Quick question: can Keycloak act as an ECP client? Or does it need to be some kind of
gateway/proxy server sitting in front of the Service Provider, intercepting the
requests going to the Service Provider?
On Fri, Feb 10, 2017 at 12:25 PM, Jason B <jason(a)naidmincloud.com> wrote:
Thanks John for your inputs. Will give it a try.
On Fri, Feb 10, 2017 at 11:19 AM, John Dennis <jdennis(a)redhat.com> wrote:
> On 02/10/2017 12:59 PM, Jason B wrote:
>
>> Hi,
>>
>> I am trying to work on SAML ECP profile. According to Keycloak's server
>> administration documentation this SAML binding is supported. But when I
>> configure IdP/SSO in metadata I am not seeing any description/meta specific
>> to ECP binding. Any documentation available on how to use ECP profile in
>> Keycloak?
>>
>> Also, while testing IdP initiated SSO / SP initiated SSO, how can I inform
>> Keycloak to use a specific binding? Is there any query string parameter
>> available that I can use?
>>
>
> ECP definitely works with Keycloak, we use it all the time.
>
> You want to use the SOAP endpoint, e.g.
>
> <SingleSignOnService
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
> Location="https:xxx/auth/realms/xxx/protocol/saml"
> />
>
> You may not see this endpoint in your IdP metadata depending on how you
> obtained the metadata from Keycloak. It always appears if you use the
> /auth/realms/{realm}/protocol/saml/descriptor REST endpoint. But if you
> use the "Installation" on the client to get the IDPSSODescriptor it won't
> appear unless you configure the client to use the endpoint (keycloak only
> populates HTTP-POST using this method). IMHO this inconsistency is broken,
> but Bill disagrees (the fact the OP couldn't find the SOAP endpoint to me
> is further evidence a client specific view of the IdP metadata is not a
> good idea).
>
> But back to the original question of how to use ECP with Keycloak. There
> is very little you need to do in Keycloak. You only need to determine the
> SOAP endpoint [1] and of course have the SP registered. Make sure the PAOS
> endpoint as it appears in the SP metadata is in the list of redirect URIs
> for Keycloak's SP client. That's it.
>
> Most of the configuration occurs in the ECP client. The ECP client must
> know the SP as well as the Keycloak SOAP endpoint. Currently Keycloak only
> supports basic and digest HTTP authentication with ECP.
>
> [1] FWIW Keycloak uses the same endpoint for all bindings, however you
> should not count on this, you should get the binding endpoint from the
> metadata.
>
> --
> John
>
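An added example (not code from the thread or from Keycloak) of the two checks John describes: reading the SOAP SingleSignOnService endpoint from the IdP metadata rather than assuming the shared URL, and confirming that the SP's PAOS endpoint from the SP metadata is among the redirect URIs configured on the Keycloak client. The hostnames, realm and metadata documents are constructed placeholders.

```python
# Added example: resolve SAML binding endpoints from metadata (not Keycloak code).
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata shaped like the /protocol/saml/descriptor output
# (host and realm are placeholders). Both bindings share one Location.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example/auth/realms/demo">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleSignOnService Binding="{POST}" Location="https://idp.example/auth/realms/demo/protocol/saml"/>
  <md:SingleSignOnService Binding="{SOAP}" Location="https://idp.example/auth/realms/demo/protocol/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata with a PAOS AssertionConsumerService for ECP.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example/saml">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Binding="{POST}" Location="https://sp.example/saml/acs"/>
  <md:AssertionConsumerService index="1" Binding="{PAOS}" Location="https://sp.example/saml/ecp"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def _location(metadata_xml, path, binding):
    """Location of the first element under `path` advertising `binding`, or
    None when the descriptor does not list it (as with a client 'Installation'
    export that only populates HTTP-POST)."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(path, NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None

def idp_sso_endpoint(idp_metadata_xml, binding=SOAP):
    """SingleSignOnService URL for the given binding (SOAP for ECP)."""
    return _location(idp_metadata_xml, ".//md:IDPSSODescriptor/md:SingleSignOnService", binding)

def sp_paos_endpoint(sp_metadata_xml):
    """AssertionConsumerService URL with the PAOS binding, used by ECP."""
    return _location(sp_metadata_xml, ".//md:SPSSODescriptor/md:AssertionConsumerService", PAOS)

def paos_endpoint_registered(sp_metadata_xml, client_redirect_uris):
    """True when the SP's PAOS endpoint is an exact entry in the Keycloak
    client's redirect URI list; False also when SP metadata lacks PAOS."""
    acs = sp_paos_endpoint(sp_metadata_xml)
    return acs is not None and acs in client_redirect_uris
```

Metadata fetched from a live endpoint should be parsed with a hardened parser (for example defusedxml) rather than the stdlib one shown here, and wildcard redirect URIs are deliberately not matched.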