On 11/27/2017 06:11 AM, Pieter Lukasse wrote:
> I have Keycloak as an identity broker for a SAML SSO service. Login via
> the browser works great. Now, I want to call the APIs of the SP's
> application directly using Python or Java. Are these steps documented
> somewhere? Should my Python script send 2 authentication requests (e.g.
> first to Keycloak and then to the real IdP)?
The standard way to perform SAML authentication for command line clients
is to utilize the SAML ECP (Enhanced Client & Proxy) profile. ECP *must*
be supported on the SP; Keycloak already has the necessary components
for ECP, and they have been tested.
I have a couple of Python scripts that use ECP, and Openstack uses ECP in
Python as well. However, my ECP Python code is not in a state for general
consumption. Writing an ECP client is not hard; I'd suggest it be
integrated with python-requests.
The SAML2 Profile for ECP (Section 4.2) defines these steps for an ECP:
1. ECP issues HTTP Request to SP
2. SP issues <AuthnRequest> to ECP using PAOS
3. ECP determines IdP
4. ECP conveys <AuthnRequest> to IdP using SOAP
5. IdP identifies principal
6. IdP issues <Response> to ECP, targeted at SP using SOAP
7. ECP conveys <Response> to SP using PAOS
8. SP grants or denies access to principal
Before you go much further you will want to make sure your SP supports
PAOS; this can easily be determined by examining the SP metadata and
looking for an ACS (Assertion Consumer Service) endpoint with the PAOS
binding. If your SP does not support PAOS you're likely limited to
browser-based access only.
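The following is an added example, not code from the mail's author, from Keycloak or from Openstack: the message handling an ECP client needs for the eight steps above, plus the metadata check for a PAOS-binding ACS, written against the Python standard library only so it runs offline. The HTTP transport (an HTTP GET to the SP with the ECP headers, a SOAP POST to the IdP with the user's credentials, a PAOS POST back to the SP) is left to python-requests as the mail suggests and is not shown; the SP metadata, PAOS request and IdP SOAP response below are constructed samples with placeholder hosts (`sp.example.test`, `idp.example.test`), unsigned and stripped to the elements the client actually reads. The client also performs the comparison the ECP profile requires between the IdP's `AssertionConsumerServiceURL` and the SP's `responseConsumerURL`, refusing to forward the assertion when they differ.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the ECP profile messages (standard URIs)
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Step 1: HTTP headers that tell the SP this client speaks PAOS/ECP, so it answers with a
# PAOS-wrapped <AuthnRequest> instead of a browser redirect (pass as headers= with requests).
ECP_HTTP_HEADERS = {
    "Accept": "text/html, application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}


def paos_acs_url(sp_metadata_xml):
    """Pre-flight check from the mail: Location of the SP's PAOS-binding ACS, or None."""
    root = ET.fromstring(sp_metadata_xml)
    for acs in root.iter("{%s}AssertionConsumerService" % NS["md"]):
        if acs.get("Binding") == PAOS_BINDING:
            return acs.get("Location")
    return None


def parse_sp_paos_request(paos_xml):
    """Steps 2-3: take the SP's PAOS envelope apart and list the IdP SOAP endpoints it offers."""
    env = ET.fromstring(paos_xml)
    idp_entries = env.findall("soap:Header/ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)
    return {
        # remembered for the mandatory comparison in step 7
        "response_consumer_url": env.find("soap:Header/paos:Request", NS).get("responseConsumerURL"),
        "relay_state": env.find("soap:Header/ecp:RelayState", NS),  # echoed back to the SP unchanged
        "idp_endpoints": [e.get("Loc") for e in idp_entries],
        "authn_request": env.find("soap:Body/samlp:AuthnRequest", NS),
    }


def build_idp_soap_request(authn_request):
    """Step 4: the IdP receives only the bare <AuthnRequest> in a plain SOAP body; the
    PAOS/ECP headers were addressed to the client and are not forwarded."""
    env = ET.Element("{%s}Envelope" % NS["soap"])
    ET.SubElement(env, "{%s}Body" % NS["soap"]).append(authn_request)
    return ET.tostring(env)


def build_sp_paos_response(idp_soap_xml, response_consumer_url, relay_state):
    """Steps 6-7: unwrap the IdP's SOAP reply and re-wrap the SAML <Response> for the SP.
    The profile requires comparing the IdP's AssertionConsumerServiceURL with the SP's
    responseConsumerURL; on mismatch the assertion must not be delivered to the SP."""
    env = ET.fromstring(idp_soap_xml)
    acs_url = env.find("soap:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")
    if acs_url != response_consumer_url:
        raise ValueError("ACS URL mismatch: IdP %r vs SP %r" % (acs_url, response_consumer_url))
    out = ET.Element("{%s}Envelope" % NS["soap"])
    header = ET.SubElement(out, "{%s}Header" % NS["soap"])
    if relay_state is not None:
        header.append(relay_state)
    ET.SubElement(out, "{%s}Body" % NS["soap"]).append(env.find("soap:Body/samlp:Response", NS))
    return acs_url, ET.tostring(out)


def run_ecp_exchange(sp_metadata_xml, sp_paos_xml, idp_soap_xml):
    """Glue the message handling together in the order a live client runs it around its HTTP calls."""
    if paos_acs_url(sp_metadata_xml) is None:
        raise RuntimeError("SP metadata has no PAOS AssertionConsumerService; ECP is not possible")
    sp_msg = parse_sp_paos_request(sp_paos_xml)
    soap_request = build_idp_soap_request(sp_msg["authn_request"])  # POST to idp_url with credentials
    post_url, paos_body = build_sp_paos_response(
        idp_soap_xml, sp_msg["response_consumer_url"], sp_msg["relay_state"])
    return {"idp_url": sp_msg["idp_endpoints"][0], "soap_request": soap_request,
            "post_url": post_url, "paos_body": paos_body}


# Constructed sample messages (placeholder hosts, minimal content, unsigned) for an offline run.
_ACTOR = 'S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"'
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test">
 <md:SPSSODescriptor><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://sp.example.test/saml/acs" index="0"/><md:AssertionConsumerService
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sp.example.test/saml/ecp" index="1"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
SP_PAOS_REQUEST = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><S:Header>
 <paos:Request %(a)s service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" responseConsumerURL="https://sp.example.test/saml/ecp"/>
 <ecp:Request %(a)s IsPassive="false"><samlp:IDPList><samlp:IDPEntry ProviderID="https://idp.example.test" Loc="https://idp.example.test/saml/soap"/></samlp:IDPList></ecp:Request>
 <ecp:RelayState %(a)s>opaque-relay-state</ecp:RelayState></S:Header>
 <S:Body><samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2017-11-27T12:00:00Z"
  AssertionConsumerServiceURL="https://sp.example.test/saml/ecp"/></S:Body></S:Envelope>""" % {"a": _ACTOR}
IDP_SOAP_RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <S:Header><ecp:Response %s AssertionConsumerServiceURL="https://sp.example.test/saml/ecp"/></S:Header>
 <S:Body><samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2017-11-27T12:00:01Z"/></S:Body>
</S:Envelope>""" % _ACTOR

if __name__ == "__main__":
    result = run_ecp_exchange(SP_METADATA, SP_PAOS_REQUEST, IDP_SOAP_RESPONSE)
    print("IdP endpoint:", result["idp_url"], "| PAOS response goes to:", result["post_url"])
```

In a live client the only additions are the three HTTP calls: a GET to the SP resource with `ECP_HTTP_HEADERS`, a POST of `soap_request` to `idp_url` carrying the user's credentials (HTTP Basic or whatever the IdP's ECP endpoint accepts), and a POST of `paos_body` with `Content-Type: application/vnd.paos+xml` to `post_url`. The SP's session cookie from that last response is what the script then reuses for its API calls, which is why the question in the mail resolves to one ECP exchange rather than two separate logins.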