Not clear yet what my intent was, but using properties on the <SSO> element doesn't carry through to the child plugins created inside the chain because of the order of initialization and other factors.
Fixed
Reported by Terry Fleury, moved from old Jira.
In the documentation at https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO , in the section "Element Content", it states that the "SAML2" element enables "SAML 2.0 Browser SSO and ECP profiles". I tried using this element in my shibboleth2.xml configuration as follows.
<!-- --------------BEGIN SESSIONS-------------------------- -->
<Sessions checkAddress="false" handlerSSL="false" relayState="ss:mem"
          cookieProps="; path=/; secure">
    <SSO discoveryProtocol="SAMLDS"
         discoveryURL="https://wayf.incommonfederation.org/DS/WAYF">
        SAML2 SAML1
    </SSO>
    <Logout>SAML2 Local</Logout>
    <NameIDMgmt>SAML2</NameIDMgmt>
</Sessions>
<!-- --------------END SESSIONS-------------------------- -->
Browser-based access works as expected. But ECP access gets immediately redirected to the InCommon WAYF rather than doing any sort of ECP handling.
If I instead configure shibboleth2.xml using the (significantly more verbose) 2.3-style configuration, ECP works correctly. Notice the 'ECP="true"' attribute for the SAML2 <SessionInitiator> below. This configuration works for both browser SSO and ECP.
<!-- --------------BEGIN SESSIONS-------------------------- -->
<Sessions checkAddress="false" handlerSSL="false" relayState="ss:mem"
          cookieProps="; path=/; secure"
          handlerURL="/Shibboleth.sso">
    <SessionInitiator type="Chaining" Location="/Login" id="InCommon"
                      isDefault="true" relayState="cookie">
        <SessionInitiator type="SAML2"
                          template="bindingTemplate.html" ECP="true" />
        <SessionInitiator type="SHIB1" />
        <SessionInitiator type="SAMLDS"
                          URL="https://wayf.incommonfederation.org/DS/WAYF" />
    </SessionInitiator>
    <md:AssertionConsumerService Location="/SAML2/POST" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:AssertionConsumerService Location="/SAML2/Artifact" index="3"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    <md:AssertionConsumerService Location="/SAML/POST" index="5"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    <md:AssertionConsumerService Location="/SAML/Artifact" index="6"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>
    <LogoutInitiator type="Chaining" Location="/Logout">
        <LogoutInitiator type="SAML2" template="bindingTemplate.html"/>
        <LogoutInitiator type="Local"/>
    </LogoutInitiator>
    <md:SingleLogoutService Location="/SLO/SOAP"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <md:SingleLogoutService Location="/SLO/Redirect"
        conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleLogoutService Location="/SLO/POST"
        conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleLogoutService Location="/SLO/Artifact"
        conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:ManageNameIDService Location="/NIM/SOAP"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <md:ManageNameIDService Location="/NIM/Redirect"
        conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:ManageNameIDService Location="/NIM/POST"
        conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:ManageNameIDService Location="/NIM/Artifact"
        conf:template="bindingTemplate.html"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
</Sessions>
<!-- --------------END SESSIONS-------------------------- -->
So it appears that ECP works with SP 2.4.2, but requires the older style configuration. The newer <SSO>SAML2</SSO> configuration doesn't work with my ECP tests.
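An added diagnostic (not part of this issue or of the Shibboleth SP itself) that classifies a shibboleth2.xml `<Sessions>` block as the `<SSO>` shorthand or an explicit `<SessionInitiator>` chain and reports whether an ECP login path is actually declared; the two embedded samples are constructed from the reporter's snippets, and the acceptance of an ECP="true" attribute on `<SSO>` is an assumption, since the issue only shows the attribute on a chained SAML2 initiator.

```python
import xml.etree.ElementTree as ET

# Namespaces used by shibboleth2.xml (standard SP 2.x values).
NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed sample: the 2.4 <SSO> shorthand exactly as the reporter used it (no ECP flag).
SHORTHAND = """<Sessions xmlns="urn:mace:shibboleth:2.0:native:sp:config"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" handlerSSL="false">
  <SSO discoveryProtocol="SAMLDS" discoveryURL="https://wayf.example.org/DS/WAYF">
    SAML2 SAML1
  </SSO>
</Sessions>"""

# Constructed sample: a trimmed copy of the explicit 2.3-style chain the reporter found working.
CHAIN = """<Sessions xmlns="urn:mace:shibboleth:2.0:native:sp:config"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" handlerSSL="false">
  <SessionInitiator type="Chaining" Location="/Login" isDefault="true">
    <SessionInitiator type="SAML2" template="bindingTemplate.html" ECP="true"/>
    <SessionInitiator type="SAMLDS" URL="https://wayf.example.org/DS/WAYF"/>
  </SessionInitiator>
  <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
</Sessions>"""


def ecp_status(xml_text):
    """Classify a <Sessions> element: which config style it uses and whether ECP is declared."""
    root = ET.fromstring(xml_text)
    sso = root.find("conf:SSO", NS)
    inits = root.findall(".//conf:SessionInitiator", NS)
    paos = any(a.get("Binding") == PAOS
               for a in root.findall(".//md:AssertionConsumerService", NS))
    if sso is not None:
        protocols = (sso.text or "").split()
        # Assumption: the shorthand accepts ECP="true" on <SSO> (the issue only
        # shows the attribute on a chained SAML2 SessionInitiator).
        ecp = "SAML2" in protocols and sso.get("ECP", "false").lower() == "true"
        return {"style": "sso", "ecp": ecp, "paos_acs": paos}
    saml2 = [i for i in inits if i.get("type") == "SAML2"]
    ecp = any(i.get("ECP", "false").lower() == "true" for i in saml2)
    return {"style": "chain" if inits else "none", "ecp": ecp, "paos_acs": paos}


def explain(status):
    """One-line verdict for the symptom in this issue: ECP clients bounced to the discovery service."""
    if status["style"] == "chain":
        ok = status["ecp"] and status["paos_acs"]   # chain style must declare the PAOS endpoint itself
    else:
        ok = status["ecp"]   # assumption: the shorthand provisions its own endpoints
    return "ECP login path configured" if ok else "no ECP login path: ECP clients will follow the browser/discovery flow"
```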