[keycloak-dev] SSO does not work if more than one federation provider (ldap with kerberos) is registered

May Marcus, Bedag Marcus.May at bedag.ch
Fri Apr 29 07:15:11 EDT 2016


Hi, I would like to propose an enhancement to the selection of a federation provider (LDAP with Kerberos).

I tried to register two federation providers (LDAP with Kerberos) to support SSO for users in two different Kerberos realms. The problem is that only the first (according to the attribute priority) will be used to authenticate the user. Authentication of users from the other federation provider with Kerberos does not work.

I think the selection of the federation provider to use could be improved in the code to solve this issue. I found the following code fragment in "org.keycloak.models.UserFederationManager.validCredentials(KeycloakSession, RealmModel, UserCredentialModel...)":

// Find first provider, which supports required credential type
for (UserFederationProvider fedProvider : fedProviders) {
        if (fedProvider.getSupportedCredentialTypes().contains(cred.getType())) {
                providerSupportingCreds = fedProvider;
                break;
        }
}

In the case of Kerberos, the federation provider could be chosen based on the Kerberos realm in the ticket and the configured Kerberos realm.

Can I just create an issue of type enhancement in Jira?

Marcus
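A stand-alone sketch of the realm-aware selection proposed above, added here as an example; it is not code from the post or from Keycloak. The FedProvider and Credential types are hypothetical stand-ins for the real interfaces, and the example assumes the principal's realm has already been extracted from the validated ticket.

```java
import java.util.List;
import java.util.Set;

// Hypothetical model of the provider selection loop quoted in the post,
// extended so that a Kerberos credential is routed to the provider whose
// configured realm matches the realm of the ticket principal. The types
// below are stand-ins, not Keycloak's API.
public class RealmAwareProviderSelection {

    /** Stand-in for a federation provider (hypothetical). */
    record FedProvider(String name, Set<String> supportedCredentialTypes, String kerberosRealm) {}

    /** Stand-in for a credential; for Kerberos, value holds the principal (assumption). */
    record Credential(String type, String value) {}

    static final String KERBEROS = "kerberos";

    /** Realm part of a principal such as "alice@EXAMPLE.ORG", or null if absent. */
    static String realmOf(String principal) {
        int at = principal == null ? -1 : principal.lastIndexOf('@');
        return at < 0 ? null : principal.substring(at + 1);
    }

    /**
     * For Kerberos, prefer the provider configured for the ticket's realm.
     * Otherwise fall back to the first provider (in priority order) that
     * supports the credential type, which is what the quoted loop does today.
     */
    static FedProvider select(List<FedProvider> fedProviders, Credential cred) {
        String realm = KERBEROS.equals(cred.type()) ? realmOf(cred.value()) : null;
        FedProvider firstSupporting = null;
        for (FedProvider p : fedProviders) {
            if (!p.supportedCredentialTypes().contains(cred.type())) continue;
            if (firstSupporting == null) firstSupporting = p;
            if (realm != null && realm.equalsIgnoreCase(p.kerberosRealm())) return p;
        }
        return firstSupporting;
    }

    public static void main(String[] args) {
        // Constructed sample: two LDAP/Kerberos providers for two realms.
        List<FedProvider> providers = List.of(
            new FedProvider("ldap-a", Set.of("password", KERBEROS), "A.EXAMPLE"),
            new FedProvider("ldap-b", Set.of("password", KERBEROS), "B.EXAMPLE"));
        System.out.println(select(providers, new Credential(KERBEROS, "bob@B.EXAMPLE")).name());
        System.out.println(select(providers, new Credential(KERBEROS, "carol@C.EXAMPLE")).name());
        System.out.println(select(providers, new Credential("password", "secret")).name());
    }
}
```

The second lookup shows the fallback: a realm no provider is configured for still lands on the first provider in priority order, so a mismatch is visible in which provider answers rather than silently rejected.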



