ECP stands for "Enhanced Client or Proxy", a SAML 2.0 profile that allows SAML attributes to be exchanged outside the context of a web browser. ECP is therefore very useful for non-browser cyberinfrastructure applications (command-line, thick-client, etc.). Note that with ECP the client itself prompts for the user's IdP username and password and presents them to the IdP, so only trusted ECP client software should be run, and only on hosts you trust. Below are a few links describing the ECP profile in detail.
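The exchange the profile defines, as an added example that is not part of this page or of ecp.pl: a client written against Python's standard library handles the service provider's PAOS request, forwards the AuthnRequest body to the IdP, and, before delivering the IdP's reply, enforces the profile's check that the IdP's AssertionConsumerServiceURL equals the responseConsumerURL the SP named. The envelopes, hostnames (sp.example.org, attacker.example.net) and message IDs are constructed for the example; the HTTP transport (the PAOS GET to the SP, the POST to the IdP with HTTP Basic authentication, the final POST to the SP) is left out so the logic runs offline.

```python
"""Client side of the SAML 2.0 ECP exchange (added example; not ecp.pl's code).
All URLs, IDs and envelopes below are constructed samples."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
# HTTP request headers that make an ECP-aware SP answer with a PAOS envelope
# instead of redirecting the client to a browser login page.
PAOS_HTTP_HEADERS = {"Accept": "text/html; application/vnd.paos+xml",
                     "PAOS": 'ver="%s";"%s"' % (NS["paos"], NS["ecp"])}

class EcpError(Exception):
    """Malformed envelope or failed endpoint check."""

@dataclass
class SpRequest:
    response_consumer_url: str
    message_id: str
    relay_state: str
    idp_envelope: str  # POSTed to the IdP's ECP endpoint with HTTP Basic auth

def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def parse_sp_request(envelope_xml):
    """Step 1, the SP's PAOS request: remember responseConsumerURL, strip the
    PAOS/ECP header block and forward only the AuthnRequest body to the IdP."""
    env = ET.fromstring(envelope_xml)
    header, body = env.find("soap:Header", NS), env.find("soap:Body", NS)
    if header is None or body is None:
        raise EcpError("SP reply is not a SOAP envelope")
    req = header.find("paos:Request", NS)
    if req is None or req.get("service") != NS["ecp"]:
        raise EcpError("no paos:Request for the ECP service")
    rc_url = req.get("responseConsumerURL")
    if not rc_url or body.find("samlp:AuthnRequest", NS) is None:
        raise EcpError("missing responseConsumerURL or AuthnRequest")
    relay = header.find("ecp:RelayState", NS)
    env.remove(header)
    return SpRequest(rc_url, req.get("messageID", ""),
                     relay.text if relay is not None else "",
                     ET.tostring(env, encoding="unicode"))

def build_sp_response(idp_envelope_xml, sp_req):
    """Step 2, the IdP's reply: the profile requires the client to compare the
    IdP's AssertionConsumerServiceURL with the SP's responseConsumerURL and to
    abort on mismatch (posting a SOAP fault to the SP instead), so a tampered
    AuthnRequest cannot steer the assertion to another endpoint. Returns the
    ACS URL and the envelope to POST there as application/vnd.paos+xml."""
    env = ET.fromstring(idp_envelope_xml)
    header, body = env.find("soap:Header", NS), env.find("soap:Body", NS)
    if header is None or body is None:
        raise EcpError("IdP reply is not a SOAP envelope")
    resp = header.find("ecp:Response", NS)
    acs_url = resp.get("AssertionConsumerServiceURL") if resp is not None else None
    if acs_url != sp_req.response_consumer_url:
        raise EcpError("ACS URL %r does not match responseConsumerURL %r"
                       % (acs_url, sp_req.response_consumer_url))
    if body.find("samlp:Response", NS) is None:
        raise EcpError("IdP body carries no samlp:Response")
    env.remove(header)  # the ecp:Response header was addressed to the client
    hdr = ET.Element(_tag("soap", "Header"))
    mu = {_tag("soap", "mustUnderstand"): "1", _tag("soap", "actor"): NEXT}
    paos = ET.SubElement(hdr, _tag("paos", "Response"), dict(mu))
    if sp_req.message_id:
        paos.set("refToMessageID", sp_req.message_id)
    if sp_req.relay_state:  # RelayState goes back to the SP unchanged
        ET.SubElement(hdr, _tag("ecp", "RelayState"), dict(mu)).text = sp_req.relay_state
    env.insert(0, hdr)
    return acs_url, ET.tostring(env, encoding="unicode")

# Constructed samples (sp.example.org is made up). mustUnderstand/actor attributes
# and the SP's ecp:Request header are omitted; a real IdP reply also carries a
# signed saml:Assertion, which the SP, not the client, verifies.
ACS = "https://sp.example.org/Shibboleth.sso/SAML2/ECP"
SP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<S:Header><paos:Request messageID="_m1" responseConsumerURL="%s"
 service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
<ecp:RelayState>ss:mem:c0ffee</ecp:RelayState></S:Header>
<S:Body><samlp:AuthnRequest ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
 AssertionConsumerServiceURL="%s"><saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest></S:Body></S:Envelope>""" % (ACS, ACS)
IDP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<S:Header><ecp:Response AssertionConsumerServiceURL="%s"/></S:Header>
<S:Body><samlp:Response ID="_p1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z"
 InResponseTo="_r1" Destination="%s"><samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response></S:Body></S:Envelope>"""
IDP_ENVELOPE_OK = IDP_ENVELOPE % (ACS, ACS)
# Same reply, but the header names another endpoint: the client must refuse it.
IDP_ENVELOPE_BAD = IDP_ENVELOPE % ("https://attacker.example.net/acs", ACS)
```

parse_sp_request consumes what the SP returns to a GET that carries PAOS_HTTP_HEADERS; its idp_envelope field is the body that goes to the IdP's ECP endpoint. build_sp_response then yields the URL and body for the final POST to the SP, and raises EcpError when the two endpoints disagree, as the IDP_ENVELOPE_BAD sample shows; a real client should at that point POST a SOAP fault to responseConsumerURL and stop rather than deliver the assertion anywhere.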
Note that your IdP must release the attributes required by CILogon for you to obtain a certificate. Please test that your IdP is releasing the needed attributes by visiting https://cilogon.org/testidp/.
LIGO users should use the
The script relies on several Perl packages, all of which are available from CPAN or via the package manager for your OS. If you receive an error message about SSL and Certificate Authorities, you may also need to install the Mozilla::CA Perl module, which supplies the CA bundle used to verify the IdP's TLS certificate. For example:
$ perl -MCPAN -e 'install Crypt::SSLeay'
$ perl -MCPAN -e 'install Mozilla::CA'
The script also requires OpenSSL. If you have installed the
$ curl -sSO https://cilogon.org/ecp.pl
$ perl ecp.pl --get cert -c create -k userkey.pem -o usercert.pem -t 12
Select an Identity Provider (IdP):
    1> Clemson University
    2> LIGO Scientific Collaboration
    3> LTER Network
    4> Penn State University
    5> ProtectNetwork
    6> University of Chicago
    7> University of Illinois at Urbana-Champaign
    8> University of Michigan
    9> University of Tennessee
    10> University of Utah
    11> University of Washington
    12> University of Wisconsin-Madison
    13> Specify the ECP endpoint URL of another ECP-enabled IdP
Choose :
Enter a username for the Identity Provider: jbasney
Enter a password for the Identity Provider: ********
$ openssl x509 -subject -noout < usercert.pem
subject= /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534

The following transcript demonstrates how to use the ecp.pl script to obtain credentials for use with the Globus Toolkit. Note that this run requests a 264 hour (11 day) proxy with --lifetime 264; the 12 hour lifetime used above (-t 12) is the safer choice for a credential that will sit on a shared host.

$ curl -sSO https://cilogon.org/ecp.pl
$ perl ecp.pl --proxyfile --certreq create --lifetime 264 --vo "osg" --idpname "Urbana-Champaign"
Enter a username for the Identity Provider: jbasney
Enter a password for the Identity Provider:
$ grid-proxy-info
subject  : /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534
issuer   : /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
identity : /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534
type     : end entity credential
strength : 2048 bits
path     : /tmp/x509up_u501
timeleft : 263:59:54 (11.0 days)

The above example also illustrates how to specify your virtual organization (--vo) and identity provider (--idpname) on the command line.
The testecp.sh script (modified from the original at shibboleth.net) provides a basic test of a SAML ECP-enabled identity provider. Modify the parameters at the top of the script to match your identity provider and service provider configuration. To test your service provider against ProtectNetwork's IdP, you must first register your SP with ProtectNetwork.