From 17ea6a4d9723b2e79b97ddc2b0a71efb1cdf74aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Frank=20Tam=C3=A1s?= <sitya@niif.hu>
Date: Thu, 22 Oct 2015 16:38:49 +0200
Subject: [PATCH] Documentation for ECP
---
 docs/simplesamlphp-ecp-idp.txt | 65 ++++++++++++++++++++++
 docs/simplesamlphp-reference-idp-hosted.md | 4 ++
 2 files changed, 69 insertions(+)
 create mode 100644 docs/simplesamlphp-ecp-idp.txt
diff --git a/docs/simplesamlphp-ecp-idp.txt b/docs/simplesamlphp-ecp-idp.txt
new file mode 100644
index 000000000..5a03be055
--- /dev/null
+++ b/docs/simplesamlphp-ecp-idp.txt
@@ -0,0 +1,65 @@
+Adding Enhanced Client or Proxy (ECP) Profile support to the IdP
+===============================================================
+
+This document describes the necessary steps to enable support for the [SAML V2.0 Enhanced Client or Proxy Profile Version 2.0](http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.pdf) on a simpleSAMLphp Identity Provider (IdP).
+
+The SAML V2.0 Enhanced Client or Proxy (ECP) profile is a SSO profile for use with HTTP, and clients with the capability to directly contact a principal's identity provider(s) without requiring discovery and redirection by the service provider, as in the case of a browser. It is particularly useful for desktop or server-side HTTP clients.
+
+Enabling ECP Profile on the IdP
+-----------------------------------
+
+To enable the IdP to send ECP assertions you must add the `saml20.ecp` option to the `saml20-idp-hosted` metadata file:
+
+ $metadata['__DYNAMIC:1__'] = array(
+ [....]
+ 'auth' => 'example-userpass',
+ 'saml20.ecp' => true,
+ );
+
+Note: authentication filters that require interaction with the user will not work with ECP.
+
+Add new metadata to SPs
+-----------------------
+
+After enabling the ECP Profile your IdP metadata will change. An additional ECP `SingleSignOnService` endpoint is added.
+You therefore need to update the metadata for your IdP at your SPs.
+The `saml20-idp-remote` metadata for simpleSAMLphp SPs should contain something like the following code:
+
+ 'SingleSignOnService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ 'Location' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
+ ),
+ 1 =>
+ array (
+ 'index' => 0,
+ 'Location' => 'https://didp.example.org/simplesaml/saml2/idp/SSOService.php',
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+ ),
+ ),
+
+SP metadata on the IdP
+----------------------
+
+A SP using the ECP Profile must have an `AssertionConsumerService` endpoint supporting that profile.
+This means that you have to use the complex endpoint format in `saml20-sp-remote` metadata.
+In general, this should look like the following code:
+
+ 'AssertionConsumerService' =>
+ array (
+ 0 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ 'Location' => 'https://sp.example.org/Shibboleth.sso/SAML2/POST',
+ 'index' => 1,
+ ),
+ 1 =>
+ array (
+ 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS',
+ 'Location' => 'https://sp.example.org/ECP',
+ 'index' => 2,
+ ),
+ ),
+
diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
index 0e5cb6298..712e2b45c 100644
--- a/docs/simplesamlphp-reference-idp-hosted.md
+++ b/docs/simplesamlphp-reference-idp-hosted.md
@@ -255,6 +255,10 @@ The following SAML 2.0 options are available:
 : Note that this requires a configured memcache server.
+`saml20.ecp`
+: Set to `true` to enable the IdP to recieve authnrequests and send responses according the Enhanced Client or Proxy (ECP) Profile. Note: authentication filters that require interaction with the user will not work with ECP.
+ Defaults to `false`.
+
 `saml20.hok.assertion`
 : Set to `TRUE` to enable the IdP to send responses according the [Holder-of-Key Web Browser SSO Profile](./simplesamlphp-hok-idp).
 Defaults to `FALSE`.
-- 
GitLab