  • SAML ECP Profile

    Hello,

    I am asking here because I read that the Spring Security SAML Extension supports the ECP profile but I cannot find much information about the necessary information. I am using OpenAM as Identity Provider and set up the spring-security-saml2-sample as a service provider.

    Now, when I send an HTTP request to my SP like:

    Code:
    GET /spring-security-saml2-sample/initializeECP HTTP/1.1
    Host: XXXXXXXXXXXXXXXXXXXXX
    Accept:'application/vnd.paos+xml'
    PAOS: ver='urn:liberty:paos:2003-08'; 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'
    I do not receive a SOAP message as expected, but rather an HTTP 301 redirect to the IdP login page. When I add
    Code:
    <property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    to the WebSSOProfileOptions I get an Exception:
    Code:
    org.opensaml.saml2.metadata.provider.MetadataProviderException: User specified binding is not supported by the Identity Provider using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
    What am I doing wrong? Do I need to enable the ECP profile for the SP implementation somewhere? I was not able to find any information on this topic either in the documentation or elsewhere online.

    I can provide my settings files later if necessary. For the moment I do not want to produce so much noise.

    I hope you can help me. Thanks in advance.

  • #2
    Hi,

    There are two things to do in order to enable ECP; you have to disable IDP discovery and enable ECP in the ExtendedMetadata of your SP.

    In case you're using the MetadataGenerator you need to:
    • set property includeDiscovery to false on the MetadataGenerator bean
    • create a new ExtendedMetadata bean with property ecpEnabled set to true, and store it as property extendedMetadata under the MetadataGenerator bean

    The result will look like:

    Code:
    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="includeDiscovery" value="false"/>
                <property name="extendedMetadata">
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="ecpEnabled" value="true"/>
                    </bean>
                </property>
            </bean>
        </constructor-arg>
    </bean>
    The PAOS binding will be used automatically; you don't need to use WebSSOProfileOptions to set it.

    Cheers, Vladi
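    A small diagnostic, added here as example code (it is not part of the Spring Security SAML Extension or of the poster's setup), that mirrors both sides of the exchange discussed in this thread: how an SP recognises an ECP client from the Accept and PAOS request headers, and whether the SP's reply is the PAOS/SOAP envelope the client expects or the browser-style redirect the original post saw before ecpEnabled was set. The header values and sample responses are constructed from the request quoted above.

```python
"""Check ECP negotiation between a PAOS client and a SAML SP.
Added example, not code from the Spring Security SAML Extension.
Constants are the URIs from the SAML 2.0 ECP profile / Liberty PAOS."""
import re
from typing import List, Mapping, Optional, Tuple

PAOS_VERSION = "urn:liberty:paos:2003-08"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"


def parse_paos_header(value: str) -> Tuple[Optional[str], List[str]]:
    """Split 'ver="..."; "service"' into (version, [service URIs]).
    Both quote styles are stripped, since clients differ (the thread's
    request uses single quotes); options after a comma are ignored."""
    version, services = None, []
    for part in value.split(";"):
        part = part.strip().strip("'\"")
        if not part:
            continue
        if part.lower().startswith("ver="):
            version = part[4:].strip("'\"")
        else:
            services.append(part.split(",")[0].strip().strip("'\""))
    return version, services


def is_ecp_request(headers: Mapping[str, str]) -> bool:
    """An SP treats a request as ECP only if Accept lists the PAOS media
    type AND the PAOS header names the PAOS version and the ECP service.
    Anything else is a browser and gets the redirect-based WebSSO flow."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # Tolerate ',' or ';' separators and quoted media types.
    media = [m.strip().strip("'\"") for m in re.split(r"[,;]", lowered.get("accept", ""))]
    if PAOS_MEDIA_TYPE not in media:
        return False
    version, services = parse_paos_header(lowered.get("paos", ""))
    return version == PAOS_VERSION and ECP_SERVICE in services


def classify_sp_response(status: int, headers: Mapping[str, str]) -> str:
    """Name the SP behaviour seen by the client: the PAOS envelope an ECP
    client wants, or the login redirect meant for browsers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip()
    if 300 <= status < 400 and "location" in lowered:
        return "browser-redirect"  # the symptom before ecpEnabled=true
    if status == 200 and ctype == PAOS_MEDIA_TYPE:
        return "ecp-soap"  # PAOS-wrapped AuthnRequest for the client
    return "unexpected"
```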


    • #3
      Great, that finally gives me the SOAP message I wanted. I suggest you add this property to the documentation.
