I am using Keycloak 2.3.0.Final at the moment. What I need is ECP for a
no browser scenario with brokering, i.e. multiple identity providers,
but I am not sure how to achieve it.
My service is secured by a Keycloak Servlet-Filter, which has a
Keycloak-Instance as identity provider. When I request a secured
resource like this
curl -H "Accept: text/html; application/vnd.paos+xml" -H 'PAOS:
ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp","urn:oasis:names:tc:SAML:2.0:cm:bearer'
http://localhost:8081/kvtg-keycloak-simple/Page
I get an authentication request:
<?xml version="1.0"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
xmlns:paos="urn:liberty:paos:2003-08"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<SOAP-ENV:Header>
<paos:Request
SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
SOAP-ENV:mustUnderstand="1" responseConsumerURL=""
service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
<ecp:Request IsPassive="0" ProviderName="DemoWebApp"
SOAP-ENV:actor="http://schemas.xmlsoap.org/soap/actor/next"
SOAP-ENV:mustUnderstand="1">
<saml:Issuer>DemoWebApp</saml:Issuer>
<samlp:IDPList>
<samlp:IDPEntry
Loc="http://localhost:8090/auth/realms/KVTG/protocol/saml" Name="idp2"
ProviderID="idp2"/>
</samlp:IDPList>
</ecp:Request>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<samlp:AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
Destination="http://localhost:8090/auth/realms/KVTG/protocol/saml"
ForceAuthn="false" ID="ID_a22e015f-d942-4f8c-a00f-6bb253d5657e"
IsPassive="false" IssueInstant="2016-12-22T09:00:45.957Z"
Version="2.0">
<saml:Issuer>DemoWebApp</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
btw: the response does not conform to the SAML ECP Spec Section 2.3.2
(
http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v...)
since the element <paos:Request> does contain a valid
responseConsumerURL attribute.
When I send the <samlp:AuthnRequest> element within a SOAP envelope to
the SAML endpoint of the Keycloak realm from above, I receive a SAML
assertion.
curl -v -X POST -H "Content-Type: text/xml" -H '"SOAPAction:
""' -d
@authnrequest.xml -u mark:....
http://localhost:8080/auth/realms/KVTG/protocol/saml
At this point I am not sure which Java library I should use for the
clients and how to POST the assertion back to my service.
My main problem is how to configure multiple identity providers for ECP.
I configured multiple identity providers for the realm in the Keycloak
admin console and this works for web applications.
Is it possible that the Keycloak realm SAML endpoint responds somehow
with redirects to the already configured identity providers?
I tried to configure multiple identity providers for the servlet filter,
since the ECP spec allows for a list of these in the AuthnRequest
response. This did not work, in fact the xsd for the configuration file
allows for only one IDP element.
The latter approach seems to be more simple, but I would not get the
other features from the realm like attribute mapping, which I would get
maybe form the first approach.
What is the right way to configure multiple identity providers?
On 22/12/16 00:08, Pedro Igor Craveiro e Silva [via keycloak-user] wrote:
Did you try what we have today ? It should allow you to obtain SAML
assertions using the ECP profile already.
Or do you need something else that we don't yet support from the specs ?
Thanks.
On 12/21/2016 6:27:22 AM, mark <[hidden email]
</user/SendEmail.jtp?type=node&node=2096&i=0>> wrote:
Pedro Igor Craveiro e Silva wrote
> We do have some very basic support for ECP on the SP side. The
> implementation is really specific to Openstack use case and
> requirements.
>
> This capability is not advertised in any doc as we don't want people
> using it. In Keycloak we have some tests [1] for SAML ECP that use this
> stuff, but that is all. Just to make sure our IdP is aligned with
> Openstack.
Are there any plans for more ECP Support? I am just evaluating Keycloak and
made good progress with browser based applications but we will also need
ECP.
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-ECP-example-tp1184...
Sent from the keycloak-user mailing list archive at
Nabble.com.
_______________________________________________
keycloak-user mailing list
[hidden email] </user/SendEmail.jtp?type=node&node=2096&i=1>
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
[hidden email] </user/SendEmail.jtp?type=node&node=2096&i=2>
https://lists.jboss.org/mailman/listinfo/keycloak-user
------------------------------------------------------------------------
If you reply to this email, your message will be added to the discussion
below:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-ECP-example-tp1184...
To unsubscribe from [keycloak-user] ECP example?, click here
<
http://keycloak-user.88327.x6.nabble.com/template/NamlServlet.jtp?macro=u...;.
NAML
<
http://keycloak-user.88327.x6.nabble.com/template/NamlServlet.jtp?macro=m...
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/keycloak-user-ECP-example-tp1184...
Sent from the keycloak-user mailing list archive at
Nabble.com.