Beginner ECP question

Mike Wiseman mike.wiseman at
Tue Sep 27 20:20:02 BST 2011

> Hi Scott,
> > Which entityID? You mean the SP? You shouldn't need entries for SPs,
> not
> > in general anyway. The default is fine.
> For our Windows Live at EDU setup, we have to have that in our relying-
> party.xml
> <!-- Windows Live -->
> <rp:RelyingParty id="uri:WindowsLiveID"
>      provider=""
>      defaultSigningCredentialRef="IdPCredential">
>    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
>        signAssertions="conditional"
>        encryptAssertions="never"
>        encryptNameIds="never" />
>    <rp:ProfileConfiguration
>        xsi:type="saml:SAML2ECPProfile"
>        includeAttributeStatement="true"
>        assertionLifetime="PT5M"
>        assertionProxyCount="0"
>        signResponses="never"
>        signAssertions="always"
>        encryptAssertions="never"
>        encryptNameIds="never" />
> </rp:RelyingParty>
> The documentation that MS provided me with is for ECP setup BEFORE ECP
> was part of the core IdP install, so I've pieced together what I know,
> and found that I don't need much of the edits they tell me to do.
> When Icheck the status of the IdP, these two profiles are returned for
> uri:WindowsLiveID ..
> configured_communication_profile:
> urn:mace:shibboleth:2.0:profiles:saml2:sso
> configured_communication_profile:
> urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp
> > Mainly authentication, possibly via web.xml and container, or Apache,
> or
> > something else.
> Unfortunately, since I'm dealing with MS on this, I have no access to
> the other end and can not use that in my troubleshooting.  I guess
> what I'm after is, can I expect my IdP to respond to ECP requests
> given the above config and information?  That's really all I see that
> needs to be changed, or at least I hope it is.  I'm assuming that
> since the communication profile is loaded, that it has all of the
> necessary xml schema information in the default install.
> Terry

My institution also uses shib to provide webSSO and rich client access to live at edu. The following comments apply to this SP only. In my testing, the internal 2.3.3 IdP support for ECP does not work with the Microsoft SP. The ECP extension, when installed on the 2.3.3 IdP seems to work. I'll give you a quick view of what I've found so far but I too am waiting to discuss this with Microsoft support before raising alarms! The extension seems to use HTTP-POST endpoints when communicating with the SP whereas the builtin ECP support does not. The Microsoft SP metadata publishes those two endpoints but not an ECP endpoint which is required (Scott has mentioned this before) thus the errors in the idp logs I'm seeing. I think.    


Mike Wiseman
Manager, Information Security
Information + Technology Services
University of Toronto


More information about the users mailing list