[keycloak-user] ECP example?

Pedro Igor Craveiro e Silva psilva at redhat.com
Tue Oct 18 07:12:05 EDT 2016


We do have some very basic support for ECP on the SP side. The
implementation is really specific to Openstack use case and
requirements.

This capability is not advertised in any doc as we don't want people
using it. In Keycloak we have some tests [1] for SAML ECP that use this
stuff, but that is all. Just to make sure our IdP is aligned with
Openstack.

[1] https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlEcpProfileTest.java#L91

On Tue, 2016-10-18 at 07:21 +0200, Stian Thorgersen wrote:
> AFAIK we have no support for ECP in the adapters. Pedro can you
> comment?
> 
> On 18 October 2016 at 04:07, Carlos Villegas <cav at uniscope.jp> wrote:
> > Hmm... I saw some classes in the adapters 2.2.1 code about ECP so I
> > did some experiments.
> > 
> > If I set the adapter as a regular POST binding and then send the
> > headers
> > 
> > Accept: application/vnd.paos+xml
> > 
> > PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp
> > 
> > the SP seems to respond the right way with a SOAP message that looks
> > about right. Except it's not sending the Content-Type header and then
> > the Shibboleth Java client I'm using to test doesn't react. I then
> > patched the o.k.adapters.saml.profile.ecp.EcpAuthenticationHandler to
> > set Content-Type: application/vnd.paos+xml and I get a little bit
> > further. The client logs in to the IDP and gets the tokens, but after
> > that it's not working. But at this point I don't know where the fault
> > is, in the client or the SP. The client was not sending the right
> > content type either to the IDP, which according to some other post
> > should be text/xml. I fixed that also on the client and it seems to do
> > the login now; I see the correct user attributes in the response. But
> > after that it seems to get into some loop and I get some
> > authentication error.
> > 
> > Are you saying the adapters' ECP support is not completely
> > functional?
> > 
> > Thanks,
> > Carlos
> > 
> > On 10/18/2016 3:35 AM, Stian Thorgersen wrote:
> > > The client adapters don't support SAML ECP so you'd need to use a
> > > different SAML SP library for that.
> > >
> > > On 14 October 2016 at 03:59, Carlos Villegas <cav at uniscope.jp> wrote:
> > >
> > >     I want to secure a servlet REST application. My client is
> > >     Java; so far I've been using Apache HttpClient.
> > >     The Keycloak docs mention SAML ECP binding is supported, but I
> > >     don't see an example.
> > >     The admin pages seem to assume only POST or redirect binding.
> > >     Does the client adapter support ECP binding? Any pointers or
> > >     help on how to go about it?
> > >     I need help on both the client adapter and how to use Keycloak
> > >     as a SAML ECP IDP.
> > >
> > >     Thanks,
> > >     Carlos
> > >
> > >
> > >     _______________________________________________
> > >     keycloak-user mailing list
> > >     keycloak-user at lists.jboss.org
> > >     https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > 
> > 
> 
-- 
Pedro Igor
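The PAOS handshake Carlos describes above (the client announces ECP with the Accept and PAOS request headers, the SP answers with a SOAP envelope that must carry Content-Type application/vnd.paos+xml, and the client then forwards the envelope to the IdP as text/xml) written up as a small response checker. This is an added example for the thread, not code from Keycloak, from its adapters or from the Shibboleth client; the sample envelope, the sp.example.test URLs and the function names are constructed for it. It flags exactly the missing Content-Type that Carlos had to patch around, and also checks that the SOAP headers and body an ECP client needs are present before anything is forwarded to the IdP.

```python
"""Check an SP's reply to an ECP-capable client (added example, not Keycloak code).

The sample envelope and the sp.example.test URLs below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PAOS_CONTENT_TYPE = "application/vnd.paos+xml"
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"


def ecp_request_headers():
    """Headers the client sends to the SP to ask for the ECP/PAOS flow."""
    return {
        "Accept": PAOS_CONTENT_TYPE,
        "PAOS": 'ver="urn:liberty:paos:2003-08";"' + ECP_SERVICE + '"',
    }


def idp_forward_headers():
    """Headers for forwarding the SOAP envelope to the IdP: SOAP 1.1 is sent
    as text/xml, the content type the thread reports the IdP expects."""
    return {"Content-Type": "text/xml; charset=UTF-8"}


def check_sp_ecp_response(headers, body):
    """Return a list of problems with the SP's reply; an empty list means usable."""
    problems = []
    # The missing Content-Type was the first failure reported in the thread.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip().lower() != PAOS_CONTENT_TYPE:
        problems.append(f"Content-Type is {ctype!r}, expected {PAOS_CONTENT_TYPE}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return problems + [f"body is not well-formed XML: {exc}"]
    if root.tag != "{%s}Envelope" % NS["soap"]:
        return problems + ["root element is not a SOAP 1.1 Envelope"]
    # The PAOS header tells the client where to post the IdP's answer back.
    paos = root.find("soap:Header/paos:Request", NS)
    if paos is None:
        problems.append("missing paos:Request SOAP header")
    else:
        if paos.get("service") != ECP_SERVICE:
            problems.append("paos:Request service is not the SAML ECP profile")
        if not paos.get("responseConsumerURL"):
            problems.append("paos:Request has no responseConsumerURL")
    # The ECP header identifies the SP so the client can pick an IdP.
    ecp = root.find("soap:Header/ecp:Request", NS)
    if ecp is None:
        problems.append("missing ecp:Request SOAP header")
    elif ecp.find("saml:Issuer", NS) is None:
        problems.append("ecp:Request has no saml:Issuer")
    if root.find("soap:Body/samlp:AuthnRequest", NS) is None:
        problems.append("SOAP body carries no samlp:AuthnRequest")
    return problems


# Constructed sample of a well-formed SP reply (headers and body).
SAMPLE_HEADERS = {"Content-Type": "application/vnd.paos+xml; charset=UTF-8"}
SAMPLE_BODY = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        responseConsumerURL="https://sp.example.test/saml"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        IsPassive="false">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test</saml:Issuer>
    </ecp:Request>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_constructed-1" Version="2.0" IssueInstant="2016-10-18T00:00:00Z">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""

if __name__ == "__main__":
    print("client -> SP headers:", ecp_request_headers())
    print("well-formed reply:", check_sp_ecp_response(SAMPLE_HEADERS, SAMPLE_BODY))
    print("reply without Content-Type:", check_sp_ecp_response({}, SAMPLE_BODY))
    print("client -> IdP headers:", idp_forward_headers())
```

Running it against a real SP reply (pass the response headers and body into check_sp_ecp_response) separates the two failure modes Carlos saw: a reply that is structurally fine but mislabelled (only the Content-Type line is reported) versus one the client cannot use at all.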

