Enabling ECP in SP 2.4.3

Scott Koranda skoranda at gmail.com
Sat Sep 10 01:56:57 BST 2011


> On 9/9/11 8:29 PM, "Scott Koranda" <skoranda at gmail.com> wrote:
> 
> >That is, add a <SessionInitiator> of type SAML2 with ECP
> >enabled before the initiator for your discovery service, in
> >order to give the ECP hook a chance to "fire" before the
> >discovery service hook fires.
> 
> Is there some reason why you would have used the other order?

(not sure if you are addressing me or the OP...)

My evolutionary path looked like this:

- start with older SP version so using the "old" syntax and
  working against a single IdP (no federation), resulting in

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie" entityID="https://my.org/idp/shibboleth">
 <SessionInitiator type="SAML2" template="bindingTemplate.html" />  
</SessionInitiator>

- add a discovery service as early investigation into federation, resulting in

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie">
 <SessionInitiator type="SAMLDS" URL="https://my.org/DS" />
 <SessionInitiator type="SAML2" template="bindingTemplate.html" />  
</SessionInitiator>

- decide that ECP is interesting and try to enable it after a
  cursory reading of the ECP option documentation for the
  SAML2 initiator, resulting in

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie">
 <SessionInitiator type="SAMLDS" URL="https://my.org/DS" />
 <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>  
</SessionInitiator>

- continually get redirected to the DS and after reading the
  documentation again for the Chaining initiator add another
  SAML2 initiator resulting in

<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie">
 <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>  
 <SessionInitiator type="SAMLDS" URL="https://my.org/DS" />
 <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>  
</SessionInitiator>

- upgrade to 2.4.x and decide to keep the "old" configuration
  because, frankly, it makes more sense to me and I don't find
  it complicated

Scott K
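
Added example, not part of the original message and not Shibboleth project code: a Python check that reads a Chaining SessionInitiator and reports whether an ECP-enabled SAML2 initiator is listed before the SAMLDS initiator, the ordering the message ends up with. The function name, the finding labels and the embedded samples (copied from the configurations quoted above) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop "{namespace}" so a namespaced shibboleth2.xml parses the same way.
    return tag.rsplit("}", 1)[-1]

def _is_true(value):
    # XML booleans may be written "true" or "1".
    return (value or "").strip().lower() in ("true", "1")

def check_ecp_order(xml_text):
    """Return [(chain id, finding)] for every Chaining SessionInitiator."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "SessionInitiator" or el.get("type") != "Chaining":
            continue
        kids = [k for k in el if _local(k.tag) == "SessionInitiator"]
        ecp = [i for i, k in enumerate(kids)
               if k.get("type") == "SAML2" and _is_true(k.get("ECP"))]
        ds = [i for i, k in enumerate(kids) if k.get("type") == "SAMLDS"]
        if not ecp:
            finding = "no-ecp"        # no SAML2 initiator has ECP enabled
        elif ds and min(ecp) > min(ds):
            finding = "ecp-after-ds"  # DS is tried first: the redirect-to-DS symptom
        else:
            finding = "ok"            # an ECP-enabled initiator precedes the DS
        findings.append((el.get("id", "(no id)"), finding))
    return findings

# Constructed samples, copied from the configurations quoted in the message.
ECP_AFTER_DS = """<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie">
 <SessionInitiator type="SAMLDS" URL="https://my.org/DS" />
 <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>
</SessionInitiator>"""

ECP_BEFORE_DS = """<SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet" relayState="cookie">
 <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>
 <SessionInitiator type="SAMLDS" URL="https://my.org/DS" />
 <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>
</SessionInitiator>"""

if __name__ == "__main__":
    for name, cfg in (("ECP after DS", ECP_AFTER_DS), ("ECP before DS", ECP_BEFORE_DS)):
        print(name, check_ecp_order(cfg))
```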

