[keycloak-user] SAML Binding - ECP Profile
John Dennis
jdennis at redhat.com
Mon Feb 13 10:30:05 EST 2017

On 02/10/2017 05:07 PM, Jason B wrote:
> Quick question: Can Keycloak act as an ECP client? Or does it need to be
> some kind of gateway/proxy server sitting in front of the Service Provider
> intercepting the requests going to the service provider?

I think you might be confused as to how ECP works. An ECP client sits
*between* the SP and the IdP. An IdP such as Keycloak does not implement
ECP, rather ECP is implemented in the ECP client. An IdP participates in
an ECP flow by advertising a SingleSignOn SOAP binding protected by some
form of HTTP authentication (typically basic and digest). The ECP client
utilizes the IdP's SOAP binding.

A good explanation of ECP and an example flow can be found in the SAML
Technical overview in section 5.2:
https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

The ECP specification gives all the gory details:
http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html

--
John
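
Added example (not part of the original message and not Keycloak code): the two things an ECP client does with the pieces described above, finding the IdP's SOAP SingleSignOnService in its metadata and relaying the SP's request body to it. The metadata, the SP response and the idp.example.org URLs are constructed; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser (e.g. defusedxml)

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "S": "http://schemas.xmlsoap.org/soap/envelope/"}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed IdP metadata: one browser binding and one SOAP binding.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org/sso/soap"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP reply to the ECP client: SP-only header blocks plus the AuthnRequest.
SP_PAOS_RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header><ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"/></S:Header>
  <S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed1" Version="2.0" IssueInstant="2017-02-13T15:30:05Z"/></S:Body>
</S:Envelope>"""

def ecp_sso_endpoint(metadata_xml):
    """Return the IdP's SOAP SingleSignOnService URL, or None if it advertises none."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == SOAP_BINDING:
            location = sso.get("Location", "")
            # HTTP basic/digest credentials are sent to this URL, so insist on TLS.
            if not location.startswith("https://"):
                raise ValueError("SOAP SSO endpoint must use https: " + location)
            return location
    return None  # browser bindings only: this IdP cannot take part in an ECP flow

def envelope_for_idp(sp_envelope_xml):
    """Drop the SP's SOAP header blocks; keep the body (the AuthnRequest) for the IdP."""
    env = ET.fromstring(sp_envelope_xml)
    header = env.find("S:Header", NS)
    if header is not None:
        env.remove(header)
    if env.find("S:Body/*", NS) is None:
        raise ValueError("SP response carries no request in the SOAP body")
    return ET.tostring(env, encoding="unicode")
```

The client would then POST the returned envelope to the returned URL with its HTTP authentication credentials.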