Enabling ECP in SP 2.4.3
Scott Koranda
skoranda at gmail.com
Sat Sep 10 01:29:41 BST 2011
> I am trying to play with ECP in the Shibboleth SP (v2.4.3) and I'm not having much success.
>
> There doesn't appear to be too much information about enabling ECP in the SP on the wiki. I see the NativeSPServiceSSO wiki page that seems to indicate that ECP is automatically enabled when SAML2 is present, but that doesn't appear to work. I also used the more verbose syntax in shibboleth2.xml to enable ECP via an md:AssertionConsumerService and the ECP="true" attribute on the SAML2 SessionInitiator (per the wiki and an email thread in May, 2011 on this mailing list). That also does not appear to work. Finally, I see the open bug (SSPCPP-371) with what amounts to the same information. I tried the additional suggestion by Scott Cantor (adding ECP="true") to the SSO tag and that doesn't seem to work.
>
> I am using two methods to test: the sample bash ECP client script (ecp.sh) on the Contributions wiki page, and manual testing using curl (based on ecp.sh and a cursory read of the relevant portion of the spec). What I see instead of an ECP-like response from my SP is the HTML redirecting to my discovery service.
>
> Any suggestions? Tips? Pointers?
Assuming that your shibboleth2.xml has a <SessionInitiator>
that looks something like this
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" >
    <SessionInitiator type="SAMLDS" URL="https://some.edu/DS" />
    <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true" />
</SessionInitiator>
try changing it to look something like this
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" >
    <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true" />
    <SessionInitiator type="SAMLDS" URL="https://some.edu/DS" />
    <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true" />
</SessionInitiator>
That is, add a <SessionInitiator> of type SAML2 with ECP
enabled before the initiator for your discovery service, in
order to give the ECP hook a chance to "fire" before the
discovery service hook fires.
Scott K
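An added example, not part of the thread, that checks the ordering Scott describes: for each Chaining SessionInitiator in a shibboleth2.xml, it reports whether an ECP-enabled SAML2 initiator appears before the SAMLDS initiator. The two XML fragments are constructed from the snippets in the message; the function and constant names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the two chains in the message above
# (not a real deployment file). Real shibboleth2.xml elements carry the
# urn:mace:shibboleth:2.0:native:sp:config namespace; local_name() strips
# any namespace so both qualified and unqualified files are handled.
BROKEN_CHAIN = """<Sessions>
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie">
  <SessionInitiator type="SAMLDS" URL="https://some.edu/DS"/>
  <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>
</SessionInitiator>
</Sessions>"""

FIXED_CHAIN = """<Sessions>
<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie">
  <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>
  <SessionInitiator type="SAMLDS" URL="https://some.edu/DS"/>
  <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>
</SessionInitiator>
</Sessions>"""


def local_name(tag):
    """Drop a '{namespace}' prefix from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def ecp_before_discovery(members):
    """members: list of (type, ecp_enabled) in chain order.
    True if an ECP-enabled SAML2 initiator comes before the first SAMLDS
    initiator, i.e. the ECP hook gets to fire before the discovery hook."""
    for kind, ecp in members:
        if kind == "SAMLDS":
            return False
        if kind == "SAML2" and ecp:
            return True
    return False


def check_chains(xml_text):
    """Return {chain id: bool} for every Chaining SessionInitiator found."""
    results = {}
    for node in ET.fromstring(xml_text).iter():
        if local_name(node.tag) != "SessionInitiator" or node.get("type") != "Chaining":
            continue
        members = [(c.get("type"), c.get("ECP", "false").lower() == "true")
                   for c in node if local_name(c.tag) == "SessionInitiator"]
        results[node.get("id", "(no id)")] = ecp_before_discovery(members)
    return results
```

Run `check_chains(open("shibboleth2.xml").read())` against a real file; a chain reporting False is one where an ECP client will be handed the discovery-service redirect the original poster saw.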