Enhanced Client or Proxy Profile Version 2.0, can Azure AD be used as the IdP?

Wessel, Keith kwessel at illinois.edu
Tue Apr 19 16:40:32 UTC 2022

Amazingly, Okta claims they do. Can't say if it actually works.

This page is very vague:


But there are plenty of other references in their docs to ECP.

Scary stuff...

I, too, would be very surprised if Azure AD supported ECP, though. They've mostly adopted OIDC and "sign into work or school" flows for getting the credentials in place to support non-browser interactions. Looks like some folks have asked in the MSDN forums but gotten nothing in terms of helpful responses. There's probably a reason that those of us using Azure AD and ADFS are proxying through Shib to get there: Shib can still enforce the ECP endpoints.


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott via users
Sent: Tuesday, April 19, 2022 11:22 AM
To: Shib Users <users at shibboleth.net>
Cc: Cantor, Scott <cantor.2 at osu.edu>
Subject: Re: Enhanced Client or Proxy Profile Version 2.0, can Azure AD be used as the IdP?

On 4/19/22, 11:58 AM, "users on behalf of Paul B Hill via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

> I realize this is the Shibboleth user’s list and this is slightly off topic. But, does anyone on the list know if Azure
> AD may be used as an IDP for applications using Enhanced Client or Proxy Profile Version 2.0?

I have never heard anything to suggest it supports ECP.

> I know that Okta supports this, but so far I have not found any current definitive statements about Azure AD. 

I seriously doubt Okta supports ECP. Maybe I'm wrong.

-- Scott
