[keycloak-user] ECP example?

Carlos Villegas cav at uniscope.jp
Mon Oct 17 22:07:01 EDT 2016


Hmm... I saw some classes in the adapters 2.2.1 code about ECP so I did 
some experiments.

If I set the adapter as a regular POST binding and then send the headers

Accept: application/vnd.paos+xml

PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

the SP seems to respond the right way with a SOAP message that looks 
about right. Except it's not sending the Content-type header and then 
the Shibboleth java client I'm using to test doesn't react. I then 
patched the o.k.adapters.saml.profile.ecp.EcpAuthenticationHandler to 
set Content-Type: application/vnd.paos+xml and I get a little bit 
further. The client logs in to the IDP and gets the tokens but after that 
it's not working. But at this point I don't know where the fault is, in 
the client or the SP. The client was not sending the right content type 
either to the IDP, which according to some other post, should be 
text/xml. I fixed that also on the client and seems to do the login now, 
I see the correct user attributes in the response. But after that it 
seems to get into some loop and I get some authentication error.

Are you saying the adapters' ECP support is not completely functional?

Thanks,
Carlos

On 10/18/2016 3:35 AM, Stian Thorgersen wrote:
> The client adapters don't support SAML ECP so you'd need to use a 
> different SAML SP library for that.
>
> On 14 October 2016 at 03:59, Carlos Villegas <cav at uniscope.jp> wrote:
>
>     I want to secure a servlet REST application. My client is Java, so far
>     I've been using apache httpclient.
>     The Keycloak docs mention SAML ECP binding is supported, but I don't see
>     an example.
>     The admin pages seem to assume only POST or redirect binding.
>     Does the client adapter support ECP binding? Any pointers or help on how
>     to go about it?
>     I need help on both the client adapter and how to use Keycloak as a SAML
>     ECP IDP.
>
>     Thanks,
>     Carlos
>
>
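The header expectations described in the message above, checked over constructed header sets. This is an added example, not code from the thread, the Shibboleth client or Keycloak. The leg names and function names are hypothetical, and the `text/xml` expectation for the IdP request is taken from the thread as stated there.

```python
import re

PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
PAOS_VERSION = "urn:liberty:paos:2003-08"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"

def media_types(value):
    """Lower-cased media types from an Accept/Content-Type value, parameters dropped."""
    return [p.split(";")[0].strip().lower() for p in (value or "").split(",") if p.strip()]

def parse_paos(value):
    """Split a PAOS header into (versions, services), each a set of quoted URIs."""
    versions, services = set(), set()
    for i, field in enumerate((value or "").split(";")):
        uris = re.findall(r'"([^"]*)"', field)  # an unterminated quote yields nothing
        if i == 0 and field.strip().lower().startswith("ver="):
            versions.update(uris)
        else:
            services.update(uris)
    return versions, services

def check_leg(leg, headers):
    """Return the list of header problems for one leg of the exchange (empty = OK)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems = []
    if leg == "client->sp":
        if PAOS_MEDIA_TYPE not in media_types(h.get("accept")):
            problems.append("Accept does not offer " + PAOS_MEDIA_TYPE)
        versions, services = parse_paos(h.get("paos"))
        if PAOS_VERSION not in versions:
            problems.append("PAOS header lacks ver=" + PAOS_VERSION)
        if ECP_SERVICE not in services:
            problems.append("PAOS header lacks the ECP service URI")
    elif leg == "sp->client":
        if media_types(h.get("content-type")) != [PAOS_MEDIA_TYPE]:
            problems.append("SP response Content-Type is not " + PAOS_MEDIA_TYPE)
    elif leg == "client->idp":  # text/xml as reported in the thread
        if media_types(h.get("content-type")) != ["text/xml"]:
            problems.append("IdP request Content-Type is not text/xml")
    else:
        raise ValueError("unknown leg: " + leg)
    return problems

if __name__ == "__main__":
    # Constructed sample: an SP response with no Content-Type, the symptom described above.
    print(check_leg("sp->client", {"Cache-Control": "no-cache"}))
```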


