[keycloak-user] Feature Request: Better ECP Support for Service Provider
Mark Schäfer
mark.schaefer at markschaefer.de
Wed Jan 4 06:36:06 EST 2017

Recently I tried to use SAML ECP (Enhanced Client Profile) with KeyCloak
2.3.0.Final and the Tomcat 7 Adapter for a REST-Service. I am aware that
the ECP Support on the SP side is not officially supported and was only
implemented for Openstack integration.
Nevertheless I managed to receive a SAML authorization request from the
SP, forwarding it to the single configured IP resulting in a SAML
assertion. (With KeyCloak 2.5.0.Final the latter did not work anymore
and I will post this bug? separately).

The biggest missing feature right now is the missing support for
multiple IPs in the SP adapter configuration. ECP allows for multiple
IPs in the first response containing the SAML authorization request.
I suggest either enhancing the SP adapter configuration to allow
multiple IP elements and enhancing the adapter itself to handle SAML
responses from any one of these IPs.

Alternatively, it might be better to enhance KeyCloak itself to redirect
the ECP SAML authorisation request to the configured IPs in the
brokering section. This seems to be more complicated and I am not sure
if SAML or ECP provide this workflow.

Background: the setup of my customer has a REST service as SP providing
services for the users of 18+ different IPs, a default client
implementation for this service and about 100 different REST client
implementations by third party companies. All this takes place in the
German public healthcare system. SAML has been a given for a couple of years
and the IPs have ample experience with SAML web applications. ECP will
become mandatory in the coming months. As a consequence we need a solid
ECP support on the SP side.
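
The two SP-side pieces the post asks for, sketched as an added example that is not part of the mailing list post and not Keycloak adapter code: the SP's first ECP response (a PAOS/SOAP envelope) advertises every configured IdP in an `IDPList`, and when the ECP client later delivers the SAML Response, the SP accepts it only if it answers the outstanding request and its `Issuer` is one of those configured IdPs. The `CONFIGURED_IDPS` structure, the entity IDs and URLs are constructed placeholders; a real adapter must additionally verify the Response signature against the chosen IdP's certificate, which this example leaves out.

```python
# Added example: SP-side ECP handling with several configured IdPs.
# Not from the mailing list post and not Keycloak's SAML adapter code.
import copy
from datetime import datetime, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed configuration (hypothetical shape): the post asks for the
# adapter config to carry several IdP entries instead of a single one.
CONFIGURED_IDPS = [
    {"entity_id": "https://idp-a.example/saml", "ecp_url": "https://idp-a.example/saml/ecp"},
    {"entity_id": "https://idp-b.example/saml", "ecp_url": "https://idp-b.example/saml/ecp"},
]
SP_ENTITY_ID = "https://sp.example/rest"       # constructed
SP_ACS_URL = "https://sp.example/rest/saml"    # constructed
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"


def _q(prefix: str, tag: str) -> str:
    return "{%s}%s" % (NS[prefix], tag)


def build_ecp_request(request_id: str) -> bytes:
    """SP's answer to an ECP-capable client: PAOS envelope carrying the
    AuthnRequest plus an IDPList of every configured IdP."""
    env = ET.Element(_q("soap", "Envelope"))
    header = ET.SubElement(env, _q("soap", "Header"))
    # paos:Request tells the client where the IdP's answer must be delivered
    ET.SubElement(header, _q("paos", "Request"), {
        _q("soap", "mustUnderstand"): "1",
        _q("soap", "actor"): "http://schemas.xmlsoap.org/soap/actor/next",
        "responseConsumerURL": SP_ACS_URL,
        "service": NS["ecp"],
    })
    # ecp:Request names the SP and lists the IdPs the client may choose from
    ecp_req = ET.SubElement(header, _q("ecp", "Request"), {
        _q("soap", "mustUnderstand"): "1",
        _q("soap", "actor"): "http://schemas.xmlsoap.org/soap/actor/next",
    })
    ET.SubElement(ecp_req, _q("saml", "Issuer")).text = SP_ENTITY_ID
    idp_list = ET.SubElement(ecp_req, _q("samlp", "IDPList"))
    for idp in CONFIGURED_IDPS:
        ET.SubElement(idp_list, _q("samlp", "IDPEntry"),
                      {"ProviderID": idp["entity_id"], "Loc": idp["ecp_url"]})
    body = ET.SubElement(env, _q("soap", "Body"))
    authn = ET.SubElement(body, _q("samlp", "AuthnRequest"), {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": PAOS_BINDING,
    })
    ET.SubElement(authn, _q("saml", "Issuer")).text = SP_ENTITY_ID
    # The same IDPList also scopes the AuthnRequest itself
    ET.SubElement(authn, _q("samlp", "Scoping")).append(copy.deepcopy(idp_list))
    return ET.tostring(env, encoding="utf-8")


def advertised_idps(envelope: bytes) -> List[str]:
    """ProviderIDs the SP offered in the ECP header (what a client would read)."""
    root = ET.fromstring(envelope)
    entries = root.findall(".//ecp:Request/samlp:IDPList/samlp:IDPEntry", NS)
    return [e.get("ProviderID") for e in entries]


def validate_response_issuer(envelope: bytes, expected_request_id: str) -> Optional[str]:
    """Accept the delivered Response only if it answers our request and its
    Issuer is a configured IdP. Returns the accepted issuer, else None.
    (Signature verification against that IdP's certificate is still required.)"""
    root = ET.fromstring(envelope)
    resp = root.find(".//samlp:Response", NS)
    if resp is None or resp.get("InResponseTo") != expected_request_id:
        return None
    issuer = resp.findtext("saml:Issuer", namespaces=NS)
    allowed = {idp["entity_id"] for idp in CONFIGURED_IDPS}
    return issuer if issuer in allowed else None


def make_response(issuer: str, in_response_to: str) -> bytes:
    """Constructed, unsigned sample of what an ECP client would deliver."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body>'
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'InResponseTo="%s"><saml:Issuer>%s</saml:Issuer></samlp:Response>'
        '</soap:Body></soap:Envelope>'
        % (NS["soap"], NS["samlp"], NS["saml"], in_response_to, issuer)
    ).encode()


if __name__ == "__main__":
    req = build_ecp_request("_req1")
    print("advertised:", advertised_idps(req))
    print("idp-b:", validate_response_issuer(make_response("https://idp-b.example/saml", "_req1"), "_req1"))
    print("unknown:", validate_response_issuer(make_response("https://rogue.example/saml", "_req1"), "_req1"))
```

Checking `InResponseTo` against the request the SP actually issued, and the `Issuer` against the configured set, is what stops a Response from an unlisted IdP (or a replayed one) from being accepted just because it arrived at the ACS URL; with many IdPs the issuer check also decides which certificate the signature must be verified with.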