<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Arial" size="2"><span style="font-size:10pt;">
<div style="margin-top:3pt;margin-bottom:3pt;">Hi, I would like to propose an enhancement to the selection of an federation provider (ldap with kerberos).</div>
<div style="margin-top:3pt;margin-bottom:3pt;"> </div>
<div style="margin-top:3pt;margin-bottom:3pt;">I tried to register two federation providers (ldap with kerberos) to support SSO for users in two different kerberos realms. The problem is that only the first (according to attribute priority) will be used to
authenticate the user. Authentication of users from the other federation provider with kerberos does not work.</div>
<div style="margin-top:3pt;margin-bottom:3pt;"> </div>
<div style="margin-top:3pt;margin-bottom:3pt;">I think the selection of the federation provider to use could be improved in the code to solve this issue. I found the following code fragment in "org.keycloak.models.UserFederationManager.validCredentials(KeycloakSession,
RealmModel, UserCredentialModel...)":</div>
<div style="margin-top:3pt;margin-bottom:3pt;"><font face="Times New Roman" size="2"><span style="font-size:11pt;"> </span></font></div>
<div style="margin-top:3pt;margin-bottom:3pt;">// Find first provider, which supports required credential type</div>
<div style="margin-top:3pt;margin-bottom:3pt;">for (UserFederationProvider fedProvider : fedProviders) {</div>
<div style="margin-top:3pt;margin-bottom:3pt;"> if (fedProvider.getSupportedCredentialTypes().contains(cred.getType())) {</div>
<div style="margin-top:3pt;margin-bottom:3pt;"> providerSupportingCreds = fedProvider;</div>
<div style="margin-top:3pt;margin-bottom:3pt;"> break;</div>
<div style="margin-top:3pt;margin-bottom:3pt;"> }</div>
<div style="margin-top:3pt;margin-bottom:3pt;">}</div>
<div style="margin-top:3pt;margin-bottom:3pt;"><font face="Times New Roman" size="2"><span style="font-size:11pt;"> </span></font></div>
<div>In case of kerberos the federation provider could be chosen based on the kerberos realm in the ticket and the configured kerberos realm.<br>
</div>
<div><font size="2"><span style="font-size:11pt;">Can I just create an issue of type <font size="2"><span style="font-size:10pt;">enhancement </span></font>in jira?</span></font></div>
<div><font face="Times New Roman" size="2"><span style="font-size:11pt;"> </span></font></div>
<div><font size="2"><span style="font-size:11pt;">Marcus</span></font></div>
<div style="margin-top:3pt;margin-bottom:3pt;"><font face="Times New Roman" size="2"><span style="font-size:11pt;"> </span></font></div>
<div style="margin-top:3pt;margin-bottom:3pt;"><font face="Times New Roman" size="2"><span style="font-size:11pt;"> </span></font></div>
</span></font>
</body>
</html>