[keycloak-dev] SSO does not work if more than one federation provider (ldap with kerberos) is registered
Marek Posolda
mposolda at redhat.com
Fri Apr 29 07:43:12 EDT 2016
On 29/04/16 13:15, May Marcus, Bedag wrote:
> Hi, I would like to propose an enhancement to the selection of a
> federation provider (ldap with kerberos).
> I tried to register two federation providers (ldap with kerberos) to
> support SSO for users in two different kerberos realms. The problem is
> that only the first (according to attribute priority) will be used to
> authenticate the user. Authentication of users from the other
> federation provider with kerberos does not work.
> I think the selection of the federation provider to use could be
> improved in the code to solve this issue. I found the following code
> fragment in
> "org.keycloak.models.UserFederationManager.validCredentials(KeycloakSession,
> RealmModel, UserCredentialModel...)":
> // Find first provider, which supports required credential type
> for (UserFederationProvider fedProvider : fedProviders) {
>     if (fedProvider.getSupportedCredentialTypes().contains(cred.getType())) {
>         providerSupportingCreds = fedProvider;
>         break;
>     }
> }
> In case of kerberos the federation provider could be chosen based on
> the kerberos realm in the ticket and the configured kerberos realm.
> Can I just create an issue of type enhancement in jira?
Yes, feel free to create a JIRA for that.
Marek
> Marcus
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
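
The selection problem discussed in this thread, as an added example that is not part of the original messages and is not Keycloak code: first-match selection next to a realm-aware selection that returns nothing when no configured realm matches. The `Provider` class, the `realmAware` method and the `ticketRealm` value are hypothetical, and the realm is assumed to have been extracted from the ticket already.

```java
import java.util.*;

// Hypothetical stand-ins for the federation types; only the selection logic matters.
public class ProviderSelection {
    static final String KERBEROS = "kerberos";

    static class Provider {
        final String name;
        final String kerberosRealm;
        final Set<String> credTypes;
        Provider(String name, String kerberosRealm, String... credTypes) {
            this.name = name;
            this.kerberosRealm = kerberosRealm;
            this.credTypes = new HashSet<>(Arrays.asList(credTypes));
        }
    }

    // Behaviour of the quoted fragment: the first provider supporting the type wins.
    static Optional<Provider> firstMatch(List<Provider> providers, String credType) {
        return providers.stream().filter(p -> p.credTypes.contains(credType)).findFirst();
    }

    // Proposed behaviour: for Kerberos, the configured realm must also equal the
    // realm from the ticket (exact, case-sensitive). No fallback to another realm.
    static Optional<Provider> realmAware(List<Provider> providers, String credType, String ticketRealm) {
        return providers.stream()
                .filter(p -> p.credTypes.contains(credType))
                .filter(p -> !KERBEROS.equals(credType)
                        || (ticketRealm != null && ticketRealm.equals(p.kerberosRealm)))
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample: two LDAP+Kerberos providers in priority order.
        List<Provider> providers = Arrays.asList(
                new Provider("ldap-a", "A.EXAMPLE.ORG", KERBEROS, "password"),
                new Provider("ldap-b", "B.EXAMPLE.ORG", KERBEROS, "password"));
        String ticketRealm = "B.EXAMPLE.ORG"; // constructed value

        System.out.println("first match:   " + firstMatch(providers, KERBEROS).map(p -> p.name).orElse("none"));
        System.out.println("realm aware:   " + realmAware(providers, KERBEROS, ticketRealm).map(p -> p.name).orElse("none"));
        System.out.println("unknown realm: " + realmAware(providers, KERBEROS, "C.EXAMPLE.ORG").map(p -> p.name).orElse("none"));
    }
}
```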