Skip to end of metadata
Go to start of metadata

This plugin has been moved in to the core IdP distribution as of V2.3 and this documentation does NOT apply to the built-in version. ECP support is enabled by default in the configuration files that are shipped with V2.3 provided that container or web server authentication is enabled for the profile path of /idp/profile/SAML2/SOAP/ECP so that REMOTE_USER is set. More at IdPEnableECP.

IdP ECP Extension

This extension to the Shibboleth 2.x IdP adds some support for ECP. Authentication to the IdP from the enhanced client is limited to Basic Authentication.

See the SAML V2.0 Profiles Specification for details of the ECP profile.

Installation and configuration


  • An installed Shibboleth 2.x IdP
  • Basic Authn capability. Usually provided by Apache or Tomcat.


  1. Download the ECP extension.
  2. Run '$mvn install' to build.
  3. Copy the target jar, shibboleth-idp-ext-ecp-VERSION.jar to your idp-distribution/lib directory.
  4. Rerun the IdP's install script to build a new war file.



  1. Add this namespace definition:
  2. Add to the schema location:
  3. Add a profile handler declaration for the ECP SOAP handler


  1. Add this namespace definition:
  2. Add to the schema location:
  3. Add an ECP profile configuration to the default relying party definition or to each relying party's definition for whom you want to support ECP, e.g.:
    Signing and encryption options may vary with your cilents.

Basic auth

Configure your server to require Basic Auth for the ECP location. For Apache you might use:


A simple test is provided in the doc directory.

  1. Edit the shell script for your installation.
  2. Run the the script, from the IdP host or from a remote site.


According to the SAML V2.0 Errata an IdP supporting ECP can advertise a binding of:

and an SP can advertise:

  • No labels