[keycloak-user] ECP example?

Stian Thorgersen sthorger at redhat.com
Tue Oct 18 01:21:24 EDT 2016


AFAIK we have no support for ECP in the adapters. Pedro, can you comment?

On 18 October 2016 at 04:07, Carlos Villegas <cav at uniscope.jp> wrote:

> Hmm... I saw some classes in the adapters 2.2.1 code about ECP so I did
> some experiments.
>
> If I set the adapter as a regular POST binding and then send the headers
>
> Accept: application/vnd.paos+xml
>
> PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
>
> the SP seems to respond the right way with a SOAP message that looks
> about right. Except it's not sending the Content-Type header and then
> the Shibboleth Java client I'm using to test doesn't react. I then
> patched the o.k.adapters.saml.profile.ecp.EcpAuthenticationHandler to
> set Content-Type: application/vnd.paos+xml and I get a little bit
> further. The client logs in to the IDP and gets the tokens but after that
> it's not working. But at this point I don't know where the fault is, in
> the client or the SP. The client was not sending the right content type
> either to the IDP, which according to some other post, should be
> text/xml. I fixed that also on the client and it seems to do the login now,
> I see the correct user attributes in the response. But after that it
> seems to get into some loop and I get some authentication error.
>
> Are you saying the adapters' ECP support is not completely functional?
>
> Thanks,
> Carlos
>
> On 10/18/2016 3:35 AM, Stian Thorgersen wrote:
> > The client adapters don't support SAML ECP so you'd need to use a
> > different SAML SP library for that.
> >
> > On 14 October 2016 at 03:59, Carlos Villegas <cav at uniscope.jp> wrote:
> >
> >     I want to secure a servlet REST application. My client is Java, so far
> >     I've been using apache httpclient.
> >     The Keycloak docs mention SAML ECP binding is supported, but I don't see
> >     an example.
> >     The admin pages seem to assume only POST or redirect binding.
> >     Does the client adapter support ECP binding? Any pointers or help on how
> >     to go about it?
> >     I need help on both the client adapter and how to use Keycloak as a SAML
> >     ECP IDP.
> >
> >     Thanks,
> >     Carlos
> >
> >     _______________________________________________
> >     keycloak-user mailing list
> >     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> >     https://lists.jboss.org/mailman/listinfo/keycloak-user
> >     <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
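
The header exchange described in the quoted message, as an added example that is not part of the thread and is not Keycloak or Shibboleth code: a Java check for whether a request advertises ECP and whether each leg carries the Content-Type the thread reports as required. The class and method names are hypothetical, and the sample header values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

public class EcpHeaderCheck {
    static final String PAOS_TYPE = "application/vnd.paos+xml";
    static final String PAOS_VERSION = "urn:liberty:paos:2003-08";
    static final String ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp";

    // Media type without parameters such as "; charset=UTF-8"; "" when the header is absent.
    static String mediaType(String contentType) {
        if (contentType == null) return "";
        return contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
    }

    // True when the request advertises ECP as in the thread: PAOS media type in Accept,
    // quoted PAOS version and quoted ECP service in the PAOS header.
    // The caller passes a map with case-insensitive keys.
    static boolean advertisesEcp(Map<String, String> headers) {
        String accept = headers.getOrDefault("Accept", "").toLowerCase(Locale.ROOT);
        String paos = headers.getOrDefault("PAOS", "");
        return accept.contains(PAOS_TYPE)
                && paos.contains("\"" + PAOS_VERSION + "\"")
                && paos.contains("\"" + ECP_SERVICE + "\"");
    }

    // Compares the Content-Type seen on each leg with the value the thread reports as required.
    static List<String> contentTypeProblems(String spResponseType, String idpRequestType) {
        List<String> problems = new ArrayList<>();
        if (!mediaType(spResponseType).equals(PAOS_TYPE))
            problems.add("SP response Content-Type '" + mediaType(spResponseType) + "', expected " + PAOS_TYPE);
        if (!mediaType(idpRequestType).equals("text/xml"))
            problems.add("IdP request Content-Type '" + mediaType(idpRequestType) + "', expected text/xml");
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured traffic.
        Map<String, String> request = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        request.put("accept", "text/html, application/vnd.paos+xml");
        request.put("paos", "ver=\"" + PAOS_VERSION + "\";\"" + ECP_SERVICE + "\"");
        System.out.println("advertises ECP: " + advertisesEcp(request));
        // SP sends no Content-Type and the client posts a wrong type to the IdP (value constructed).
        contentTypeProblems(null, "application/octet-stream").forEach(System.out::println);
        // Both legs after the fixes described in the thread.
        System.out.println(contentTypeProblems(PAOS_TYPE + "; charset=UTF-8", "text/xml"));
    }
}
```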
