Thanks for the detailed response. I agree with you.
Actually, the requirement I am trying to implement is an IdP discovery
service. I want to find the correct realm for a user based on the user's
email address. Initially I thought it could be implemented using the ECP profile,
but later realized it is not the solution I am looking for.
I'm thinking of writing a UI service in front of Keycloak to intercept the
incoming AuthN request (SP SSO) to capture the user's email address and
determine the correct realm/IdP.
Did you come across a similar scenario?
Thanks!
On Feb 13, 2017 9:13 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
On 2/13/17 10:30 AM, John Dennis wrote:
> On 02/10/2017 05:07 PM, Jason B wrote:
>> Quick question: Can Keycloak act as an ECP client? Or does it need to be some kind
>> of gateway/proxy server sitting in front of the Service Provider,
>> intercepting the requests going to the service provider?
> I think you might be confused as to how ECP works. An ECP client sits
> *between* the SP and the IdP. An IdP such as Keycloak does not implement
> ECP, rather ECP is implemented in the ECP client. An IdP participates in
> an ECP flow by advertising a SingleSignOn SOAP binding protected by some
> form of HTTP authentication (typically basic and digest). The ECP client
> utilizes the IdP's SOAP binding.
>
> A good explanation of ECP and an example flow can be found in the SAML
> Technical overview in section 5.2:
>
> https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
>
> The ECP specification gives all the gory details:
>
> http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html
>
And...after reading this spec you'll realize how much ECP sucks. Switch
to OAuth and bearer tokens...much simpler and easier on the client than
having to install a SOAP stack.
Bill
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
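The realm-discovery front end proposed in the first message, as an added example (not code from the thread or from the Keycloak project): it maps the e-mail domain to a realm with longest-suffix matching, so sub-domains inherit the parent's realm, and builds the redirect target. The domain-to-realm table is constructed, and the `/realms/<realm>/protocol/saml` path is assumed to be the realm's SAML endpoint.

```python
"""Home-realm discovery by e-mail domain (added example, hypothetical mapping).

The address is used only for routing: the chosen realm still authenticates
the user, so a mistyped or spoofed address yields nothing but a wrong realm.
"""
from typing import Dict, Optional
from urllib.parse import quote

# Constructed sample mapping: registered e-mail domain -> Keycloak realm.
DOMAIN_TO_REALM: Dict[str, str] = {
    "example.com": "acme",
    "partner.example.org": "partner",
}


def realm_for_email(email: str, mapping: Dict[str, str] = DOMAIN_TO_REALM) -> Optional[str]:
    """Return the realm owning the address's domain, or None if nothing matches."""
    local, sep, domain = email.strip().rpartition("@")
    # Exactly one '@' with a non-empty local part and domain; reject rather than guess.
    if not sep or not local or not domain or "@" in local:
        return None
    labels = domain.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        return None
    # Longest-suffix match: try "corp.example.com", then "example.com", then "com".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def saml_sso_url(base_url: str, realm: str) -> str:
    """Realm SAML SSO endpoint, assuming Keycloak's /realms/<realm>/protocol/saml layout."""
    return f"{base_url.rstrip('/')}/realms/{quote(realm, safe='')}/protocol/saml"


def discover(email: str, base_url: str, default_realm: Optional[str] = None) -> Optional[str]:
    """Resolve where to send a login attempt; None means 'show a realm chooser instead'."""
    realm = realm_for_email(email) or default_realm
    return saml_sso_url(base_url, realm) if realm else None
```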