Results 1 to 3 of 3

Thread: SAML ECP Profile

  1. Mar 15th, 2013, 08:57 AM #1
    cehser
    cehser is offline Junior Member
    Join Date
    Mar 2013
    Posts
    2

    Default SAML ECP Profile

    Hello,

    I am asking here because I read that the Spring Security SAML Extension supports the ECP profile but I cannot find much information about the neccessary Information. I am using OpenAM as Identity Provider and set up the spring-security-saml2-sample as a service provider.

    Now, when I send an HTTP request to my SP like:

    Code:
    GET /spring-security-saml2-sample/initializeECP HTTP/1.1
Host: XXXXXXXXXXXXXXXXXXXXX
Accept:'application/vnd.paos+xml'
PAOS: ver='urn:liberty:paos:2003-08'; 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'
    I do not receive a SOAP message as expected, but rather a HTTP 301 redirect to the IdP login page. When I add
    Code:
    <property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    to the WebSSOProfileOptions I get an Exception:
    Code:
    org.opensaml.saml2.metadata.provider.MetadataProviderException: User specified binding is not supported by the Identity Provider using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
    What am I doing wrong? Do I need to enable the ECP profile for the SP implementation somewhere? I was not able to find any information on this topic neither in the documentation nor elsewhere online.

    I can provide my settings files later if neccessary. For the moment I do not want to produce so much noise.

    I hope you can help me. Thanks in advance.
    Reply With Quote Reply With Quote
  2. Mar 16th, 2013, 04:31 AM #2
    vsch
    vsch is offline Senior Member
    Join Date
    Feb 2009
    Location
    Helsinki
    Posts
    151

    Default

    Hi,

    There are two things to do in order to enable ECP; you have to disable IDP discovery and enable ECP in the ExtendedMetadata of your SP.

    In case you're using the MetadataGenerator you need to:

    • set property includeDiscovery to false on the MetadataGenerator bean
    • create a new ExtendedMetadata bean with property ecpEnabled set to true, and store it as property extendedMetadata under the MetadataGenerator bean


    The result will look like:

    Code:
    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg>
        <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
            <property name="includeDiscovery" value="false"/>
            <property name="extendedMetadata">
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="ecpEnabled" value="true"/>
                </bean>
            </property>
        </bean>
    </constructor-arg>
</bean>
    The PAOS binding will be used automatically, you don't need to use WebSSOProfileOptions to set it.

    Cheers, Vladi
    Reply With Quote Reply With Quote
  3. Mar 17th, 2013, 07:39 AM #3
    cehser
    cehser is offline Junior Member
    Join Date
    Mar 2013
    Posts
    2

    Default

    Great, that finally gives my the SOAP message I wanted. I suggest you add this property to the documentation.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules