Thanks John. Can you please provide me the scripts you mentioned? I can get
started with that.
On 7 Dec 2016 10:18, "John Dennis" <jdennis(a)redhat.com> wrote:
On 12/07/2016 07:21 AM, Rashmi Singh wrote:
> We have a requirement to set up a SAML SP that sends SOAP request to the
> keycloak IDP which returns the SOAP response to the SAML SP. We would like
> to know if keycloak supports this? We came across something called as ECP
> that probably provides this support but can't find details on how to
> use/implement it. Could you provide us with some pointers on this?
>
Yes, Keycloak SOAP works, we use it in our environments to implement ECP.
> Also, are there any sample SP that we can use to send SOAP requests to IDP?
> If not, any pointers on how to set this all up?
>
ECP is its own client independent of the SP and IdP, it sits between the
SP and IdP during the authentication flow. On the SP side the SP must know
how to process a request from an ECP client. The IdP only needs to know how
to process SOAP messages (which Keycloak does). The idea behind ECP is it is
intended for non-browser clients which cannot perform the necessary
redirects so instead the ECP client acts as a go-between shuttling messages
between itself and the SP and between itself and the IdP. ECP transactions
are relatively easy to implement. I have 2 scripts I use for testing ECP,
one is a shell script and the other is a python script which uses the Lasso
library (same library used by our mod_auth_mellon SP implementation, which
also supports ECP). I can provide you with the scripts but they are meant
for testing and would need some clean up for your environment. The
Shibboleth SP also supports ECP but we do not support it (we only support
mod_auth_mellon at the moment).
If you could be more specific as to what the customer needs it would help
focus the discussion.
--
John
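
The relay role described above (the ECP client shuttling messages between SP and IdP), as an added Python example that is not part of this thread and is not one of the scripts mentioned in it. Function names, URLs and IDs are constructed for illustration; HTTP transport, authentication to the IdP and the `paos:Response` header of the final POST are left out, and the URL comparison follows the SAML ECP profile's requirement that the client check the IdP's `AssertionConsumerServiceURL` against the SP's `responseConsumerURL`.

```python
import xml.etree.ElementTree as ET  # stdlib; parse untrusted XML with a hardened parser

NS = {"S": "http://schemas.xmlsoap.org/soap/envelope/",
      "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
# Headers on the client's first request to the SP, advertising PAOS/ECP support.
ECP_HEADERS = {"Accept": "text/html, application/vnd.paos+xml",
               "PAOS": f'ver="{NS["paos"]}";"{NS["ecp"]}"'}

# Constructed sample messages (hypothetical URLs and IDs, unsigned, trimmed).
SP_PAOS = f"""<S:Envelope {XMLNS}><S:Header>
  <paos:Request responseConsumerURL="https://sp.example.test/ecp/acs"
      service="{NS['ecp']}" S:mustUnderstand="1"/>
 </S:Header><S:Body><samlp:AuthnRequest ID="_req1" Version="2.0"/></S:Body></S:Envelope>"""
IDP_REPLY = f"""<S:Envelope {XMLNS}><S:Header>
  <ecp:Response AssertionConsumerServiceURL="https://sp.example.test/ecp/acs"
      S:mustUnderstand="1"/>
 </S:Header><S:Body><samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0"/></S:Body></S:Envelope>"""

def wrap(elem):
    """Put one SAML element into a fresh SOAP envelope that carries no headers."""
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    ET.SubElement(env, f"{{{NS['S']}}}Body").append(elem)
    return ET.tostring(env, encoding="unicode")

def sp_to_idp(sp_envelope):
    """SP -> client -> IdP: keep responseConsumerURL, forward only the AuthnRequest."""
    root = ET.fromstring(sp_envelope)
    paos = root.find("S:Header/paos:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos is None or authn is None or not paos.get("responseConsumerURL"):
        raise ValueError("not a PAOS envelope carrying an AuthnRequest")
    return paos.get("responseConsumerURL"), wrap(authn)

def idp_to_sp(idp_envelope, response_consumer_url):
    """IdP -> client -> SP: relay the Response only if both sides name the same ACS URL."""
    root = ET.fromstring(idp_envelope)
    ecp = root.find("S:Header/ecp:Response", NS)
    resp = root.find("S:Body/samlp:Response", NS)
    if ecp is None or resp is None:
        raise ValueError("IdP reply lacks ecp:Response or samlp:Response")
    acs = ecp.get("AssertionConsumerServiceURL")
    if acs != response_consumer_url:  # the profile has the client send the SP a SOAP fault
        raise ValueError(f"ACS URL mismatch: SP={response_consumer_url!r} IdP={acs!r}")
    return acs, wrap(resp)  # POST this envelope to acs as application/vnd.paos+xml
```

The mismatch branch is what stops a response issued for one consumer URL from being delivered to a different one; signature and condition checks on the assertion remain the SP's job.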