On 02/10/2017 12:59 PM, Jason B wrote:
Hi,
I am trying to work on SAML ECP profile. According to Keycloak's server
administration documentation this SAML binding is supported. But when I
configure IdP/SSO in metadata I am not seeing any description/meta specific
to ECP binding. Any documentation available on how to use ECP profile in
Keycloak?
Also, while testing IdP initiated SSO/ SP initiated SSO,how can I inform
Keycloak to use specific binding? Is there any query string parameter
available that I can use?
ECP definitely works with Keycloak, we use all the time.
You want to use the SOAP endpoint, e.g.
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https:xxx/auth/realms/xxx/protocol/saml"
/>
You may not see this endpoint in your IdP metadata depending on how you
obtained the metadata from Keycloak. It always appears if you use the
/auth/realms/{realm}/protocol/saml/descriptor REST endpoint. But if you
use the "Installation" on the client to get the IDPSSODescriptor it
won't appear unless you configure the client to use the endpoint
(keycloak only populates HTTP-POST using this method). IMHO this
inconsistency is broken, but Bill disagrees (the fact the OP couldn't
find the SOAP endpoint to me is further evidence a client specific view
of the IdP metadata is not a good idea).
But back to the original question of how to use ECP with Keycloak. There
is very little you need to do in Keycloak. You only need to determine
the SOAP endpoint [1] and of course have the SP registered. Make sure
PAOS endpoint as it appears in the SP metadata is in the list of
redirectURI's for Keycloak's SP client. That's it.
Most of the configuration occurs in the ECP client. The ECP client must
know the SP as well as the Keycloak SOAP endpoint. Currently Keycloak
only supports basic and digest HTTP authentication with ECP.
[1] FWIW Keycloak uses the same endpoint for all bindings, however you
should not count on this, you should get the binding endpoint from the
metadata.
--
John