[keycloak-dev] Details on SAML Soap Binding support in Keycloak

[John Dennis]

On 12/07/2016 07:21 AM, Rashmi Singh wrote:
> We have a requirement to setup a SAML SP that sends SOAP request to the
> keycloak IDP which returns the SOAP response to the SAML SP. We would like
> to know if keycloak supports this? We came across something called as ECP
> that probably provides this support but cant find details on how to
> use/implement it. Could you provide us with some pointers on this?

Yes Keycloak SOAP works, we use it in our environments to implement ECP.

> Also, are there any sample SP that we can use to send SOAP requests to IDP?
> If not, any pointers on how to set this all up?

ECP is it's own client independent of the SP and IdP, it sits between 
the SP and IdP during the authentication flow. On the SP side the SP 
must know how process a request from an ECP client. The IdP only needs 
to know how process SOAP messages (which Keycloak does). The idea behind 
ECP is it is intended for non-browser clients which cannot perform the 
necessary redirects so instead the ECP client acts as a go-between 
shuttling messages between itself and the SP and between itself and the 
IdP. ECP transactions are relatively easy to implement. I have 2 scripts 
I use for testing ECP, one is a shell script and the other is a python 
script which uses the Lasso library (same library used by our 
mod_auth_mellon SP implementation, which also supports ECP). I can 
provide you with the scripts but they are meant for testing and would 
need some clean up for your environment. The Shibboleth SP also supports 
ECP but we do not support it (we only support mod_auth_mellon at the 
moment).

If you could be more specific as to what the customer needs it would 
help focus the discussion.



-- 
John