IdP.

Password-based Authentication

If you are only using password-based authentication, there is really nothing further for you to configure. The instructions below are only needed if you are doing non-password-based authentication.

Configuration

IdP

Modify your IdP's web.xml file to include the following change:

<!-- Require container authentication for both the RemoteUser login handler and the
     ECP SOAP endpoint. The url-patterns are relative to the /idp context, and only the
     listed HTTP methods are constrained. -->
<security-constraint>
    <web-resource-collection>
        <url-pattern>/Authn/RemoteUser</url-pattern>
        <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <!-- "**" means any authenticated user, regardless of role -->
        <role-name>**</role-name>
    </auth-constraint>
</security-constraint>
<!-- HTTP Basic challenge; the realm name must match the login service configured in Jetty -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ShibUserPassAuth</realm-name>
</login-config>

Then, modify your IdP's idp.properties file to include the following change:

# Regular expression matching login flows to enable, e.g. IPAddress|Password
idp.authn.flows=Password|RemoteUserInternal


Jetty

Modify your jetty.xml file to include the following change:

<!-- Register a JAAS-backed login service whose name matches the realm-name in web.xml
     and whose LoginModuleName matches the entry in the IdP's jaas.config -->
<Call name="addBean">
    <Arg>
        <New class="org.eclipse.jetty.jaas.JAASLoginService">
            <Set name="name">ShibUserPassAuth</Set>
            <Set name="LoginModuleName">ShibUserPassAuth</Set>
        </New>
    </Arg>
</Call>

Modify your IdP's deployment descriptor file (i.e. idp.xml) to match the following:

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <!-- Adjust the following per your deployment -->
  <Set name="war">/opt/shibboleth-idp/war/idp.war</Set>
  <Set name="contextPath">/idp</Set>
  <Set name="extractWAR">false</Set>
  <Set name="copyWebDir">false</Set>
  <Set name="copyWebInf">true</Set>
  <!-- Bind the webapp's security handler to the login service registered in jetty.xml -->
  <Get name="securityHandler">
    <Set name="realmName">ShibUserPassAuth</Set>
  </Get>
</Configure>

Then, create a jaas.ini file in the "start.d" directory of your JETTY_BASE to match the following:

--module=jaas
# Adjust the following path per your deployment
jaas.login.conf=../shibboleth-idp/conf/authn/jaas.config

Note that your Jetty startup script MUST include the JAAS module, like the following:

$JRE_HOME/bin/java -jar jetty/start.jar --add-to-startd=https,deploy,annotations,jstl,logging,requestlog,ext,jaas
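
Once the above is in place, it is worth confirming that the container really does challenge for HTTP Basic on both constrained paths with the expected realm. The following script is an added example and not part of the Shibboleth wiki or the IdP distribution; the IdP hostname in IDP_BASE_URL is an assumption, and the live probe only runs when IDP_LIVE_CHECK=1 so the check function can be exercised offline.

```sh
#!/bin/sh
# Added example: verify that unauthenticated requests to the paths protected in
# web.xml are answered with a 401 and a Basic challenge for the expected realm.

IDP_BASE_URL="${IDP_BASE_URL:-https://idp.example.org}"   # assumed hostname, adjust
EXPECTED_REALM="ShibUserPassAuth"                          # realm-name from web.xml

# check_basic_challenge HEADERS REALM
# Returns 0 when HEADERS (a raw HTTP response header block) carries a 401 status
# line and a WWW-Authenticate Basic challenge for REALM; returns 1 otherwise.
# Matching is case-insensitive because Jetty emits "basic realm=..." in lower case.
check_basic_challenge() {
    _hdrs="$1"
    _realm="$2"
    printf '%s\n' "$_hdrs" | grep -qi '^HTTP/[0-9.]* 401' || return 1
    printf '%s\n' "$_hdrs" | grep -qi "^WWW-Authenticate: *Basic realm=\"${_realm}\"" || return 1
    return 0
}

# probe_path METHOD PATH: fetch only the response headers, sending no credentials.
probe_path() {
    curl -s -o /dev/null -D - -X "$1" "${IDP_BASE_URL}$2"
}

# Probe every method/path pair listed in the security-constraint.
main() {
    rc=0
    for method in GET POST; do
        for path in /idp/profile/SAML2/SOAP/ECP /idp/Authn/RemoteUser; do
            hdrs="$(probe_path "$method" "$path")"
            if check_basic_challenge "$hdrs" "$EXPECTED_REALM"; then
                echo "OK   $method $path challenges with realm $EXPECTED_REALM"
            else
                echo "FAIL $method $path is not protected by HTTP Basic" >&2
                rc=1
            fi
        done
    done
    return $rc
}

if [ "${IDP_LIVE_CHECK:-0}" = 1 ]; then
    main
fi
```

A FAIL line for only one of the two methods usually means the url-pattern or http-method list in web.xml does not match the request as the container sees it.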


1 Comment

  1. It looks like there is a typo in the sample jaas.ini file: the --module=jaas part is not a property. In my case, with Jetty bundled with the Windows installer, I put that line into the start.ini file... but as the list of modules in start.ini clashes with the list of modules on the command line here, I'll leave this to the owners of this page (Misagh Moayyed) to resolve...