ECP

ECP stands for "Enhanced Client or Proxy", a SAML v2.0 profile which allows for the exchange of SAML attributes outside the context of a web browser. Thus, ECP can be very useful for non-browser cyberinfrastructure applications (command-line, thick-client, etc.). Below are a few links describing the ECP profile in detail. To enable ECP in your Shibboleth IdP installation, see:

In the ECP profile, both the Service Provider (SP) and the Identity Provider (IdP) must understand the ECP SOAP/PAOS binding. The CILogon Service Provider supports fetching an end-user X.509 certificate using any InCommon-member ECP-enabled IdP.

Note that your IdP must release the attributes required by CILogon for you to obtain a certificate. Please test that your IdP is releasing the needed attributes by visiting https://cilogon.org/testidp/.

A list of InCommon-member ECP-enabled IdPs is maintained on the CILogon servers. If you would like to add your ECP-enabled IdP to this list, please send email to help@cilogon.org.

ECP at Fermilab

Fermilab users should use the cigetcert tool to obtain certificates from CILogon using ECP. 

ECP for LIGO

LIGO users should use the ligo-proxy-init tool to obtain certificates from CILogon using ECP.

CILogon's ecp.pl script

Below is a Perl script which can fetch a certificate or PKCS12 credential from the CILogon Service.
  • ecp.pl - Fetch a certificate from the CILogon Service via ECP
This Perl script can be run interactively (where the user will be prompted for all information) or in batch mode (by the use of command line options). Run "ecp.pl -h" to see usage information.

The script relies on several Perl packages, all of which are available from CPAN or via the package manager for your OS. If you receive an error message about SSL and Certificate Authorities, you may also need to install the Mozilla::CA Perl module. For example:

$ perl -MCPAN -e 'install Crypt::SSLeay'
$ perl -MCPAN -e 'install Mozilla::CA'

The script also requires OpenSSL. If you have installed the openssl binary in a location other than /usr/bin/openssl, you will need to modify the script to point to the location of openssl on your system.

ecp.pl examples

The following transcript demonstrates how to use the ecp.pl script to obtain a short-lived (12 hour) certificate from CILogon on the command-line.

$ curl -sSO https://cilogon.org/ecp.pl
$ perl ecp.pl --get cert -c create -k userkey.pem -o usercert.pem -t 12
Select an Identity Provider (IdP):
  1> Clemson University
  2> LIGO Scientific Collaboration
  3> LTER Network
  4> Penn State University
  5> ProtectNetwork
  6> University of Chicago
  7> University of Illinois at Urbana-Champaign
  8> University of Michigan
  9> University of Tennessee
 10> University of Utah
 11> University of Washington
 12> University of Wisconsin-Madison
 13> Specify the ECP endpoint URL of another ECP-enabled IdP

Choose [7]: 
Enter a username for the Identity Provider: jbasney
Enter a password for the Identity Provider: ********
$ openssl x509 -subject -noout < usercert.pem
subject= /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534

The following transcript demonstrates how to use the ecp.pl script to obtain short-lived (12 hour) credentials for use with the Globus Toolkit.

$ curl -sSO https://cilogon.org/ecp.pl
$ perl ecp.pl --proxyfile --certreq create --lifetime 264 --vo "osg" --idpname "Urbana-Champaign"
Enter a username for the Identity Provider: jbasney
Enter a password for the Identity Provider: 
$ grid-proxy-info
subject  : /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534
issuer   : /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
identity : /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534
type     : end entity credential
strength : 2048 bits
path     : /tmp/x509up_u501
timeleft : 263:59:54  (11.0 days)

The above example also illustrates how to specify your virtual organization and identity provider on the command-line.

Technical Details

The following sequence diagram illustrates the network protocol used for CILogon's ECP support. The ecp.pl command-line interface performs HTTP Basic authentication (username/password) with the chosen SAML identity provider (IdP) to obtain a SAML authentication assertion for use with CILogon. CILogon never sees the user's password.
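As an added illustration of the exchange described above (and of the SOAP/PAOS binding mentioned in the introduction), here is example code written for this page in Python rather than Perl; it is not CILogon's ecp.pl. The two envelopes are constructed samples with example.org URLs and trimmed SAML bodies, and the code shows the client-side handling of the SP's PAOS request and the IdP's ECP response, including the URL comparison the ECP profile requires before an assertion is forwarded to the SP.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
NS = {"S": SOAP, "paos": PAOS, "ecp": ECP, "samlp": SAMLP}
for prefix, uri in NS.items(): ET.register_namespace(prefix, uri)
# HTTP headers that make the SP answer with a PAOS envelope instead of a login redirect
PAOS_HTTP_HEADERS = {"Accept": "text/html; application/vnd.paos+xml",
                     "PAOS": 'ver="%s";"%s"' % (PAOS, ECP)}

def sp_envelope(consumer_url):
    """Constructed sample of an SP's PAOS request (AuthnRequest body trimmed)."""
    return ('<S:Envelope xmlns:S="%s"><S:Header><paos:Request xmlns:paos="%s" '
            'S:mustUnderstand="1" S:actor="%s" responseConsumerURL="%s" service="%s"/>'
            '<ecp:RelayState xmlns:ecp="%s" S:mustUnderstand="1" S:actor="%s">rs-1'
            '</ecp:RelayState></S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="%s" '
            'ID="_req1"/></S:Body></S:Envelope>'
            % (SOAP, PAOS, NEXT, consumer_url, ECP, ECP, NEXT, SAMLP))

def idp_envelope(acs_url):
    """Constructed sample of an IdP's ECP response (assertion trimmed)."""
    return ('<S:Envelope xmlns:S="%s"><S:Header><ecp:Response xmlns:ecp="%s" '
            'S:mustUnderstand="1" S:actor="%s" AssertionConsumerServiceURL="%s"/>'
            '</S:Header><S:Body><samlp:Response xmlns:samlp="%s" ID="_res1"/>'
            '</S:Body></S:Envelope>' % (SOAP, ECP, NEXT, acs_url, SAMLP))

def parse_sp_request(env):
    """Return (responseConsumerURL, RelayState, envelope to POST to the IdP)."""
    root = ET.fromstring(env)
    hdr = root.find("S:Header", NS)
    consumer = hdr.find("paos:Request", NS).get("responseConsumerURL")
    relay = hdr.find("ecp:RelayState", NS).text
    root.remove(hdr)  # paos:Request and ecp:RelayState are for the client, not the IdP
    return consumer, relay, ET.tostring(root, encoding="unicode")

def forward_to_sp(idp_env, consumer_url, relay):
    """ECP client check: AssertionConsumerServiceURL from the IdP must equal the SP's
    responseConsumerURL; else the client sends the SP a SOAP fault, never the assertion."""
    root = ET.fromstring(idp_env)
    hdr = root.find("S:Header", NS)
    resp = hdr.find("ecp:Response", NS)
    if resp is None or resp.get("AssertionConsumerServiceURL") != consumer_url:
        return None  # caller must send a SOAP fault to the SP instead
    for block in list(hdr): hdr.remove(block)  # SP expects only its RelayState header
    rs = ET.SubElement(hdr, "{%s}RelayState" % ECP,
                       {"{%s}mustUnderstand" % SOAP: "1", "{%s}actor" % SOAP: NEXT})
    rs.text = relay
    return ET.tostring(root, encoding="unicode")
```

The mismatch branch is what stops a misconfigured or hostile IdP endpoint from steering the assertion to a consumer URL other than the one the SP asked for.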

A Basic ECP IdP Test Script

The testecp.sh script (modified from the original at shibboleth.net) provides a basic test for a SAML ECP enabled identity provider. Simply modify the parameters at the top of the script to match your identity provider and service provider configuration. To test your service provider using ProtectNetwork's IdP, you must first register your SP with ProtectNetwork.
Attachments:
  • (unnamed attachment) Jim Basney, Oct 23, 2012, 8:23 AM
  • testecp.sh (2k) Jim Basney, May 1, 2015, 9:41 AM