Best way to protect ECP endpoints

Wessel, Keith kwessel at
Tue Mar 27 17:20:15 EDT 2018

Sorry, I misspoke on the prompting. Our ECP script knows that it will need to supply the username and password headers, and it does so without being prompted. I imagine any good ECP implementation already does that.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Tuesday, March 27, 2018 4:17 PM
To: Shib Users <users at>
Subject: Re: Best way to protect ECP endpoints

On 3/27/18, 5:14 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Alright, I feel quite stupid! I never tried just commenting out the Apache Location block for the ECP endpoint and hitting > it to see what happens. Works like a charm: prompts for authentication,

It won't prompt, that is an inherent limitation of this approach. It will consume a Basic-Auth header (or in theory any HTTP authentication) but it won't challenge for one. I couldn't come up with a way to do it within the webflow.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list