AAF ECP Validator


This is a validation service for AAF Identity Providers which have configured ECP as an authentication mechanism.

This is a demonstration / testing service, and MUST NOT be used by Service Providers to implement ECP.


The prerequisites below are reasonably technical in nature and are probably best handled by Identity Provider administrators.

To operate the ECP validator you must have the following prerequisites available to you:

  1. Access to a command line for executing the validation client. Linux or Mac OSX are the best candidates for this purpose. Windows users should be able to run the test application but may have additional requirements beyond those shown below;
  2. An installation of Python 2.7.5 or greater available on your PATH;
  3. A copy of the validation client aaf-ecp-validator.py downloaded from our Github repository at https://github.com/ausaccessfed/ecpvalidator/tree/develop/client;
  4. Your Identity Provider has been configured per the AAF technical guide to support ECP using Basic Auth as the authentication mechanism.

Testing your Identity Provider

  1. Ensure that you can successfully login to the Attribute Validator using your browser of choice. If there are any problems these must be fixed before continuing;
  2. Navigate to the list of Identity Providers within Federation Registry and find your Identity Provider's listing (this should also be linked from your Federation Registry dashboard);
  3. Click on:
    SAML > Endpoints > Single Sign On Services
  4. Take a copy of the location for the ECP endpoint associated with your Identity Provider. This will be used next as <ssourl>.

    To help you identify the correct endpoint it should have the form: https://idp.university.edu.au/idp/profile/SAML2/SOAP/ECP

  5. Run the following command:

    $> python aaf-ecp-validator.py <ssourl> https://ecpvalidator.test.aaf.edu.au/validate <your username>

    You should receive output similar to the following if all is well, or a specific error message for your attention.

    $> python aaf-ecp-validator.py https://vho.test.aaf.edu.au/idp/profile/SAML2/SOAP/ECP https://ecpvalidator.test.aaf.edu.au/validate bradleybeddoes
    Enter password for login 'bradleybeddoes':
    The AAF ECP Validator was provided the following about your account via ECP session establishment:
    eduPersonTargetedID:          https://vho.test.aaf.edu.au/idp/shibboleth!https://ecpvalidator.test.aaf.edu.au/shibboleth!mHCYKXzzZGZMtSOJ090wfSpE0hA=
    displayName:                  Bradley Beddoes
    Notice: This is example data only. Real ECP clients will work with data received by the service provider installed as part of their service. All AAF defined attributes are available.
    Raw JSON response:
    {"service":{"name":"AAF ECP Validator","version":"0.2.1"},"subject":{"principal":"https://vho.test.aaf.edu.au/idp/shibboleth!https://ecpvalidator.test.aaf.edu.au/shibboleth!mHCYKXzzZGZMtSOJ090wfSpE0hA=","display_name":"Bradley Beddoes"},"notice":"This is example data only. Real ECP clients will work with data received by the service provider installed as part of their service. All AAF defined attributes are available."}
    ECP session completed.
  6. Should you have errors and need extra output, add the -d flag for debug output immediately after the client name as follows:

    $> python aaf-ecp-validator.py -d <ssourl> https://ecpvalidator.test.aaf.edu.au/validate <your username>
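
A pre-flight check for the steps above, added here as an example (it is not part of aaf-ecp-validator.py or any AAF code, and it runs on Python 3): it confirms that <ssourl> has the HTTPS ECP form from step 4 before a password is sent to it with Basic Auth, and splits the principal in the raw JSON response into its three `!`-separated parts as seen in the sample output. The function names and the sample response are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Path suffix taken from the endpoint form shown in step 4.
ECP_PATH_SUFFIX = "/profile/SAML2/SOAP/ECP"

# Constructed sample in the shape of the "Raw JSON response" line; not real output.
SAMPLE_RESPONSE = (
    '{"service":{"name":"AAF ECP Validator","version":"0.2.1"},'
    '"subject":{"principal":"https://idp.example.edu.au/idp/shibboleth!'
    'https://sp.example.edu.au/shibboleth!c2FtcGxlLW9wYXF1ZQ==",'
    '"display_name":"Sample User"}}'
)


def check_sso_url(ssourl):
    """Return a list of problems with <ssourl>; an empty list means none found."""
    problems = []
    parts = urlparse(ssourl)
    if parts.scheme != "https":
        # The password travels to this URL via Basic Auth, so insist on TLS.
        problems.append("scheme is %r, expected https" % parts.scheme)
    if not parts.hostname:
        problems.append("no hostname")
    if not parts.path.rstrip("/").endswith(ECP_PATH_SUFFIX):
        problems.append("path does not end with " + ECP_PATH_SUFFIX)
    if parts.username or parts.password:
        problems.append("credentials embedded in the URL")
    return problems


def parse_validator_response(raw):
    """Split the validator's JSON into IdP, SP and opaque ID, or raise ValueError."""
    data = json.loads(raw)
    subject = data.get("subject") if isinstance(data, dict) else None
    if not isinstance(subject, dict):
        raise ValueError("response has no 'subject' object")
    pieces = str(subject.get("principal", "")).split("!", 2)
    if len(pieces) != 3 or not all(pieces):
        raise ValueError("principal is not of the form idp!sp!opaque-id")
    return {"idp": pieces[0], "sp": pieces[1], "opaque_id": pieces[2],
            "display_name": subject.get("display_name")}


if __name__ == "__main__":
    print(check_sso_url("https://idp.university.edu.au/idp/profile/SAML2/SOAP/ECP"))
    print(parse_validator_response(SAMPLE_RESPONSE))
```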