[keycloak-user] SAML Binding - ECP Profile

Bill Burke bburke at redhat.com
Mon Feb 13 10:38:20 EST 2017



On 2/13/17 10:30 AM, John Dennis wrote:
> On 02/10/2017 05:07 PM, Jason B wrote:
>> Quick question: Can Keycloak act as an ECP client? Or does it need to be some
>> kind of gateway/proxy server sitting in front of the Service Provider,
>> intercepting the requests going to the Service Provider?
> I think you might be confused as to how ECP works. An ECP client sits
> *between* the SP and the IdP. An IdP such as Keycloak does not implement
> ECP, rather ECP is implemented in the ECP client. An IdP participates in
> an ECP flow by advertising a SingleSignOn SOAP binding protected by some
> form of HTTP authentication (typically basic and digest). The ECP client
> utilizes the IdP's SOAP binding.
>
> A good explanation of ECP and an example flow can be found in the SAML
> Technical overview in section 5.2:
>
> https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
>
>
> The ECP specification gives all the gory details:
>
> http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v2.0.html
>

And...after reading this spec you'll realize how much ECP sucks. Switch 
to OAuth and bearer tokens...much simpler and easier on the client than 
having to install a SOAP stack.

Bill
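To make John's description concrete (the ECP client sits between SP and IdP and talks PAOS to the SP and SOAP to the IdP), here is the XML core of such a client as an added example. It is not Keycloak code and not something either poster wrote; the namespaces, header blocks (paos:Request, ecp:Request, ecp:RelayState, ecp:Response) and the mandatory comparison of the SP's responseConsumerURL with the IdP's AssertionConsumerServiceURL come from the PAOS and ECP specifications linked above. The two sample envelopes and all URLs are constructed for the example; signatures, the assertion itself, TLS handling, HTTP Basic auth to the IdP and the SOAP fault the client owes the SP on a mismatch are left to the transport layer.

```python
"""XML core of a SAML ECP client: SP (PAOS) on one side, IdP (SOAP) on the other.

Constructed example, not Keycloak code. Transport is left to the caller: send
ECP_HEADERS to the SP, POST the idp_env to the IdP's SOAP SSO endpoint with HTTP
Basic auth, then POST sp_env to post_url as application/vnd.paos+xml.
"""
import xml.etree.ElementTree as ET

NS = {  # namespaces fixed by the SOAP, PAOS and SAML specs
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"

# Headers that make an ECP-aware SP answer with a PAOS envelope instead of a browser redirect.
ECP_HEADERS = {
    "Accept": "text/html; application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def sp_to_idp(paos_envelope):
    """Step 1: from the SP's PAOS envelope build the SOAP request for the IdP.
    Only the AuthnRequest travels on; paos:/ecp: headers are for the client.
    Returns (idp_envelope_bytes, responseConsumerURL, relay_state)."""
    env = ET.fromstring(paos_envelope)
    header = env.find(_q("S", "Header"))
    rcu = header.find(_q("paos", "Request")).get("responseConsumerURL")
    rs = header.find(_q("ecp", "RelayState"))
    authn = env.find(_q("S", "Body")).find(_q("samlp", "AuthnRequest"))
    idp_env = ET.Element(_q("S", "Envelope"))
    ET.SubElement(idp_env, _q("S", "Body")).append(authn)
    return ET.tostring(idp_env), rcu, None if rs is None else rs.text

def idp_to_sp(idp_envelope, response_consumer_url, relay_state):
    """Step 2: from the IdP's SOAP response build the PAOS envelope for the SP.
    The ECP spec requires the client to compare the IdP's AssertionConsumerServiceURL
    with the SP's responseConsumerURL and to refuse (SOAP fault to the SP, no Response
    forwarded) on mismatch; here the refusal is a ValueError.
    Returns (post_url, sp_envelope_bytes)."""
    env = ET.fromstring(idp_envelope)
    acs = env.find(_q("S", "Header")).find(_q("ecp", "Response")).get("AssertionConsumerServiceURL")
    if acs != response_consumer_url:
        raise ValueError("ACS mismatch: IdP %r vs SP %r" % (acs, response_consumer_url))
    saml_resp = env.find(_q("S", "Body")).find(_q("samlp", "Response"))
    sp_env = ET.Element(_q("S", "Envelope"))
    sp_header = ET.SubElement(sp_env, _q("S", "Header"))
    if relay_state is not None:  # RelayState is echoed back to the SP unchanged
        rs = ET.SubElement(sp_header, _q("ecp", "RelayState"),
                           {_q("S", "actor"): ACTOR, _q("S", "mustUnderstand"): "1"})
        rs.text = relay_state
    ET.SubElement(sp_env, _q("S", "Body")).append(saml_resp)
    return acs, ET.tostring(sp_env)

def run_flow(sp_paos, idp_soap):
    """Glue for both steps; returns what the transport layer needs."""
    idp_env, rcu, relay = sp_to_idp(sp_paos)
    post_url, sp_env = idp_to_sp(idp_soap, rcu, relay)
    return {"idp_env": idp_env, "post_url": post_url, "sp_env": sp_env, "relay_state": relay}

# Constructed sample messages (not captured traffic); signatures and assertion omitted.
SP_PAOS = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:paos="urn:liberty:paos:2003-08" xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <S:Header>
  <paos:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
   responseConsumerURL="https://sp.example.org/saml/ecp" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  <ecp:Request S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">
   <saml:Issuer>https://sp.example.org</saml:Issuer></ecp:Request>
  <ecp:RelayState S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1">state-42</ecp:RelayState>
 </S:Header>
 <S:Body>
  <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2017-02-13T15:00:00Z"
   AssertionConsumerServiceURL="https://sp.example.org/saml/ecp"><saml:Issuer>https://sp.example.org</saml:Issuer></samlp:AuthnRequest>
 </S:Body></S:Envelope>"""

IDP_SOAP = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <S:Header>
  <ecp:Response S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
   AssertionConsumerServiceURL="https://sp.example.org/saml/ecp"/>
 </S:Header>
 <S:Body>
  <samlp:Response ID="_resp1" Version="2.0" IssueInstant="2017-02-13T15:00:01Z" InResponseTo="_req1"
   Destination="https://sp.example.org/saml/ecp">
   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  </samlp:Response>
 </S:Body></S:Envelope>"""

# Same IdP message but naming another endpoint: the client must refuse to deliver it.
IDP_SOAP_WRONG_ACS = IDP_SOAP.replace(b"https://sp.example.org/saml/ecp", b"https://other.example.net/acs")

if __name__ == "__main__":
    out = run_flow(SP_PAOS, IDP_SOAP)
    print(out["post_url"])
    print(out["sp_env"].decode())
    try:
        run_flow(SP_PAOS, IDP_SOAP_WRONG_ACS)
    except ValueError as e:
        print("refused:", e)
```

The point of the URL comparison is that the ECP client, not a browser, decides where the SAML Response ends up; without it a response obtained for one endpoint could be handed to another. Note how much machinery even this stripped-down version needs on the client (SOAP envelopes, mustUnderstand headers, PAOS content types), which is the cost Bill's remark about a SOAP stack refers to.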

