How does ECP know where to send AuthnRequest to IdP?

Yaowen Tu yaowen.tu at
Wed Aug 22 02:09:02 EDT 2012

I am using IdP version 2.3.6, I have read through wiki, and
some relevant articles.

If I understand correctly:
1. Shib IdP 2.3.6 has ECP enabled by default.
2. At some point ECP client needs to send AuthnRequest SOAP request to IdP.

My question is: How does ECP know where to send the AuthnRequest? In the
SAML doc I see this part:

ECP Determines Identity Provider
In step 3, the ECP obtains the location of an endpoint at an identity
provider for the authentication
request protocol that supports its preferred binding. The means by which
this is accomplished is
implementation-dependent. The ECP MAY use the SAML identity provider
discovery profile
described in Section 4.3.

So, it is actually implementation-dependent, I want to know how Shib IdP
works? I don't see any information about ECP in the idp-metadata file.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list