[keycloak-user] SAML Binding - ECP Profile
John Dennis
jdennis at redhat.com
Mon Feb 13 14:40:33 EST 2017
On 02/13/2017 02:03 PM, Jason B wrote:
> Thanks for the detailed response. I agree with you.
>
> Actually the requirement, I am trying to implement is IdP discovery
> services. I want to find out a correct realm for a user based on user's
> email address. Initially I thought it can be implemented using ECP profile
> but later realized it is not the solution I am looking for.
>
> Thinking of writing a UI service in front of keycloak to intercept the
> incoming AuthN request (SP SSO) to capture the user's email address to
> determine the correct realm IDP.
Huh? That doesn't make much sense. The SP *must* know a priori the
Keycloak realm because in Keycloak an IdP is owned by a realm. In
addition the SAML AuthnRequest *must* already include the Keycloak realm
in the request *and* the request *must* be sent to a binding endpoint
in the Keycloak realm.
Furthermore any Keycloak deployment which permits sniffing SAML
messages is fundamentally broken (because it should be deployed using
TLS). Not to mention even if you bypassed TLS you still would not be
able to decrypt any SAML messages where the SP requires encryption
because you don't have access to the encryption key.
And yet another problem in your proposal is that an AuthnRequest does
not (necessarily) contain an email address. Depending on how the client
is configured it might supply an email address as an attribute in the
Assertion. AuthnRequest != Assertion.
There are other ways to perform IdP discovery.
--
John
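Added example, not part of the thread above and not Keycloak code: three constructed SAML messages (an AuthnRequest, a plain Assertion and a Response carrying an EncryptedAssertion) parsed with the standard library, to show concretely what John describes. The realm is recoverable from the realm-scoped URL (the AuthnRequest's Destination, the Assertion's Issuer; the `/realms/<realm>/protocol/saml` path shape is Keycloak's), the AuthnRequest carries no email address (at most a NameIDPolicy asking for the emailAddress *format*), the Assertion may carry one as a NameID or attribute depending on client configuration, and an encrypted assertion yields nothing without the SP's key. Hosts, IDs, the realm `acme`, the user `alice@example.com` and the attribute-name set are all constructed assumptions.

```python
"""Constructed SAML messages (hosts, IDs, realm and user are made up) that
show which message carries the realm and which carries an email address."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute names that may carry an email; which one (if any) appears is an
# assumption that depends entirely on how the client's mappers are configured.
EMAIL_ATTRS = {"email", "mail", "urn:oid:0.9.2342.19200300.100.1.3"}

AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2017-02-13T19:03:00Z"
    Destination="https://idp.example.com/auth/realms/acme/protocol/saml"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="{EMAIL_NAMEID}" AllowCreate="true"/>
</samlp:AuthnRequest>"""

ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2017-02-13T19:03:05Z">
  <saml:Issuer>https://idp.example.com/auth/realms/acme</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_NAMEID}">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

ENCRYPTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2017-02-13T19:03:05Z">
  <saml:Issuer>https://idp.example.com/auth/realms/acme</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData>
        <xenc:CipherValue>ciphertext-placeholder</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Keycloak scopes its endpoints under /realms/<realm>/... ; the realm name is
# therefore in the URL the SP already had to know before sending anything.
REALM_PATH = re.compile(r"/realms/([^/]+)(?:/|$)")


def realm_from_url(url):
    """Realm named in a realm-scoped URL, or None if the path is not one."""
    m = REALM_PATH.search(urlparse(url).path)
    return m.group(1) if m else None


def realm_of(xml_text):
    """An AuthnRequest names the realm in its Destination; an Assertion or
    Response names it in its Issuer."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAMLP}}}AuthnRequest":
        return realm_from_url(root.get("Destination", ""))
    issuer = root.find(f"{{{SAML}}}Issuer")
    return realm_from_url(issuer.text) if issuer is not None else None


def email_of(xml_text):
    """Email address carried by the message, or None. An AuthnRequest has no
    NameID or attributes at all, and an EncryptedAssertion is opaque without
    the SP's decryption key, so both yield None."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SAML}}}EncryptedAssertion") is not None:
        return None
    nameid = root.find(f".//{{{SAML}}}NameID")
    if nameid is not None and nameid.get("Format") == EMAIL_NAMEID and nameid.text:
        return nameid.text.strip()
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") in EMAIL_ATTRS:
            val = attr.find(f"{{{SAML}}}AttributeValue")
            if val is not None and val.text:
                return val.text.strip()
    return None


def summarize(xml_text):
    """Message kind, the realm it is bound to, and any email it carries."""
    kind = ET.fromstring(xml_text).tag.split("}", 1)[1]
    return {"kind": kind, "realm": realm_of(xml_text), "email": email_of(xml_text)}


if __name__ == "__main__":
    for msg in (AUTHN_REQUEST, ASSERTION, ENCRYPTED_RESPONSE):
        print(summarize(msg))
```

Running it prints one summary per message: the AuthnRequest resolves to realm `acme` with no email, the Assertion resolves to the same realm and yields `alice@example.com`, and the encrypted Response resolves to the realm but yields no email. That is the practical reason an interceptor in front of the IdP cannot route on email: the only message it sees before authentication (the AuthnRequest) does not contain one, and the message that might (the Assertion) is produced after the realm is already fixed, and may be encrypted to the SP.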