Best way to protect ECP endpoints

[Wessel, Keith]

All,

We're currently using Apache configuration logic to protect our ECP endpoint, something that we've been doing since IdP V2. Our endpoint is just protected with HTTP basic auth and authenticated against our Active Directory Kerberos service, same as our login page.

Looking at the docs on the wiki, it appears things haven't changed too much since V2:

https://wiki.shibboleth.net/confluence/display/IDP30/ECPConfiguration

There are a couple of things we'd like to improve here to help with future work, and I suspect there's a cleaner way to do it then what I've come upw ith so far.

First, as we plan to move our IdP to AWS, we'll be getting Apache out of the picture, fronting Jetty with an Amazon elastic load balancer instead of an httpd. Seems like the perfect opportunity to move to container-level auth.

Second, we'd love if our ECP endpoint would have a chance to honor IdP cookies of existing valid sessions before passing requests on to perform HTTP basic auth.

I know the first item is doable. One sentence on the above web page confuses me, though: "If you are only using password-based authentication, there is really nothing further for you to configure." Is this implying that I can just set up container-based HTTP basic auth in Jetty and add the endpoint to my web.xml? The last couple blocks in web.xml seem to imply this -- theones before support for legacy login.sjp. Or is there a way for the IdP to handle HTTP basic auth for the ECP endpoint without configuring anything container-level, using the same authn configuration that it uses to validate passwords submitted through the UI?

If the latter is true, it seems that honoring of cookies would also be doable.

Question is what is the basic recommendation for setting up ECP these days if you're doing password authentication on your ECP endpoint?

Thanks,
Keith