ECP stands for "Enhanced Client or Proxy", a SAML v.2.0 profile which allows for the exchange of SAML attributes outside the context of a web browser. Thus, ECP can be very useful for non-browser cyberinfrastructure applications (command-line, thick-client, etc.). Below are a few links describing the ECP profile in detail.
Note that your IdP must release the attributes required by CILogon for you to obtain a certificate. Please test that your IdP is releasing the needed attributes by visiting https://cilogon.org/testidp/.

ECP at Fermilab

Fermilab users should use the

ECP for LIGO

LIGO users should use the

CILogon's ecp.pl script

Below is a Perl script which can fetch a certificate or PKCS12 credential from the CILogon Service. Run "perl ecp.pl -h" to see usage information.
The script relies on several Perl packages, all of which are available in CPAN or via the package manager for your O/S. If you receive an error message about SSL and Certificate Authorities, you may also need to install the Mozilla::CA Perl module. For example:
$ perl -MCPAN -e 'install Crypt::SSLeay'
$ perl -MCPAN -e 'install Mozilla::CA'
The script also requires OpenSSL. If you have installed the

ecp.pl examples

The following transcript demonstrates how to use the ecp.pl script to obtain a short-lived (12 hour) certificate from CILogon on the command-line.

$ curl -sSO https://cilogon.org/ecp.pl
$ perl ecp.pl --get cert -c create -k userkey.pem -o usercert.pem -t 12
Select an Identity Provider (IdP):
 1> Clemson University
 2> LIGO Scientific Collaboration
 3> LTER Network
 4> Penn State University
 5> ProtectNetwork
 6> University of Chicago
 7> University of Illinois at Urbana-Champaign
 8> University of Michigan
 9> University of Tennessee
10> University of Utah
11> University of Washington
12> University of Wisconsin-Madison
13> Specify the ECP endpoint URL of another ECP-enabled IdP
Choose [7]:
Enter a username for the Identity Provider: jbasney
Enter a password for the Identity Provider: ********
$ openssl x509 -subject -noout < usercert.pem
subject= /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534

The following transcript demonstrates how to use the ecp.pl script to obtain short-lived (12 hour) credentials for use with the Globus Toolkit.

$ curl -sSO https://cilogon.org/ecp.pl
$ perl ecp.pl --proxyfile --certreq create --lifetime 264 --vo "osg" --idpname "Urbana-Champaign"
Enter a username for the Identity Provider: jbasney
Enter a password for the Identity Provider:
$ grid-proxy-info
subject  : /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534
issuer   : /DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1
identity : /DC=org/DC=cilogon/C=US/O=University of Illinois at Urbana-Champaign/CN=James Basney A534
type     : end entity credential
strength : 2048 bits
path     : /tmp/x509up_u501
timeleft : 263:59:54 (11.0 days)

The above example also illustrates how to specify your virtual organization and identity provider on the command-line.

Technical Details
The following sequence diagram illustrates the network protocol used for CILogon's ECP support. The ecp.pl command-line interface performs HTTP Basic authentication (username/password) with the chosen SAML identity provider (IdP) to obtain a SAML authentication assertion for use with CILogon. CILogon never sees the user's password.
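The exchange described above, written out as an added Python example that is not part of this page, of ecp.pl, or of CILogon's implementation. It runs the client side of the SAML 2.0 ECP profile against two constructed SOAP messages: the SP's PAOS request (with its responseConsumerURL and RelayState), the AuthnRequest forwarded to the IdP under HTTP Basic authentication, and the IdP's answer wrapped for delivery back to the SP. The SP and IdP URLs, the RelayState value, the username/password and all function names are assumptions; real messages are signed, carry far more content, and travel over HTTPS. The one check worth seeing is in step 4: the ECP profile requires the client to refuse an IdP answer whose AssertionConsumerServiceURL differs from the responseConsumerURL the SP supplied, since otherwise the assertion would be delivered somewhere the SP never asked for.

```python
# Added example (not ecp.pl and not CILogon's code): the client side of the
# SAML 2.0 ECP exchange, run against constructed SOAP messages. All URLs,
# the RelayState value, the credentials and the function names are assumptions.
import base64
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed SP answer to the PAOS request (a real one is signed and much larger).
SP_ENVELOPE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <paos:Request responseConsumerURL="https://sp.example.org/Shibboleth.sso/SAML2/ECP"
                  service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:RelayState>rs-123</ecp:RelayState>
  </S:Header>
  <S:Body><samlp:AuthnRequest ID="_req1"/></S:Body>
</S:Envelope>"""

def idp_envelope(acs_url):
    """Constructed IdP answer; the Response body stands in for a signed one."""
    return f"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header><ecp:Response AssertionConsumerServiceURL="{acs_url}"/></S:Header>
  <S:Body><samlp:Response ID="_resp1"/></S:Body>
</S:Envelope>""".encode()

def paos_discovery_headers():
    """Step 1: headers that tell the SP the client speaks ECP over PAOS."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": 'ver="urn:liberty:paos:2003-08";'
                    '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}

def parse_sp_request(envelope_xml):
    """Step 2: record where the SP wants the final answer delivered
    (responseConsumerURL) and its RelayState; keep the body for the IdP."""
    root = ET.fromstring(envelope_xml)
    paos_req = root.find("soap:Header/paos:Request", NS)
    relay = root.find("soap:Header/ecp:RelayState", NS)
    body = root.find("soap:Body", NS)
    if paos_req is None or body is None:
        raise ValueError("not a PAOS/ECP request")
    return {"response_consumer_url": paos_req.get("responseConsumerURL"),
            "relay_state": None if relay is None else relay.text,
            "body": body}

def idp_request(sp_req, username, password):
    """Step 3: drop the SP's SOAP header and send the AuthnRequest to the IdP
    with HTTP Basic auth. The password goes only to the IdP, never to the SP."""
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    env.append(sp_req["body"])
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + creds, "Content-Type": "text/xml"}, ET.tostring(env)

def build_sp_post(idp_xml, sp_req):
    """Step 4: the IdP names the AssertionConsumerServiceURL its Response is
    for. It must equal the responseConsumerURL from step 2; otherwise the
    assertion would land somewhere the SP never asked for, so refuse."""
    root = ET.fromstring(idp_xml)
    ecp_resp = root.find("soap:Header/ecp:Response", NS)
    body = root.find("soap:Body", NS)
    if ecp_resp is None or body is None:
        raise ValueError("not an ECP response")
    acs_url = ecp_resp.get("AssertionConsumerServiceURL")
    if acs_url != sp_req["response_consumer_url"]:
        raise ValueError(f"ACS URL {acs_url!r} does not match "
                         f"{sp_req['response_consumer_url']!r}")
    env = ET.Element(f"{{{NS['soap']}}}Envelope")  # header now carries RelayState only
    if sp_req["relay_state"] is not None:
        hdr = ET.SubElement(env, f"{{{NS['soap']}}}Header")
        ET.SubElement(hdr, f"{{{NS['ecp']}}}RelayState").text = sp_req["relay_state"]
    env.append(body)
    return acs_url, {"Content-Type": "application/vnd.paos+xml"}, ET.tostring(env)

def run_demo():
    """Run the exchange on the constructed messages and report what was built."""
    sp_req = parse_sp_request(SP_ENVELOPE)
    auth_headers, _ = idp_request(sp_req, "jbasney", "hunter2")
    good = build_sp_post(idp_envelope(sp_req["response_consumer_url"]), sp_req)
    try:  # an IdP answer pointing at a different URL must be rejected
        build_sp_post(idp_envelope("https://other.example/acs"), sp_req)
        rejected = False
    except ValueError:
        rejected = True
    return {"authorization": auth_headers["Authorization"], "post_url": good[0],
            "post_body": good[2], "rejected_bad_acs": rejected}
```

Calling run_demo() walks all four steps: the Authorization header is built for the IdP alone, the message posted back to the SP carries the SP's RelayState and the IdP's Response but not the original AuthnRequest, and a mismatched AssertionConsumerServiceURL is refused before anything is sent.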