[keycloak-user] SAML Binding - ECP Profile

Bill Burke bburke at redhat.com
Mon Feb 13 15:47:15 EST 2017


Why do you need multiple realms?  One Keycloak realm can federate 
multiple user stores (i.e. multiple LDAP servers).


On 2/13/17 2:03 PM, Jason B wrote:
> Thanks for the detailed response. I agree with you.
>
> Actually, the requirement I am trying to implement is an IdP discovery 
> service. I want to find the correct realm for a user based on the user's 
> email address. Initially I thought it could be implemented using the ECP 
> profile, but later realized it is not the solution I am looking for.
>
> Thinking of writing a UI service in front of Keycloak to intercept the 
> incoming AuthN request (SP SSO) to capture the user's email address and 
> determine the correct realm/IdP.
>
> Did you come across a similar scenario?
>
> Thanks!
>
> On Feb 13, 2017 9:13 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
>
>
>     On 2/13/17 10:30 AM, John Dennis wrote:
>     > On 02/10/2017 05:07 PM, Jason B wrote:
>     >> Quick question: Can Keycloak act as an ECP client? Or does it need to be
>     >> some kind of gateway/proxy server sitting in front of the Service Provider,
>     >> intercepting the requests going to the service provider?
>     > I think you might be confused as to how ECP works. An ECP client sits
>     > *between* the SP and the IdP. An IdP such as Keycloak does not implement
>     > ECP; rather, ECP is implemented in the ECP client. An IdP participates in
>     > an ECP flow by advertising a SingleSignOn SOAP binding protected by some
>     > form of HTTP authentication (typically basic and digest). The ECP client
>     > utilizes the IdP's SOAP binding.
>     >
>     > A good explanation of ECP and an example flow can be found in the SAML
>     > Technical Overview in section 5.2:
>     >
>     > https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
>     >
>     >
>     > The ECP specification gives all the gory details:
>     >
>     > http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html
>     >
>
>     And...after reading this spec you'll realize how much ECP sucks. Switch
>     to OAuth and bearer tokens...much simpler and easier on the client than
>     having to install a SOAP stack.
>
>     Bill
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
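The "UI service in front of Keycloak" that Jason describes is usually called home-realm discovery: take the address the user typed, look at its domain, and send the browser to the SAML SSO endpoint of the matching realm. The following is an added example written for this thread, not code from the original posts or from the Keycloak project. It assumes a constructed domain-to-realm table, a made-up Keycloak base URL, and the standard Keycloak realm endpoint path `/realms/{realm}/protocol/saml`; the `DEFAULT_REALM` fallback is also an assumption. Two points a practitioner would want: the address is validated before any lookup, and an unknown or malformed address gets the same default redirect as a known one, so the discovery page does not reveal which domains (tenants) are configured.

```python
import re
from typing import Optional
from urllib.parse import quote, urlencode

# Constructed example data: e-mail domain -> Keycloak realm name.
# These domains, realm names and the base URL are made up for illustration.
DOMAIN_TO_REALM = {
    "example.com": "corp",
    "eu.example.com": "corp-eu",
    "partner.example.org": "partners",
}
DEFAULT_REALM = "corp"  # assumption: catch-all realm for unknown domains
KEYCLOAK_BASE = "https://sso.example.internal"  # assumption

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of a plausible address, or None.

    Only the shape is checked (one '@', a non-empty local part, a
    multi-label domain of valid labels); no DNS lookup is performed.
    """
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.strip().split("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain or len(domain) > 253:
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return domain


def realm_for_domain(domain: str) -> str:
    """Longest-suffix match: 'eu.example.com' wins over 'example.com'.

    A subdomain that is not listed falls through to its parent's realm;
    if you do not control every subdomain of a listed domain, replace this
    with an exact-match lookup.
    """
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_TO_REALM:
            return DOMAIN_TO_REALM[candidate]
    return DEFAULT_REALM


def discover_realm(email: str) -> str:
    """Realm for an address; malformed or unknown input maps to the default
    realm so that the response shape does not leak which domains exist."""
    domain = email_domain(email)
    return realm_for_domain(domain) if domain else DEFAULT_REALM


def sso_redirect(email: str, saml_request: str, relay_state: Optional[str] = None) -> str:
    """Build the HTTP-Redirect-binding URL for the discovered realm's SAML endpoint.

    saml_request is the already deflated+base64 AuthnRequest received from the
    SP; it is passed through untouched. RelayState is forwarded if present.
    """
    realm = discover_realm(email)
    params = {"SAMLRequest": saml_request}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{KEYCLOAK_BASE}/realms/{quote(realm, safe='')}/protocol/saml?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed inputs; the SAMLRequest value is a placeholder, not a real request.
    for addr in ("alice@example.com", "bob@mail.eu.example.com", "garbage"):
        print(addr, "->", discover_realm(addr))
    print(sso_redirect("bob@eu.example.com", "PLACEHOLDER", relay_state="state-1"))
```

Because the discovery service sits in the path of every login, it should forward the SP's `SAMLRequest` unchanged and let Keycloak validate the signature and issuer per realm; the router only chooses the realm, it never inspects or trusts the request contents. Bill's alternative, one realm federating several LDAP stores, removes the need for this hop entirely, and is worth considering before adding a component in front of the IdP.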


