Relying Party SAML 2 ECP Profile Configuration

This profile configuration enables and configures the SAML 2 ECP profile. This feature is available in V2.3.0 and later.

This is part of, but not the entire, configuration needed with ECP support. For a more general overview/example, see the IdPEnableECP topic.

Basic Configuration

This profile is configured by adding the <ProfileConfiguration xsi:type="saml:SAML2ECPProfile"/> element to a <RelyingParty> definition.

<ProfileConfiguration xsi:type="saml:SAML2ECPProfile" />
<ProfileConfiguration xsi:type="saml:SAML2ECPProfile"

In order to identify the user the web server or Servlet container must expose the user's principal name via the REMOTE_USER header. This is normally done by protecting the ECP endpoint, /SAML2/SOAP/ECP by default, via HTTP BASIC authentication.

In addition, older versions of the IdP do not have the necessary declarations in the handler.xml file to support the profile endpoint for this feature. To fix this, you will need to add in changes that have occurred between the your version of handler.xml and the newer default version. The XML involved is embedded below.

<ProfileHandler xsi:type="SAML2ECP"

Advanced Configuration

The SAML2 ECP profile configuration supports the following advanced configuration attributes:

In addition, the SAML 2 ECP profile configuration element supports two child elements.


Because this profile requires server/container configuration above and beyond the normal IdP install process the install-time metadata generator will generate metadata with the ECP endpoint commented out. If you are using this profile, you may want to include that endpoint in the production metadata you supply to federations or SPs, although in practice it is only useful if the ECP client code being used happens to support metadata in some way.