[keycloak-user] Feature Request: Better ECP Support for Service Provider

Stian Thorgersen sthorger at redhat.com
Wed Jan 4 07:29:46 EST 2017


Outside OpenStack we haven't had much demand for ECP which is why it's not
been a priority to us. Please create JIRA issues for bugs and enhancements
you are looking for, but I can't promise anything with regards to when we
can look at it. Bugs affecting OpenStack are obviously something we'd look
at with higher priority. If you are able to contribute work including tests
we'd be more than happy to accept it.

On 4 January 2017 at 12:36, Mark Schäfer <mark.schaefer at markschaefer.de>
wrote:

> Recently I tried to use SAML ECP (Enhanced Client Profile) with KeyCloak
> 2.3.0.Final and the Tomcat 7 Adapter for a REST-Service. I am aware that
> the ECP Support on the SP side is not officially supported and was only
> implemented for Openstack integration.
>
> Nevertheless I managed to receive a SAML authorization request from the
> SP, forwarding it to the single configured IP resulting in a SAML
> assertion. (With KeyCloak 2.5.0.Final the latter did not work anymore
> and I will post this bug? separately).
>
> The biggest missing feature right now is the missing support for
> multiple IPs in the SP adapter configuration. ECP allows for multiple
> IPs in the first response containing the SAML authorization request.
>
> I suggest to either enhance the SP adapter configuration to allow
> multiple IP elements and to enhance the adapter itself to handle SAML
> responses from either one of these IPs.
>
> Alternatively, it might be better to enhance KeyCloak itself to redirect
> the ECP SAML authorisation request to the configured IPs in the
> brokering section. This seems to be more complicated and I am not sure
> if SAML or ECP provide this workflow.
>
>
> Background: the setup of my customer has a REST service as SP providing
> services for the users of 18+ different IPs, a default client
> implementation for this service and about 100 different REST client
> implementations by third party companies. All this takes place in the
> German public healthcare system. SAML has been a given for a couple of years
> and the IPs have ample experience with SAML web applications. ECP will
> become mandatory in the coming months. As a consequence we need a solid
> ECP support on the SP side.