On 12/07/2016 07:21 AM, Rashmi Singh wrote:
> We have a requirement to set up a SAML SP that sends a SOAP request to
> the Keycloak IDP, which returns the SOAP response to the SAML SP. We would
> like to know if Keycloak supports this. We came across something called ECP
> that probably provides this support but can't find details on how to
> use/implement it. Could you provide us with some pointers on this?

Yes Keycloak SOAP works, we use it in our environments to implement ECP.

> Also, are there any sample SPs that we can use to send SOAP requests
> to the IDP?
> If not, any pointers on how to set this all up?

ECP is its own client independent of the SP and IdP, it sits between
the SP and IdP during the authentication flow. On the SP side the SP
must know how to process a request from an ECP client. The IdP only needs
to know how to process SOAP messages (which Keycloak does). The idea behind
ECP is it is intended for non-browser clients which cannot perform the
necessary redirects so instead the ECP client acts as a go-between
shuttling messages between itself and the SP and between itself and the
IdP. ECP transactions are relatively easy to implement. I have 2 scripts
I use for testing ECP, one is a shell script and the other is a python
script which uses the Lasso library (same library used by our
mod_auth_mellon SP implementation, which also supports ECP). I can
provide you with the scripts but they are meant for testing and would
need some cleanup for your environment. The Shibboleth SP also supports
ECP but we do not support it (we only support mod_auth_mellon at the
moment).
If you could be more specific as to what the customer needs it would
help focus the discussion.
--
John
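
An added example, not part of the message above and not John's test scripts: Python code for the two message-handling steps an ECP client performs as the go-between, including the check that the IdP's AssertionConsumerServiceURL equals the responseConsumerURL the SP sent before anything is forwarded. The function names, hosts and sample envelopes are constructed for illustration; the HTTP transport and the client's authentication to the IdP are assumed to happen outside this code.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"S": SOAP, "paos": "urn:liberty:paos:2003-08",
      "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def sp_to_idp(sp_reply):
    """Leg 1: keep the SP's PAOS header values, strip the header, return (state, envelope for the IdP)."""
    env = ET.fromstring(sp_reply)
    header = env.find("S:Header", NS)
    paos = header.find("paos:Request", NS)
    state = {"consumer_url": paos.get("responseConsumerURL"), "message_id": paos.get("messageID"),
             "relay_state": header.find("ecp:RelayState", NS)}
    env.remove(header)
    return state, ET.tostring(env, encoding="unicode")

def idp_to_sp(state, idp_reply):
    """Leg 2: forward only if the IdP's ACS URL matches the SP's; return (URL to POST to, envelope)."""
    env = ET.fromstring(idp_reply)
    ecp = env.find("S:Header/ecp:Response", NS)
    acs = ecp.get("AssertionConsumerServiceURL") if ecp is not None else None
    if not acs or acs != state["consumer_url"]:
        raise ValueError("ACS URL from IdP does not match SP responseConsumerURL")
    out = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(out, f"{{{SOAP}}}Header")
    attrs = {f"{{{SOAP}}}mustUnderstand": "1",
             f"{{{SOAP}}}actor": "http://schemas.xmlsoap.org/soap/actor/next"}
    if state["message_id"]:
        attrs["refToMessageID"] = state["message_id"]
    ET.SubElement(header, f"{{{NS['paos']}}}Response", attrs)
    if state["relay_state"] is not None:
        header.append(state["relay_state"])  # echoed back to the SP unchanged
    out.append(env.find("S:Body", NS))       # the IdP's samlp:Response, untouched
    return state["consumer_url"], ET.tostring(out, encoding="unicode")

# Constructed sample messages: made-up hosts and IDs, no signatures or assertion.
_X = ('xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:paos="urn:liberty:paos:2003-08" '
      'xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" '
      'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"')
SP_REPLY = f"""<S:Envelope {_X}><S:Header>
  <paos:Request responseConsumerURL="https://sp.example.org/paos" messageID="m1"
      service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  <ecp:RelayState>opaque-state</ecp:RelayState></S:Header><S:Body><samlp:AuthnRequest ID="_req1"/></S:Body></S:Envelope>"""
IDP_REPLY = f"""<S:Envelope {_X}><S:Header>
  <ecp:Response AssertionConsumerServiceURL="https://sp.example.org/paos"/></S:Header>
  <S:Body><samlp:Response ID="_resp1" InResponseTo="_req1"/></S:Body></S:Envelope>"""
```

When the URLs differ, the ECP profile has the client send a SOAP fault to the SP instead of the IdP's response; here that case surfaces as the ValueError.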