Spring Security SAML and ECP

Question

I have java web app using the Spring Security SAML extension (release 1.0), acting as an SP. This SP uses pre-configured metadata and it's worked fine for browser based clients. I'm now trying to add ECP support and I've added the following to the SP's extended metadata bean within the metadata bean:

<property name="ecpEnabled" value="true"/>

I make a GET request with the following as the header params:

Accept: application/vnd.paos+xml
PAOS: ver='urn:liberty:paos:2003-08';'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp'

My web app throws this exception:

HTTP Status 500 - org.opensaml.saml2.metadata.provider.MetadataProviderException: Service provider has no assertion consumer service available for the selected profile org.opensaml.saml2.metadata.impl.SPSSODescriptorImpl@7fe2dde8

...root cause...

org.opensaml.saml2.metadata.provider.MetadataProviderException: Service provider has no assertion consumer service available for the selected profile org.opensaml.saml2.metadata.impl.SPSSODescriptorImpl@7fe2dde8 org.springframework.security.saml.websso.WebSSOProfileImpl.getAssertionConsumerService(WebSSOProfileImpl.java:205) org.springframework.security.saml.websso.WebSSOProfileECPImpl.sendAuthenticationRequest(WebSSOProfileECPImpl.java:55) org.springframework.security.saml.SAMLEntryPoint.initializeECP(SAMLEntryPoint.java:185).....

So it looks like it's trying to start the ECP process but I don't understand why I'm getting this exception. I followed the Spring SAML documentation and it didn't mention anything about this in the ECP section.

Answer 1

Make sure that your SP metadata contains an endpoint with binding urn:oasis:names:tc:SAML:2.0:bindings:PAOS.

The metadata generation UI of Spring SAML sample application has a checkbox for its inclusion, or add it to the MetadataGenerator bean, using property bindingSSO, e.g.:

<property name="bindingsSSO">
    <list>
        <value>post</value>
        <value>artifact</value>
        <value>paos</value>
    </list>
</property>