[keycloak-dev] Details on SAML Soap Binding support in Keycloak

Rashmi Singh singhrasster at gmail.com
Sun Dec 11 20:08:40 EST 2016


Just a reminder if you could send across the 2 scripts that you mentioned
you use for testing ECP. Also, any instructions on how to set up and
modifications needed on the IDP and SP to make it work will be very useful
too.

On Thu, Dec 8, 2016 at 3:37 AM, Rashmi Singh <singhrasster at gmail.com> wrote:

> Thanks John. Can you please provide me the scripts you mentioned? I can
> get started with that.
>
> On 7 Dec 2016 10:18, "John Dennis" <jdennis at redhat.com> wrote:
>
>> On 12/07/2016 07:21 AM, Rashmi Singh wrote:
>>
>>> We have a requirement to set up a SAML SP that sends a SOAP request to the
>>> Keycloak IDP, which returns the SOAP response to the SAML SP. We would like
>>> to know if Keycloak supports this? We came across something called ECP
>>> that probably provides this support but can't find details on how to
>>> use/implement it. Could you provide us with some pointers on this?
>>>
>>
>> Yes, Keycloak SOAP works; we use it in our environments to implement ECP.
>>
>>> Also, are there any sample SPs that we can use to send SOAP requests to
>>> the IDP? If not, any pointers on how to set this all up?
>>>
>>
>> ECP is its own client independent of the SP and IdP, it sits between the
>> SP and IdP during the authentication flow. On the SP side the SP must know
>> how to process a request from an ECP client. The IdP only needs to know how
>> to process SOAP messages (which Keycloak does). The idea behind ECP is it is
>> intended for non-browser clients which cannot perform the necessary
>> redirects so instead the ECP client acts as a go-between shuttling messages
>> between itself and the SP and between itself and the IdP. ECP transactions
>> are relatively easy to implement. I have 2 scripts I use for testing ECP,
>> one is a shell script and the other is a python script which uses the Lasso
>> library (same library used by our mod_auth_mellon SP implementation, which
>> also supports ECP). I can provide you with the scripts but they are meant
>> for testing and would need some clean up for your environment. The
>> Shibboleth SP also supports ECP but we do not support it (we only support
>> mod_auth_mellon at the moment).
>>
>> If you could be more specific as to what the customer needs it would help
>> focus the discussion.
>>
>>
>>
>> --
>> John
>>
>
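
The go-between role described in the thread, as an added example that is not one of John's scripts and is not Keycloak or mod_auth_mellon code: it shows the two envelope hand-offs an ECP client performs and the check the SAML 2.0 ECP profile asks the client to make before delivering the IdP's response. The messages and host names are constructed, nothing is sent over the network, and signatures are not verified.

```python
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample messages (hypothetical hosts), not captured traffic.
SP_PAOS = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}" xmlns:samlp="{NS['samlp']}">
 <S:Header><paos:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
   service="{NS['ecp']}" responseConsumerURL="https://sp.example.test/acs/paos"/></S:Header>
 <S:Body><samlp:AuthnRequest ID="_req1" Version="2.0"/></S:Body></S:Envelope>"""

def idp_response(acs_url):
    """Build a constructed IdP SOAP reply that names acs_url as the consumer."""
    return f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:ecp="{NS['ecp']}" xmlns:samlp="{NS['samlp']}">
 <S:Header><ecp:Response S:mustUnderstand="1" AssertionConsumerServiceURL="{acs_url}"/></S:Header>
 <S:Body><samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0"/></S:Body></S:Envelope>"""

def sp_to_idp(paos_xml):
    """Step 1: take the SP's PAOS envelope, remember where the SP wants the
    answer, and drop the SP-only header before POSTing the body to the IdP."""
    env = ET.fromstring(paos_xml)
    header = env.find("S:Header", NS)
    consumer_url = header.find("paos:Request", NS).get("responseConsumerURL")
    env.remove(header)
    return ET.tostring(env), consumer_url

def idp_to_sp(idp_xml, consumer_url):
    """Step 2: refuse to deliver the response unless the IdP's
    AssertionConsumerServiceURL equals the URL the SP asked for."""
    env = ET.fromstring(idp_xml)
    header = env.find("S:Header", NS)
    acs = header.find("ecp:Response", NS).get("AssertionConsumerServiceURL")
    if acs != consumer_url:
        raise ValueError(f"ACS mismatch: IdP says {acs!r}, SP asked for {consumer_url!r}")
    env.remove(header)
    return consumer_url, ET.tostring(env)  # (URL to POST to, envelope for the SP)
```

A mismatch means the response was issued for a different consumer than the one the SP named; the profile has the client report a SOAP fault to the SP in that case rather than forward the assertion.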

