On 2/13/17 10:30 AM, John Dennis wrote:
On 02/10/2017 05:07 PM, Jason B wrote:
> Quick question: Can Keycloak act as an ECP client? Or does it need to be some kind
> of gateway/proxy server sitting in front of the Service Provider,
> intercepting the requests going to the Service Provider?
I think you might be confused as to how ECP works. An ECP client sits
*between* the SP and the IdP. An IdP such as Keycloak does not implement
ECP, rather ECP is implemented in the ECP client. An IdP participates in
an ECP flow by advertising a SingleSignOn SOAP binding protected by some
form of HTTP authentication (typically basic and digest). The ECP client
utilizes the IdP's SOAP binding.
A good explanation of ECP and an example flow can be found in the SAML
Technical overview in section 5.2:
https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-o...
The ECP specification gives all the gory details:
http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v...
And...after reading this spec you'll realize how much ECP sucks. Switch
to OAuth and bearer tokens...much simpler and easier on the client than
having to install a SOAP stack.
Bill
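The exchange the reply describes (PAOS request to the SP, SOAP-wrapped AuthnRequest forwarded to the IdP's SingleSignOn SOAP binding under HTTP Basic auth, IdP response relayed back to the SP), as an added example that is not part of the thread and is not Keycloak or any project's code. Everything is driven over constructed sample envelopes, so it runs offline; the SP and IdP URLs, the relay state, the message IDs and the user name/password are placeholders. It also shows the one check the ECP profile requires of the client before it hands the IdP's response to the SP: the IdP's AssertionConsumerServiceURL must equal the responseConsumerURL the SP announced, otherwise the client sends the SP a SOAP fault instead of the assertion.

```python
"""Client-side SAML ECP message handling (added example; messages are
constructed samples, URLs and credentials are placeholders)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def paos_request_headers():
    """Headers the ECP client sends with its first GET to the SP; they make
    the SP answer with a SOAP AuthnRequest instead of an HTML redirect."""
    return {"Accept": "text/html; application/vnd.paos+xml",
            "PAOS": 'ver="urn:liberty:paos:2003-08";'
                    '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}

# Constructed SP reply: header blocks addressed to the client, AuthnRequest body.
SP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp">
  <S:Header>
    <paos:Request S:mustUnderstand="1" S:actor="%s"
        responseConsumerURL="https://sp.example.com/saml/ecp"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:RelayState S:mustUnderstand="1" S:actor="%s">opaque-state-123</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_req1" Version="2.0" IssueInstant="2017-02-13T10:30:00Z"/>
  </S:Body>
</S:Envelope>""" % (ACTOR, ACTOR)

# Constructed IdP reply from its SOAP SSO binding (tamper with the header URL
# to exercise the mismatch path).
IDP_ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp">
  <S:Header>
    <ecp:Response S:mustUnderstand="1" S:actor="%s"
        AssertionConsumerServiceURL="https://sp.example.com/saml/ecp"/>
  </S:Header>
  <S:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_resp1" Version="2.0" InResponseTo="_req1"
        IssueInstant="2017-02-13T10:30:01Z" Destination="https://sp.example.com/saml/ecp">
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  </S:Body>
</S:Envelope>""" % ACTOR

def parse_sp_envelope(xml_text):
    """Return (responseConsumerURL, relay state, AuthnRequest element)."""
    env = ET.fromstring(xml_text)
    paos_req = env.find("S:Header/paos:Request", NS)
    relay = env.find("S:Header/ecp:RelayState", NS)
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise ValueError("not an ECP/PAOS AuthnRequest envelope")
    return paos_req.get("responseConsumerURL"), getattr(relay, "text", None), authn

def build_idp_envelope(authn_request):
    """Body-only envelope for the IdP: the PAOS/ECP header blocks were for the
    client and are stripped before forwarding."""
    env = ET.Element(q("S", "Envelope"))
    ET.SubElement(env, q("S", "Body")).append(authn_request)
    return ET.tostring(env, encoding="unicode")

def basic_auth_header(user, password):
    """HTTP Basic credential for the IdP's SOAP binding; TLS only."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token}

def build_sp_envelope(idp_xml, response_consumer_url, relay_state):
    """Envelope POSTed to responseConsumerURL. Returns (ok, xml); ok is False
    when the IdP's AssertionConsumerServiceURL differs from the SP's
    responseConsumerURL, in which case a SOAP fault replaces the assertion."""
    env = ET.fromstring(idp_xml)
    ecp_resp = env.find("S:Header/ecp:Response", NS)
    saml_resp = env.find("S:Body/samlp:Response", NS)
    if ecp_resp is None or saml_resp is None:
        raise ValueError("not an ECP response envelope")
    out = ET.Element(q("S", "Envelope"))
    header = ET.SubElement(out, q("S", "Header"))
    body = ET.SubElement(out, q("S", "Body"))
    if ecp_resp.get("AssertionConsumerServiceURL") != response_consumer_url:
        fault = ET.SubElement(body, q("S", "Fault"))
        ET.SubElement(fault, "faultcode").text = "S:Server"
        ET.SubElement(fault, "faultstring").text = (
            "AssertionConsumerServiceURL does not match responseConsumerURL")
        return False, ET.tostring(out, encoding="unicode")
    for tag, text in ((q("paos", "Response"), None), (q("ecp", "RelayState"), relay_state)):
        if tag.endswith("RelayState") and text is None:
            continue
        blk = ET.SubElement(header, tag, {q("S", "mustUnderstand"): "1", q("S", "actor"): ACTOR})
        blk.text = text
    body.append(saml_resp)
    return True, ET.tostring(out, encoding="unicode")

def run_ecp_flow(sp_xml, idp_xml):
    """Whole exchange over the sample messages; the IdP POST would carry
    basic_auth_header(...) and build_idp_envelope(...) in a real client."""
    rc_url, relay, authn = parse_sp_envelope(sp_xml)
    idp_req = build_idp_envelope(authn)
    return build_sp_envelope(idp_xml, rc_url, relay), idp_req
```

Tampering with the sample IdP header (any other AssertionConsumerServiceURL) makes `build_sp_envelope` return a fault envelope without the `samlp:Response`, which is the behaviour the ECP profile asks of the client; a client that skips that comparison will deliver an assertion wherever the SP's PAOS header points.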