[keycloak-user] SAML Binding - ECP Profile

John Dennis jdennis at redhat.com
Fri Feb 10 14:19:00 EST 2017


On 02/10/2017 12:59 PM, Jason B wrote:
> Hi,
>
> I am trying to work on SAML ECP profile. According to Keycloak's server
> administration documentation this SAML binding is supported. But when I
> configure IdP/SSO in metadata I am not seeing any description/meta specific
> to ECP binding. Any documentation available on how to use ECP profile in
> Keycloak?
>
> Also, while testing IdP initiated SSO/ SP initiated SSO,how can I inform
> Keycloak to use specific binding? Is there any query string parameter
> available that I can use?

ECP definitely works with Keycloak; we use it all the time.

You want to use the SOAP endpoint, e.g.

<SingleSignOnService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
   Location="https:xxx/auth/realms/xxx/protocol/saml"
/>

You may not see this endpoint in your IdP metadata depending on how you 
obtained the metadata from Keycloak. It always appears if you use the 
/auth/realms/{realm}/protocol/saml/descriptor REST endpoint. But if you 
use the "Installation" on the client to get the IDPSSODescriptor it 
won't appear unless you configure the client to use the endpoint 
(Keycloak only populates HTTP-POST using this method). IMHO this 
inconsistency is broken, but Bill disagrees (the fact the OP couldn't 
find the SOAP endpoint to me is further evidence a client specific view 
of the IdP metadata is not a good idea).

But back to the original question of how to use ECP with Keycloak. There 
is very little you need to do in Keycloak. You only need to determine 
the SOAP endpoint [1] and of course have the SP registered. Make sure the 
PAOS endpoint, as it appears in the SP metadata, is in the list of 
redirect URIs for Keycloak's SP client. That's it.

Most of the configuration occurs in the ECP client. The ECP client must 
know the SP as well as the Keycloak SOAP endpoint. Currently Keycloak 
only supports basic and digest HTTP authentication with ECP.

[1] FWIW Keycloak uses the same endpoint for all bindings, however you 
should not count on this, you should get the binding endpoint from the 
metadata.

-- 
John
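As an added illustration of the client side John describes (this is example code, not code from the original post, from Keycloak, or from any ECP client; hosts, credentials and message contents are constructed and hypothetical): the ECP client takes the SOAP SingleSignOnService from the IdP metadata by Binding rather than assuming one URL serves every binding, forwards the SP's AuthnRequest to that endpoint with HTTP Basic credentials, and, before handing the IdP's response to the SP, performs the check the ECP profile requires of the client: the AssertionConsumerServiceURL the IdP returns must equal the responseConsumerURL the SP advertised, otherwise the exchange is aborted. It uses only the standard library; for XML that did not come from a peer you already trust, parse with defusedxml instead.

```python
"""Client side of a SAML ECP exchange against a SOAP-binding IdP such as Keycloak.
All messages below are constructed samples (hypothetical hosts); no network I/O."""
import base64
import xml.etree.ElementTree as ET  # parse only peer-trusted XML this way; use defusedxml for untrusted input

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SOAP_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"

def q(prefix, local):
    return f"{{{NS[prefix]}}}{local}"  # Clark-notation name for ElementTree

class ECPSecurityError(Exception):
    """IdP AssertionConsumerServiceURL does not match the SP's responseConsumerURL."""

def soap_sso_endpoint(idp_metadata_xml):
    """Location of the SingleSignOnService advertised for the SOAP binding.
    Selected by Binding: never assume one URL serves every binding."""
    root = ET.fromstring(idp_metadata_xml)
    for sso in root.iter(q("md", "SingleSignOnService")):
        if sso.get("Binding") == SOAP_BINDING:
            return sso.get("Location")
    raise ValueError("IdP metadata advertises no SOAP SingleSignOnService")

def idp_request_from_paos(paos_response_xml):
    """Step 1: read the SP's PAOS response. Remember responseConsumerURL and RelayState;
    forward only the AuthnRequest to the IdP in a fresh SOAP envelope (PAOS/ECP headers dropped)."""
    env = ET.fromstring(paos_response_xml)
    hdr, body = env.find(q("S", "Header")), env.find(q("S", "Body"))
    paos_req = hdr.find(q("paos", "Request"))
    authn = body.find(q("samlp", "AuthnRequest"))
    if paos_req is None or authn is None:
        raise ValueError("not an ECP PAOS response")
    rs = hdr.find(q("ecp", "RelayState"))
    out = ET.Element(q("S", "Envelope"))
    ET.SubElement(out, q("S", "Body")).append(authn)
    return paos_req.get("responseConsumerURL"), (rs.text if rs is not None else None), ET.tostring(out, encoding="unicode")

def basic_auth_headers(user, password):
    """HTTP Basic credentials for the IdP SOAP call (Keycloak: Basic or Digest).
    Send them only over TLS, to the endpoint taken from verified IdP metadata."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "text/xml", "Accept": "text/xml"}

def sp_request_from_idp(idp_response_xml, response_consumer_url, relay_state):
    """Step 2: read the IdP's SOAP response. The ECP profile requires the client to compare
    ecp:Response/@AssertionConsumerServiceURL with the SP's responseConsumerURL and abort
    (the profile says: send a SOAP fault to the SP) on mismatch, so a response cannot be
    steered to a consumer other than the one the SP asked for."""
    env = ET.fromstring(idp_response_xml)
    hdr, body = env.find(q("S", "Header")), env.find(q("S", "Body"))
    ecp_resp = hdr.find(q("ecp", "Response"))
    acs = ecp_resp.get("AssertionConsumerServiceURL") if ecp_resp is not None else None
    if acs != response_consumer_url:
        raise ECPSecurityError(f"ACS {acs!r} != responseConsumerURL {response_consumer_url!r}")
    must = {q("S", "mustUnderstand"): "1", q("S", "actor"): SOAP_NEXT}
    out = ET.Element(q("S", "Envelope"))
    out_hdr = ET.SubElement(out, q("S", "Header"))
    ET.SubElement(out_hdr, q("paos", "Response"), must)
    if relay_state is not None:
        ET.SubElement(out_hdr, q("ecp", "RelayState"), must).text = relay_state
    ET.SubElement(out, q("S", "Body")).append(body.find(q("samlp", "Response")))
    return acs, ET.tostring(out, encoding="unicode")

# Constructed samples. Signatures and the Assertion are omitted; a real IdP response
# carries a signed Assertion that the SP, not the ECP client, validates.
RCU = "https://sp.example.test/saml/ecp"
HDR = f'S:mustUnderstand="1" S:actor="{SOAP_NEXT}"'
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://idp.example.test/auth/realms/demo">
 <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/auth/realms/demo/protocol/saml"/>
  <md:SingleSignOnService Binding="{SOAP_BINDING}" Location="https://idp.example.test/auth/realms/demo/protocol/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_PAOS_RESPONSE = f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:paos="{NS['paos']}" xmlns:ecp="{NS['ecp']}"
 xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"><S:Header>
 <paos:Request {HDR} responseConsumerURL="{RCU}" service="{NS['ecp']}"/>
 <ecp:Request {HDR}><saml:Issuer>https://sp.example.test/saml</saml:Issuer></ecp:Request>
 <ecp:RelayState {HDR}>state-123</ecp:RelayState></S:Header><S:Body>
 <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2017-02-10T19:00:00Z"
  AssertionConsumerServiceURL="{RCU}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer></samlp:AuthnRequest></S:Body></S:Envelope>"""

def idp_response(acs):
    """Constructed IdP SOAP response whose ecp:Response header names the given ACS URL."""
    return f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:ecp="{NS['ecp']}" xmlns:samlp="{NS['samlp']}"><S:Header>
 <ecp:Response {HDR} AssertionConsumerServiceURL="{acs}"/></S:Header><S:Body>
 <samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2017-02-10T19:00:01Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 </samlp:Response></S:Body></S:Envelope>"""

if __name__ == "__main__":
    rcu, relay, to_idp = idp_request_from_paos(SP_PAOS_RESPONSE)  # would be POSTed to the SOAP endpoint
    acs, to_sp = sp_request_from_idp(idp_response(rcu), rcu, relay)  # would be POSTed to rcu
    print(soap_sso_endpoint(IDP_METADATA), acs, basic_auth_headers("alice", "s3cret")["Authorization"])
```

The two outbound envelopes are what a real client would POST with an HTTP library: `to_idp` with the Basic headers to the SOAP endpoint from the metadata, then `to_sp` to `rcu`. Feeding `idp_response("https://evil.example.test/acs")` to `sp_request_from_idp` raises `ECPSecurityError` instead of producing an envelope, which is the behaviour the profile demands of the client.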

