
  • SAML ECP Profile


    I am asking here because I read that the Spring Security SAML Extension supports the ECP profile but I cannot find much information about the necessary configuration. I am using OpenAM as Identity Provider and set up the spring-security-saml2-sample as a service provider.

    Now, when I send an HTTP request to my SP like:

    GET /spring-security-saml2-sample/initializeECP HTTP/1.1
    PAOS: ver='urn:liberty:paos:2003-08'; 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'
    I do not receive a SOAP message as expected, but rather an HTTP 301 redirect to the IdP login page. When I add
    <property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    to the WebSSOProfileOptions I get an Exception:
    org.opensaml.saml2.metadata.provider.MetadataProviderException: User specified binding is not supported by the Identity Provider using profile urn:oasis:names:tc:SAML:2.0:profiles:SSO:browser
    What am I doing wrong? Do I need to enable the ECP profile for the SP implementation somewhere? I was not able to find any information on this topic neither in the documentation nor elsewhere online.

    I can provide my settings files later if necessary. For the moment I do not want to produce so much noise.

    I hope you can help me. Thanks in advance.

  • #2

    There are two things to do in order to enable ECP; you have to disable IDP discovery and enable ECP in the ExtendedMetadata of your SP.

    In case you're using the MetadataGenerator you need to:
    • set property includeDiscovery to false on the MetadataGenerator bean
    • create a new ExtendedMetadata bean with property ecpEnabled set to true, and store it as property extendedMetadata under the MetadataGenerator bean

    The result will look like:

    <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
        <constructor-arg>
            <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
                <property name="includeDiscovery" value="false"/>
                <property name="extendedMetadata">
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="ecpEnabled" value="true"/>
                    </bean>
                </property>
            </bean>
        </constructor-arg>
    </bean>
    The PAOS binding will be used automatically, you don't need to use WebSSOProfileOptions to set it.

    Cheers, Vladi
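    To verify that the change above actually took effect, it helps to have a small client-side check. The following is an added example, not code from this thread or from the Spring Security SAML extension: it builds the two request headers the SAML ECP profile requires (the Accept header advertising application/vnd.paos+xml and the PAOS header naming the ECP profile; an SP that does not see both falls back to the browser SSO profile) and classifies the SP's answer as either a redirect to the IdP login page (the symptom in the question) or a PAOS SOAP envelope carrying the AuthnRequest, reporting any header blocks the envelope is missing. All hostnames, URLs and the sample responses are constructed for the example, not captured from OpenAM or the sample SP.

```python
"""Added example (not from the thread or the Spring Security SAML project):
build an ECP client's request headers and classify what the SP returns.
Hostnames, URLs and the two sample responses below are constructed."""
import xml.etree.ElementTree as ET

PAOS_MIME = "application/vnd.paos+xml"
PAOS_VER = "urn:liberty:paos:2003-08"
ECP_PROFILE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": PAOS_VER,
    "ecp": ECP_PROFILE,
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def ecp_request_headers():
    """Headers the SAML ECP profile requires on the initial request.
    Both are needed: without Accept *and* PAOS the SP treats the client
    as an ordinary browser and runs the Web SSO profile (login redirect)."""
    return {
        "Accept": f"text/html; {PAOS_MIME}",
        "PAOS": f'ver="{PAOS_VER}";"{ECP_PROFILE}"',
    }


def classify_sp_response(status, headers, body):
    """Classify the SP's answer. 'kind' is 'redirect', 'paos' or 'other';
    PAOS envelopes also get a 'problems' list of missing/incorrect parts."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        # Browser SSO fallback: ECP not recognised or not enabled on the SP.
        return {"kind": "redirect", "location": h.get("location", "")}
    if not h.get("content-type", "").startswith(PAOS_MIME):
        return {"kind": "other", "content_type": h.get("content-type", "")}

    problems = []
    root = ET.fromstring(body)
    if root.tag != f"{{{NS['S']}}}Envelope":
        return {"kind": "paos", "problems": ["body is not a SOAP envelope"]}
    paos_req = root.find("S:Header/paos:Request", NS)
    ecp_req = root.find("S:Header/ecp:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None:
        problems.append("missing paos:Request header block")
    elif paos_req.get("service") != ECP_PROFILE:
        problems.append("paos:Request service is not the ECP profile")
    if ecp_req is None:
        problems.append("missing ecp:Request header block")
    if authn is None:
        problems.append("missing samlp:AuthnRequest in SOAP body")
    issuer = ""
    if ecp_req is not None:
        issuer = ecp_req.findtext("saml:Issuer", default="", namespaces=NS)
    # IdPs the SP is willing to use, if it included an IDPList (ECP optional part)
    idps = [e.get("ProviderID") for e in
            root.findall("S:Header/ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)]
    return {
        "kind": "paos",
        "response_consumer_url": paos_req.get("responseConsumerURL") if paos_req is not None else None,
        "issuer": issuer,
        "authn_request_id": authn.get("ID") if authn is not None else None,
        "idp_entity_ids": idps,
        "problems": problems,
    }


# Constructed sample: the symptom from the question (SP fell back to browser SSO).
REDIRECT_RESPONSE = (301, {"Location": "https://idp.example.test/openam/UI/Login"}, "")

# Constructed sample: the kind of envelope an ECP-enabled SP returns instead.
PAOS_BODY = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
 <S:Header>
  <paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1"
   S:actor="http://schemas.xmlsoap.org/soap/actor/next"
   responseConsumerURL="https://sp.example.test/spring-security-saml2-sample/saml/SSO"
   service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1"
   S:actor="http://schemas.xmlsoap.org/soap/actor/next" IsPassive="false">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test/spring-security-saml2-sample/saml/metadata</saml:Issuer>
   <samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <samlp:IDPEntry ProviderID="https://idp.example.test/openam"/>
   </samlp:IDPList>
  </ecp:Request>
 </S:Header>
 <S:Body>
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee01" Version="2.0"
   IssueInstant="2014-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
   AssertionConsumerServiceURL="https://sp.example.test/spring-security-saml2-sample/saml/SSO">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test/spring-security-saml2-sample/saml/metadata</saml:Issuer>
  </samlp:AuthnRequest>
 </S:Body>
</S:Envelope>"""
PAOS_RESPONSE = (200, {"Content-Type": "application/vnd.paos+xml"}, PAOS_BODY)

if __name__ == "__main__":
    print(ecp_request_headers())
    print(classify_sp_response(*REDIRECT_RESPONSE))
    print(classify_sp_response(*PAOS_RESPONSE))
```

    Feed `classify_sp_response` the status, headers and body of a real response from your SP (for example from `http.client` or `requests`) after sending `ecp_request_headers()`; a `redirect` result means the SP still ran the browser profile, a `paos` result with an empty `problems` list means ECP is active and the AuthnRequest can be forwarded to the IdP named in `idp_entity_ids`.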


    • #3
      Great, that finally gives me the SOAP message I wanted. I suggest you add this property to the documentation.