diff --git a/release_notes/topics/18_0_0.adoc b/release_notes/topics/18_0_0.adoc index cdea6be521..c2561ed014 100644 --- a/release_notes/topics/18_0_0.adoc +++ b/release_notes/topics/18_0_0.adoc @@ -67,6 +67,13 @@ There are more WebAuthn improvements and fixes in addition to that. For more details, see link:{adminguide_link}#_user_session_limits[{adminguide_name}]. Thanks to https://github.com/mfdewit[Mauro de Wit] for the contribution. +== SAML ECP Profile is disabled by default + +To mitigate the risk of abusing SAML ECP Profile, {project_name} now blocks +this flow for all SAML clients that do not allow it explicitly. The profile +can be enabled using _Allow ECP Flow_ flag within client configuration, +see link:{adminguide_link}#_client-saml-configuration[{adminguide_name}]. + == Quarkus distribution === Import realms at startup diff --git a/server_admin/topics/clients/saml/proc-creating-saml-client.adoc b/server_admin/topics/clients/saml/proc-creating-saml-client.adoc index 53275ce926..87139cdce6 100644 --- a/server_admin/topics/clients/saml/proc-creating-saml-client.adoc +++ b/server_admin/topics/clients/saml/proc-creating-saml-client.adoc @@ -72,6 +72,8 @@ This option is used when {project_name} server and adapter provide the IDP and S *Force Name ID Format*:: If a request has a name ID policy, ignore it and use the value configured in the Admin Console under *Name ID Format*. +*Allow ECP Flow*:: If true, this application is allowed to use SAML ECP profile for authentication. + *Name ID Format*:: The Name ID Format for the subject. This format is used if no name ID policy is specified in a request, or if the Force Name ID Format attribute is set to ON. *Root URL*:: When {project_name} uses a configured relative URL, this value is prepended to the URL.
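Review bot: In the release-notes hunk (`18_0_0.adoc`), the new "SAML ECP Profile is disabled by default" section states the new default but omits the upgrade impact: any existing SAML client that currently relies on the ECP profile will have that flow blocked after upgrading until an administrator turns on _Allow ECP Flow_ for that client. Suggest adding a sentence along the lines of "Deployments that use ECP must enable this flag on each affected client after upgrading." Minor: "using _Allow ECP Flow_ flag" should read "using the _Allow ECP Flow_ flag".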
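Review bot: In the admin-guide hunk (`proc-creating-saml-client.adoc`), the new *Allow ECP Flow* entry describes only the enabled state; it should also state the default and what happens when the flag is off, since that is the behaviour change this patch introduces. Suggest: "*Allow ECP Flow*:: If true, this client is allowed to use the SAML ECP profile for authentication. This option is OFF by default; when OFF, ECP requests for this client are rejected." Also use "the SAML ECP profile" for consistency with the surrounding entries.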