[keycloak-dev] ArtifactResolve with Keycloak IDP

John Dennis jdennis at redhat.com
Fri Dec 9 09:37:15 EST 2016


On 12/09/2016 06:30 AM, Rashmi Singh wrote:
> We have a requirement to implement a scenario where SP can send a SOAP
> request with ArtifactResolve to the keycloak IDP which in turn sends a SOAP
> response with user attribute back to the SP.
>
> The complete detailed scenario will be:
>
> 1) User sends login request
> 2) SP sends an HTTP Redirect to keycloak IDP
> 3) keycloak IDP authenticates the user
> 4) keycloak IDP sends Http redirect to AssertionConsumerService back to SP
> 5) SP sends SOAP request with ArtifactResolve to keycloak IDP
> 6) IDP sends SOAP Response with user attribute back to SP
>
> The first four steps are what we pretty much understand. I am not sure how
> to incorporate steps 5 and 6, that is: how to send a SOAP request with
> ArtifactResolve to the keycloak IDP.
> What needs to be done on the keycloak side to support this and send back a
> SOAP response to the SP with user attributes? Could you provide any pointers
> that would help us with this scenario?

Answering your question needs more clarification, in part because I'm 
not sure if when you say in step 2 "HTTP Redirect" you're being precise 
or if you meant "SAML HTTP Redirect". If so I believe what you're 
describing is SP-Initiated SSO with POST/Artifact Bindings described in 
section 5.1.3 in SAML Technical Overview.

https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

But then in step 6 you say the response contains an attribute, not an 
assertion, which makes me wonder if you're really talking about SAML HTTP 
Redirect followed by an attribute request on the IdP AttributeAuthority 
AttributeService to request a specific attribute after authentication.

I presume you're talking about the former.

I'll let the Keycloak devs speak directly as to their support. But a 
good place to start and answer your question yourself is by looking at 
the SAML services advertised in Keycloak's IdP metadata. There is no 
ArtifactResolutionService so that eliminates using the POST/Artifact 
binding, nor is there an AttributeAuthority so that eliminates 
requesting attributes outside of an AuthnRequest. Also I'm pretty sure I 
recall hearing in the past that artifacts are not supported.

None of these features are terribly difficult to implement once you have 
basic SAML working in an IdP, they're just variants that use existing 
code slightly differently.

As for your question regarding steps 5 & 6: what do you mean by "how do you 
send a SOAP request"? Either the SP has implemented it or it hasn't. FWIW 
sending/receiving SOAP messages is relatively trivial; all you do is 
wrap/unwrap a SAML message in boilerplate XML.

-- 
John
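[Added example, not part of this thread and not Keycloak's code. It shows the two things John's reply points at: reading the services an IdP advertises in its SAML metadata to see whether an ArtifactResolutionService or AttributeService is present at all, and wrapping a samlp:ArtifactResolve in a SOAP envelope and unwrapping the samlp:ArtifactResponse that comes back. It goes one step beyond the mail by also splitting the type 0x0004 artifact (2-byte type code, 2-byte endpoint index, 20-byte SourceID, 20-byte MessageHandle) from the SAML 2.0 Bindings spec. The metadata document, the entityIDs, the ArtifactResponse and the artifact bytes are constructed samples, not real Keycloak output. Python standard library only.]

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample IdP metadata (hypothetical entityID, not Keycloak's real output).
# It advertises SSO endpoints but no ArtifactResolutionService and no AttributeAuthorityDescriptor.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def advertised_services(metadata_xml):
    """Map each endpoint element name (SingleSignOnService, ArtifactResolutionService,
    AttributeService, ...) to the list of bindings the IdP advertises for it."""
    root = ET.fromstring(metadata_xml)
    services = {}
    for role in ("md:IDPSSODescriptor", "md:AttributeAuthorityDescriptor"):
        for desc in root.findall(role, NS):
            for ep in desc:
                if ep.get("Binding"):  # skips KeyDescriptor, NameIDFormat, etc.
                    services.setdefault(ep.tag.split("}")[1], []).append(ep.get("Binding"))
    return services

def supports_artifact_resolution(metadata_xml):
    """The POST/Artifact profile needs an ArtifactResolutionService with the SOAP binding."""
    return SOAP_BINDING in advertised_services(metadata_xml).get("ArtifactResolutionService", [])

def decode_artifact(artifact_b64):
    """Split a type-0x0004 artifact so the SP knows which issuer (SourceID) to query."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a type 0x0004 SAML 2.0 artifact")
    return {"endpoint_index": int.from_bytes(raw[2:4], "big"),
            "source_id": raw[4:24], "message_handle": raw[24:44]}

def build_artifact_resolve(artifact_b64, sp_entity_id):
    """Wrap a samlp:ArtifactResolve in a SOAP 1.1 envelope (the SAML SOAP binding)."""
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    body = ET.SubElement(env, f"{{{NS['soap']}}}Body")
    req = ET.SubElement(body, f"{{{NS['samlp']}}}ArtifactResolve", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{NS['samlp']}}}Artifact").text = artifact_b64
    return ET.tostring(env, encoding="unicode")

def unwrap_soap(soap_xml):
    """Return the single SAML protocol message carried in soap:Body."""
    body = ET.fromstring(soap_xml).find("soap:Body", NS)
    if body is None or len(body) != 1:
        raise ValueError("SOAP Body must carry exactly one SAML message")
    return body[0]

def parse_artifact_response(soap_xml):
    """Return (status code, {attribute name: [values]}) from a SOAP ArtifactResponse."""
    msg = unwrap_soap(soap_xml)
    if msg.tag != f"{{{NS['samlp']}}}ArtifactResponse":
        raise ValueError("expected samlp:ArtifactResponse")
    status = msg.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    attrs = {}
    for a in msg.iterfind("samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return status, attrs

# Constructed sample ArtifactResponse, as an IdP would return it over the SOAP binding (unsigned here).
SAMPLE_ARTIFACT_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2016-12-09T14:37:15Z" InResponseTo="_q1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <samlp:Response ID="_p1" Version="2.0" IssueInstant="2016-12-09T14:37:15Z">
    <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
    <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-12-09T14:37:15Z">
      <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
      <saml:AttributeStatement>
        <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </samlp:Response>
</samlp:ArtifactResponse></soap:Body></soap:Envelope>"""
```

Run against the sample metadata, supports_artifact_resolution() returns False, which is the quick check John suggests before trying the profile at all. The SOAP exchange itself is a back channel between SP and IdP, so in a real deployment it runs over TLS with the requester authenticated (a signed ArtifactResolve or mutual TLS), the IdP resolves each artifact only once and refuses unknown or already-used ones, and the SP checks InResponseTo against the ID it sent and verifies the assertion's signature before trusting the attributes; none of that checking is in the sample above.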

