About CILogon

CILogon is a project of the Cybersecurity Directorate at the National Center for Supercomputing Applications, University of Illinois.

ECP

CILogon's ECP support is experimental. Please contact us at help@cilogon.org if you try ECP with CILogon to tell us how it worked for you.

ECP stands for "Enhanced Client or Proxy", a SAML v.2.0 profile which allows for the exchange of SAML attributes outside the context of a web browser. Thus, ECP can be very useful for non-browser cyberinfrastructure applications (command-line, thick-client, etc.). Below are a few links describing the ECP profile in detail.

SAML V.2.0 Profile (See Section 4.2-"Enhanced Client or Proxy (ECP) Profile")
SAML V.2.0 ECP Profile Version 2.0 (Working Draft 02)
Shibboleth 2.x ECP

In the ECP profile, both the Service Provider (SP) and the Identity Provider (IdP) must understand the ECP SOAP/PAOS binding. The CILogon Service Provider supports fetching an end-user X.509 certificate using any InCommon-member ECP-enabled IdP. Below is a Perl script which can fetch a certificate or PKCS12 credential from the CILogon Service.

ecp.pl - Fetch a certificate from the CILogon Service via ECP

This Perl script can be run interactively (where the user will be prompted for all information) or in batch mode (by the use of command line options). Run "ecp.pl -h" to see usage information.

The script relies on several Perl packages, all of which are available in CPAN or via the package manager for your O/S. The script also requires OpenSSL. If you have installed the openssl binary in a location other than /usr/bin/openssl, you will need to modify the script to point to the location of openssl on your system.

Note that your IdP must release the attributes required by CILogon for you to obtain a certificate. Please test that your IdP is releasing the needed attributes by visiting https://cilogon.org/secure/testidp/.

A list of InCommon-member ECP-enabled IdPs is maintained on the CILogon servers. If you would like to add your ECP-enabled IdP to this list, please send email to help@cilogon.org.

Example

The following transcript demonstrates how to use the ecp.pl script to obtain a short-lived (12 hour) certificate from CILogon on the command-line.

$ curl -sSO https://cilogon.org/ecp.pl
$ perl ecp.pl --get cert -c create -k userkey.pem -o usercert.pem -t 12
Select an Identity Provider (IdP):
  1> LTER Network
  2> ProtectNetwork
  3> University of Chicago
  4> University of Washington
  5> Specify the URL of another IdP

Choose [2]: 2
Enter a username for the Identity Provider: jbasney
Enter a password for the Identity Provider: ********
$ openssl x509 -subject -noout < usercert.pem
subject= /DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Jim Basney A685

As illustrated in the above example, if your identity provider does not yet support SAML ECP, you can register for a ProtectNetwork UserID and use your ProtectNetwork username and password for command-line authentication.
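Once ecp.pl has written usercert.pem and userkey.pem, the following POSIX shell script (an added example, not part of cilogon.org or ecp.pl) checks that the private key belongs to the certificate, that the certificate is currently valid and is as short-lived as requested with -t, and that it was issued under the /DC=org/DC=cilogon namespace seen in the transcript. It assumes openssl is on PATH; the file names are the ones used above.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair fetched with ecp.pl
# before handing it to a job or tool. Uses only the openssl CLI.

# 0 if the public key inside the certificate equals the key's public half.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate has not expired yet (-checkend 0 fails once expired).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# 0 if the certificate expires within $2 hours, i.e. it really is the
# short-lived credential asked for with "-t 12"; 1 if it lives longer.
cert_expires_within_hours() {
    if openssl x509 -in "$1" -noout -checkend $(($2 * 3600)) >/dev/null 2>&1; then
        return 1   # still valid after the window: longer-lived than expected
    fi
    return 0
}

# 0 if the subject DN contains DC=cilogon. Spaces are stripped first so the
# check does not depend on how this OpenSSL version formats the DN.
cert_subject_is_cilogon() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | tr -d ' ') || return 2
    case $subj in
        *DC=cilogon*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Run every check; print one line per failure; non-zero if any check failed.
check_credential() {
    cert=$1; key=$2; max_hours=${3:-12}; rc=0
    key_matches_cert "$cert" "$key"                 || { echo "key does not match $cert"; rc=1; }
    cert_not_expired "$cert"                        || { echo "$cert has expired"; rc=1; }
    cert_expires_within_hours "$cert" "$max_hours"  || { echo "$cert lives longer than ${max_hours}h"; rc=1; }
    cert_subject_is_cilogon "$cert"                 || { echo "$cert was not issued under DC=cilogon"; rc=1; }
    return $rc
}

# Usage: sh check_cred.sh usercert.pem userkey.pem [max_hours]
if [ "$#" -ge 2 ]; then
    check_credential "$@"
fi
```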