Makpoc

Reputation: 4179

How to configure Keycloak with SAML ECP profile

I'm implementing an SSO authentication flow using SAML for a web server running tomcat. Everything is working ok when using POST or Redirect bindings, but from what I've read to support the SAML authentication in front of a REST API I need to also configure and use an ECP profile.

First correct me if I'm wrong but the ECP flow should be like this:

  1. Client accesses the SP REST API
    • Client knows he needs to authenticate so he sets up the required ECP headers (Accept: application/vnd.paos+xml and PAOS: urn:liberty:paos:2003-08;urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp)
  2. SP sees client is not authenticated and returns a SOAP Envelope containing a PAOS Request.
  3. The client is responsible for sending this to the appropriate IdP on its ECP consumer service.
  4. The IdP challenges the client for authentication.
  5. The IdP returns a response in the form of another SOAP Envelope, containing the SAML Response in its body.
  6. The client must send this response to the SP's ECP/SOAP assertion consumer service.

The problem is all of this works until step 6. On this step I have the problem that the Body of the response envelope contains a Destination attribute, which points to the POST assertion consumer service of the SP. This destination attribute is set by Keycloak and mismatches the actual ECP service that I want to send the response to. The SAML library we are using is OpenSAML and it checks the request URI against this Destination attribute and if they do not match it throws an exception org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint.

I understand why this exception is thrown, but cannot understand how I can configure Keycloak with the ECP/SOAP service of the SP. In Keycloak's admin console I can only configure the URLs for SSO POST/Redirect and SLO POST/Redirect, but nothing about ECP.

I'm currently in the process of configuring another IdP, but I would really like to make sure that Keycloak can also be a supported server for our solution.

Upvotes: 5

Views: 2308

Answers (1)

Gertjan Al

Reputation: 21

Can't you just read the paos:Request responseConsumerURL and post the idp response to that url?

At least, that's how I managed to do it.

Upvotes: 1
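An added example, not code from the question or the answer, that works through the two envelopes the question's steps describe: it extracts paos:Request/@responseConsumerURL from the SP's step-2 envelope, as the answer suggests, pulls Destination out of the IdP's step-5 response, and runs the same equality check that OpenSAML enforces in step 6, so the mismatch surfaces on the client before anything is posted. The two SOAP envelopes and the sp.example.test URLs are constructed samples, not captures from Keycloak or a real SP.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from typing import Optional

# Namespace URIs used in the ECP exchange (standard SOAP, PAOS and SAML namespaces).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample of the SP's step-2 envelope (not a real SP or Keycloak capture).
SP_PAOS_REQUEST = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        responseConsumerURL="https://sp.example.test/saml/ecp"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  </S:Header>
  <S:Body/>
</S:Envelope>"""

# Constructed sample of the IdP's step-5 envelope; Destination names the POST ACS,
# which is exactly the mismatch the question describes.
IDP_RESPONSE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Body>
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
        Destination="https://sp.example.test/saml/post"/>
  </S:Body>
</S:Envelope>"""

def response_consumer_url(envelope: bytes) -> str:
    """Where the client must post the IdP's response: paos:Request/@responseConsumerURL."""
    req = ET.fromstring(envelope).find("soap:Header/paos:Request", NS)
    if req is None or "responseConsumerURL" not in req.attrib:
        raise ValueError("SOAP header carries no paos:Request/@responseConsumerURL")
    return req.attrib["responseConsumerURL"]

def response_destination(envelope: bytes) -> Optional[str]:
    """samlp:Response/@Destination from the IdP's SOAP body, or None if absent."""
    resp = ET.fromstring(envelope).find("soap:Body/samlp:Response", NS)
    return None if resp is None else resp.attrib.get("Destination")

def destination_matches(sp_envelope: bytes, idp_envelope: bytes) -> bool:
    """The step-6 check OpenSAML enforces: Destination must equal the endpoint that
    receives the response. Run it client-side before posting to spot the mismatch early."""
    return response_destination(idp_envelope) == response_consumer_url(sp_envelope)
```

With the constructed samples the check fails, which reproduces the exception path the question hits; it passes only when the IdP's Destination and the PAOS responseConsumerURL name the same endpoint.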
