[keycloak-user] SAML securing application via browser / REST API via ECP on wildfly

John Dennis jdennis at redhat.com
Thu Apr 11 12:18:13 EDT 2019


On 4/11/19 5:07 AM, Manuel Waltschek wrote:
> Hello KC Community!
> 
> We are currently securing our war via browser SSO with SAML. We are deploying on wildfly 10 and are using keycloak as an IdP broker.
> We have the requirement to also secure a REST endpoint which is invoked by a third party. I read about ECP shortly in KC docs and some forum discussions, but I could not find out how to set this up. It is also unclear if keycloak even supports this feature. If not ECP, are there any other known ways to support this behaviour?

Keycloak supports ECP. But from your description it's not clear if you 
understand the ECP use case. ECP is meant for non-browser (e.g. use 
without a user agent) authentication. Typically this means command-line 
tools. The ECP SAML profile requires 3 cooperating parties to be ECP aware:

1) A relying party (typically a web resource, often referred to as 
Service Provider, i.e. SP). In your case this is where the REST endpoint 
exists. Usually this means an HTTP server such as Apache with a SAML 
module loaded, or it could be the JBoss Undertow server part of Wildfly 
(although I have no personal knowledge of the SAML support in Undertow, 
others here are probably much more familiar with this).

2) An ECP client, e.g. the command line tool or other non-browser 
implementation.

3) A SAML assertion provider (e.g. IdP), this would be Keycloak in this 
instance.

The ECP flow works like this: The ECP client requests a resource on the 
SP (REST endpoint), indicating that it wants ECP. The SP returns a SOAP 
document to the ECP client containing an authentication request. The ECP 
client forwards the authentication request to the IdP (e.g. Keycloak) 
along with authentication credentials (recall ECP is meant for 
non-interactive use). The IdP returns the authentication result (i.e. 
SAML Assertion) to the ECP client. The ECP client then forwards it to 
the SP. The SP will then return the original requested resource. Note, 
this is a simplified explanation.

Hopefully you can see from this description that the fact the protected 
resource is a REST endpoint or the fact it's invoked by a third party 
has little bearing on the choice of using the ECP SAML profile. Rather I 
think what you're looking for is how to perform delegation, a different 
topic.


-- 
John Dennis
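The exchange John describes, as an added example that is not part of the original message and is not Keycloak or Wildfly code: a Python sketch of the ECP client's side of the four messages (SP reply with AuthnRequest, request to the IdP, IdP reply, delivery to the SP). The three SOAP envelopes are constructed inline for the example; the URLs, message IDs, RelayState value and the IdP realm path are placeholders, HTTP Basic is assumed as the way the client hands its credentials to the IdP, and the signed assertion and its signature verification are left out.

```python
"""ECP client-side message handling (added example, not Keycloak or Wildfly
code).  All messages are constructed inline; URLs, IDs and RelayState are
placeholders.  Real code must verify the assertion signature and should use a
hardened XML parser such as defusedxml for untrusted input."""
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"
NS = {"S": SOAP, "paos": PAOS, "ecp": ECP, "samlp": SAMLP, "saml": SAML}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
MU = {f"{{{SOAP}}}actor": ACTOR, f"{{{SOAP}}}mustUnderstand": "1"}
XMLNS = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SP_URL = "https://sp.example.test/api/saml/ecp"  # placeholder

# Headers on the client's first GET; this is how it "indicates it wants ECP".
PAOS_HTTP_HEADERS = {"Accept": "text/html; application/vnd.paos+xml",
                     "PAOS": f'ver="{PAOS}";"{ECP}"'}

# Constructed SP reply (step 1): AuthnRequest in the body; the PAOS header
# names the URL the client must deliver the IdP's answer to.
SP_SOAP = f"""<S:Envelope {XMLNS}><S:Header>
 <paos:Request S:actor="{ACTOR}" S:mustUnderstand="1" service="{ECP}"
     responseConsumerURL="{SP_URL}"/>
 <ecp:Request S:actor="{ACTOR}" S:mustUnderstand="1" IsPassive="false">
   <saml:Issuer>https://sp.example.test</saml:Issuer></ecp:Request>
 <ecp:RelayState S:actor="{ACTOR}" S:mustUnderstand="1">opaque-relay-state</ecp:RelayState>
</S:Header><S:Body>
 <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2019-04-11T12:00:00Z"
     AssertionConsumerServiceURL="{SP_URL}"><saml:Issuer>https://sp.example.test</saml:Issuer>
 </samlp:AuthnRequest></S:Body></S:Envelope>"""


def make_idp_reply(acs_url):
    """Constructed IdP reply (step 3); the signed saml:Assertion is left out."""
    return f"""<S:Envelope {XMLNS}><S:Header>
 <ecp:Response S:actor="{ACTOR}" S:mustUnderstand="1" AssertionConsumerServiceURL="{acs_url}"/>
</S:Header><S:Body>
 <samlp:Response ID="_resp1" Version="2.0" InResponseTo="_req1"
     IssueInstant="2019-04-11T12:00:01Z" Destination="{acs_url}">
   <saml:Issuer>https://idp.example.test/auth/realms/demo</saml:Issuer>
   <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 </samlp:Response></S:Body></S:Envelope>"""


def parse_sp_reply(xml):
    """Step 1: take the AuthnRequest, the delivery URL and the RelayState."""
    env = ET.fromstring(xml)
    paos_req = env.find("S:Header/paos:Request", NS)
    if paos_req is None or paos_req.get("service") != ECP:
        raise ValueError("SP did not offer the ECP service")
    authn = env.find("S:Body/samlp:AuthnRequest", NS)
    if authn is None:
        raise ValueError("no AuthnRequest in SOAP body")
    relay = env.find("S:Header/ecp:RelayState", NS)
    return authn, paos_req.get("responseConsumerURL"), getattr(relay, "text", None)


def build_idp_request(authn):
    """Step 2: envelope the AuthnRequest for the IdP's SOAP endpoint.  The user's
    credentials travel in an HTTP header (Basic assumed here), not in the XML."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(authn)
    return ET.tostring(env, encoding="utf-8")


def basic_auth_header(user, password):
    """Assumed credential transport for step 2: an HTTP Basic Authorization value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def acs_url_matches(idp_xml, response_consumer_url):
    """The ECP profile's mandatory client check: the IdP's
    AssertionConsumerServiceURL must equal the SP's responseConsumerURL, or a
    man-in-the-middle SP could relay another SP's AuthnRequest and collect the
    resulting assertion."""
    ecp_resp = ET.fromstring(idp_xml).find("S:Header/ecp:Response", NS)
    return (ecp_resp is not None and
            ecp_resp.get("AssertionConsumerServiceURL") == response_consumer_url)


def build_sp_delivery(idp_xml, response_consumer_url, relay_state):
    """Steps 3-4: wrap samlp:Response for the SP.  On ACS mismatch the profile
    says to send the SP a SOAP fault instead; here we simply refuse."""
    if not acs_url_matches(idp_xml, response_consumer_url):
        raise ValueError("ACS URL mismatch: refusing to deliver assertion")
    saml_resp = ET.fromstring(idp_xml).find("S:Body/samlp:Response", NS)
    if saml_resp is None:
        raise ValueError("IdP reply carries no samlp:Response")
    out = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(out, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{PAOS}}}Response", dict(MU))
    if relay_state is not None:
        ET.SubElement(hdr, f"{{{ECP}}}RelayState", dict(MU)).text = relay_state
    ET.SubElement(out, f"{{{SOAP}}}Body").append(saml_resp)
    return ET.tostring(out, encoding="utf-8")


def run_ecp_flow(sp_xml, idp_xml):
    """Whole client side, with the IdP reply passed in instead of fetched."""
    authn, rc_url, relay = parse_sp_reply(sp_xml)
    build_idp_request(authn)  # in real use: POST this to the IdP's ECP endpoint
    return build_sp_delivery(idp_xml, rc_url, relay)
```

The part worth noticing is acs_url_matches: the client must refuse to post the assertion when the IdP's AssertionConsumerServiceURL differs from the responseConsumerURL the SP supplied, since that mismatch is the sign of an SP relaying someone else's AuthnRequest. Everything else is routing; what actually authorises the third party is whatever the SP does with the assertion once delivered.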

