Thanks John for your inputs. Will give it a try.
On Fri, Feb 10, 2017 at 11:19 AM, John Dennis <jdennis(a)redhat.com> wrote:
On 02/10/2017 12:59 PM, Jason B wrote:
> Hi,
>
> I am trying to work on SAML ECP profile. According to Keycloak's server
> administration documentation this SAML binding is supported. But when I
> configure IdP/SSO in metadata I am not seeing any description/meta
> specific
> to ECP binding. Any documentation available on how to use ECP profile in
> Keycloak?
>
> Also, while testing IdP-initiated SSO / SP-initiated SSO, how can I inform
> Keycloak to use a specific binding? Is there any query string parameter
> available that I can use?
>
ECP definitely works with Keycloak, we use it all the time.
You want to use the SOAP endpoint, e.g.
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https:xxx/auth/realms/xxx/protocol/saml"
/>
You may not see this endpoint in your IdP metadata depending on how you
obtained the metadata from Keycloak. It always appears if you use the
/auth/realms/{realm}/protocol/saml/descriptor REST endpoint. But if you
use the "Installation" on the client to get the IDPSSODescriptor it won't
appear unless you configure the client to use the endpoint (Keycloak only
populates HTTP-POST using this method). IMHO this inconsistency is broken,
but Bill disagrees (the fact the OP couldn't find the SOAP endpoint to me
is further evidence a client specific view of the IdP metadata is not a
good idea).
But back to the original question of how to use ECP with Keycloak. There
is very little you need to do in Keycloak. You only need to determine the
SOAP endpoint [1] and of course have the SP registered. Make sure the PAOS
endpoint as it appears in the SP metadata is in the list of redirect URIs
for Keycloak's SP client. That's it.
Most of the configuration occurs in the ECP client. The ECP client must
know the SP as well as the Keycloak SOAP endpoint. Currently Keycloak only
supports basic and digest HTTP authentication with ECP.
[1] FWIW Keycloak uses the same endpoint for all bindings, however you
should not count on this, you should get the binding endpoint from the
metadata.
--
John
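As an added illustration of the two checks John's reply describes (the IdP metadata must expose a SingleSignOnService with the SOAP binding, and the SP's PAOS AssertionConsumerService must be among the SP client's redirect URIs), here is a small metadata checker. It is not code from the thread or from Keycloak; the hostnames, entity IDs and both metadata documents are constructed samples, and redirect URIs are compared by exact match (Keycloak wildcard patterns are not handled).

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed sample IdP metadata (placeholder host), shaped like the output of
# the /auth/realms/{realm}/protocol/saml/descriptor endpoint mentioned above.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example/auth/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example/auth/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="{SOAP_BINDING}"
        Location="https://idp.example/auth/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample SP metadata declaring a PAOS (ECP) AssertionConsumerService.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{PAOS_BINDING}" index="1"
        Location="https://sp.example/saml/ecp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def service_locations(metadata_xml, role_tag, service_tag, binding):
    """Location values of <service_tag> elements under <role_tag> with the given Binding."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role in root.iter(f"{{{MD_NS}}}{role_tag}"):
        for svc in role.findall(f"{{{MD_NS}}}{service_tag}"):
            if svc.get("Binding") == binding:
                found.append(svc.get("Location"))
    return found


def idp_soap_endpoint(idp_xml):
    """The SOAP SingleSignOnService an ECP client must talk to, or None if absent."""
    locs = service_locations(idp_xml, "IDPSSODescriptor", "SingleSignOnService", SOAP_BINDING)
    return locs[0] if locs else None


def check_ecp_setup(idp_xml, sp_xml, client_redirect_uris):
    """List the problems that would stop ECP working with the given IdP/SP/client config."""
    problems = []
    if idp_soap_endpoint(idp_xml) is None:
        problems.append("IdP metadata has no SingleSignOnService with SOAP binding")
    for acs in service_locations(sp_xml, "SPSSODescriptor", "AssertionConsumerService", PAOS_BINDING):
        if acs not in client_redirect_uris:
            problems.append(f"PAOS endpoint {acs} is not a registered redirect URI")
    return problems
```

Running `check_ecp_setup(IDP_METADATA, SP_METADATA, ["https://sp.example/saml/ecp"])` returns an empty list; feeding it metadata fetched from the client "Installation" tab instead of the descriptor endpoint is the quickest way to see the missing-SOAP-binding case the reply warns about.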