[keycloak-user] SAML Binding - ECP Profile

Jason B jason at naidmincloud.com
Fri Feb 10 17:07:50 EST 2017


Quick question: Can Keycloak act as an ECP client? Or does it need to be some kind of
gateway/proxy server sitting in front of the Service Provider, intercepting the
requests going to the service provider?

On Fri, Feb 10, 2017 at 12:25 PM, Jason B <jason at naidmincloud.com> wrote:

> Thanks John for your inputs. Will give it a try.
>
>
> On Fri, Feb 10, 2017 at 11:19 AM, John Dennis <jdennis at redhat.com> wrote:
>
>> On 02/10/2017 12:59 PM, Jason B wrote:
>>
>>> Hi,
>>>
>>> I am trying to work on SAML ECP profile. According to Keycloak's server
>>> administration documentation this SAML binding is supported. But when I
>>> configure IdP/SSO in metadata I am not seeing any description/meta
>>> specific
>>> to ECP binding. Any documentation available on how to use ECP profile in
>>> Keycloak?
>>>
>>> Also, while testing IdP-initiated SSO / SP-initiated SSO, how can I inform
>>> Keycloak to use a specific binding? Is there any query string parameter
>>> available that I can use?
>>>
>>
>> ECP definitely works with Keycloak; we use it all the time.
>>
>> You want to use the SOAP endpoint, e.g.
>>
>> <SingleSignOnService
>>   Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
>>   Location="https:xxx/auth/realms/xxx/protocol/saml"
>> />
>>
>> You may not see this endpoint in your IdP metadata depending on how you
>> obtained the metadata from Keycloak. It always appears if you use the
>> /auth/realms/{realm}/protocol/saml/descriptor REST endpoint. But if you
>> use the "Installation" on the client to get the IDPSSODescriptor it won't
>> appear unless you configure the client to use the endpoint (keycloak only
>> populates HTTP-POST using this method). IMHO this inconsistency is broken,
>> but Bill disagrees (the fact the OP couldn't find the SOAP endpoint to me
>> is further evidence a client specific view of the IdP metadata is not a
>> good idea).
>>
>> But back to the original question of how to use ECP with Keycloak. There
>> is very little you need to do in Keycloak. You only need to determine the
>> SOAP endpoint [1] and of course have the SP registered. Make sure the PAOS
>> endpoint, as it appears in the SP metadata, is in the list of redirect URIs
>> for Keycloak's SP client. That's it.
>>
>> Most of the configuration occurs in the ECP client. The ECP client must
>> know the SP as well as the Keycloak SOAP endpoint. Currently Keycloak only
>> supports basic and digest HTTP authentication with ECP.
>>
>> [1] FWIW Keycloak uses the same endpoint for all bindings, however you
>> should not count on this, you should get the binding endpoint from the
>> metadata.
>>
>> --
>> John
>>
>
>

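The exchange John describes, as an added example that is not part of the original thread and is not Keycloak's or any participant's code: a minimal Python 3 (standard library only) walk-through of the ECP client side over constructed sample messages. The hostnames, realm, entity URLs, RelayState, username and password are made up; the SP's PAOS response and the IdP's SOAP response are hand-written stand-ins rather than captures, and no HTTP is performed. It shows the two request headers that make an SP answer with PAOS instead of an HTML login, the re-wrapping of the AuthnRequest for the IdP's SOAP endpoint with HTTP Basic authentication (the mechanism John says Keycloak supports for ECP), and the check the ECP profile itself requires of the client: the AssertionConsumerServiceURL in the IdP's ecp:Response header must equal the responseConsumerURL the SP sent in its paos:Request header, otherwise the client returns a SOAP fault to the SP and withholds the assertion. That responseConsumerURL is the SP's PAOS endpoint which, per John, has to be among the redirect URIs of the Keycloak client.

```python
import base64
import xml.etree.ElementTree as ET

NS = {  # standard namespace URIs: SOAP 1.1, PAOS binding, ECP profile, SAML 2.0 protocol
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

def q(prefix, local):  # Clark-notation tag for ElementTree, e.g. q("soap", "Body")
    return "{%s}%s" % (NS[prefix], local)

# Step 1 (client -> SP): these headers announce PAOS/ECP; without them the SP sends an HTML login.
ECP_REQUEST_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Constructed SP answer (step 2); responseConsumerURL is the SP's PAOS endpoint from its metadata.
SP_PAOS_RESPONSE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <paos:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      responseConsumerURL="https://sp.example.com/saml/ecp" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
    <ecp:RelayState S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">state-123</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2017-02-10T17:00:00Z"
      AssertionConsumerServiceURL="https://sp.example.com/saml/ecp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
  </S:Body>
</S:Envelope>"""

def idp_soap_response(acs_url):
    """Constructed IdP answer (step 4); acs_url is a parameter so the mismatch case can be exercised."""
    return f"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <ecp:Response S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
      AssertionConsumerServiceURL="{acs_url}"/>
  </S:Header>
  <S:Body>
    <samlp:Response ID="_resp1" InResponseTo="_req1" Version="2.0" Destination="{acs_url}">
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  </S:Body>
</S:Envelope>"""

def parse_sp_paos_response(xml_text):
    """Step 2: remember responseConsumerURL and RelayState, extract the AuthnRequest."""
    env = ET.fromstring(xml_text)
    rc_url = env.find("soap:Header/paos:Request", NS).get("responseConsumerURL")
    relay = env.find("soap:Header/ecp:RelayState", NS)
    authn = env.find("soap:Body/samlp:AuthnRequest", NS)
    return rc_url, (relay.text if relay is not None else None), authn

def build_idp_request(authn_request, username, password):
    """Step 3 (client -> IdP SOAP endpoint): bare SOAP envelope, PAOS/ECP headers dropped, HTTP Basic."""
    env = ET.Element(q("soap", "Envelope"))
    ET.SubElement(env, q("soap", "Header"))
    ET.SubElement(env, q("soap", "Body")).append(authn_request)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Content-Type": "text/xml", "Authorization": f"Basic {token}"}
    return headers, ET.tostring(env, encoding="unicode")

def parse_idp_response(xml_text):
    """Step 4: the ecp:Response header states which ACS URL the IdP answered for."""
    env = ET.fromstring(xml_text)
    acs = env.find("soap:Header/ecp:Response", NS).get("AssertionConsumerServiceURL")
    return acs, env.find("soap:Body/samlp:Response", NS)

def build_sp_delivery(idp_acs_url, saml_response, expected_rc_url, relay_state):
    """Step 5 (client -> SP): the profile's mandatory check. The IdP's AssertionConsumerServiceURL
    must equal the SP's responseConsumerURL; on mismatch send a SOAP fault and withhold the response."""
    env = ET.Element(q("soap", "Envelope"))
    hdr = ET.SubElement(env, q("soap", "Header"))
    body = ET.SubElement(env, q("soap", "Body"))
    if idp_acs_url != expected_rc_url:
        fault = ET.SubElement(body, q("soap", "Fault"))
        ET.SubElement(fault, "faultcode").text = "soap:Server"
        ET.SubElement(fault, "faultstring").text = "AssertionConsumerServiceURL mismatch"
        return False, ET.tostring(env, encoding="unicode")
    mu = {q("soap", "mustUnderstand"): "1", q("soap", "actor"): "http://schemas.xmlsoap.org/soap/actor/next"}
    ET.SubElement(hdr, q("paos", "Response"), mu)
    if relay_state is not None:
        ET.SubElement(hdr, q("ecp", "RelayState"), mu).text = relay_state
    body.append(saml_response)
    return True, ET.tostring(env, encoding="unicode")

def run_ecp_flow(sp_paos_xml, idp_soap_xml, username, password):
    """Drive the exchange over the embedded samples; a real client does HTTP between the steps."""
    rc_url, relay, authn = parse_sp_paos_response(sp_paos_xml)
    idp_headers, idp_body = build_idp_request(authn, username, password)
    # A real client POSTs idp_body with idp_headers to the IdP's SOAP endpoint and gets idp_soap_xml back.
    acs, saml_resp = parse_idp_response(idp_soap_xml)
    ok, delivery = build_sp_delivery(acs, saml_resp, rc_url, relay)
    return {"rc_url": rc_url, "ok": ok, "delivery": delivery, "idp_headers": idp_headers, "idp_body": idp_body}
```

Calling run_ecp_flow(SP_PAOS_RESPONSE, idp_soap_response("https://sp.example.com/saml/ecp"), "alice", "s3cret") yields ok=True and a PAOS envelope ready to POST to the SP's responseConsumerURL; passing any other ACS URL to idp_soap_response yields ok=False and a SOAP fault instead. The SOAP endpoint itself should be taken from the IdP metadata (the SingleSignOnService element with the SOAP binding), exactly as John's footnote advises, rather than assumed from the URL pattern.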
