<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 29/04/16 13:15, May Marcus, Bedag
      wrote:<br>
    </div>
    <blockquote
cite="mid:3835837561142448A72F035FFA6D0BAD010010F4B7@bisrv1040.ad.bedag.ch"
      type="cite">
      <font face="Arial" size="2"><span style="font-size:10pt;">
          <div style="margin-top:3pt;margin-bottom:3pt;">Hi, I would
            like to propose an enhancement to the selection of a
            federation provider (ldap with kerberos).</div>
          <div style="margin-top:3pt;margin-bottom:3pt;"> </div>
          <div style="margin-top:3pt;margin-bottom:3pt;">I tried to
            register two federation providers (ldap with kerberos) to
            support SSO for users in two different kerberos realms. The
            problem is that only the first (according to attribute
            priority) will be used to
            authenticate the user. Authentication of users from the
            other federation provider with kerberos does not work.</div>
          <div style="margin-top:3pt;margin-bottom:3pt;"> </div>
          <div style="margin-top:3pt;margin-bottom:3pt;">I think the
            selection of the federation provider to use could be
            improved in the code to solve this issue. I found the
            following code fragment in
            "org.keycloak.models.UserFederationManager.validCredentials(KeycloakSession,
RealmModel,
            UserCredentialModel...)":</div>
          <div style="margin-top:3pt;margin-bottom:3pt;"><font
              face="Times New Roman" size="2"><span
                style="font-size:11pt;"> </span></font></div>
          <div style="margin-top:3pt;margin-bottom:3pt;">
<pre>// Find first provider, which supports required credential type
for (UserFederationProvider fedProvider : fedProviders) {
    if (fedProvider.getSupportedCredentialTypes().contains(cred.getType())) {
        providerSupportingCreds = fedProvider;
        break;
    }
}</pre></div>
          <div style="margin-top:3pt;margin-bottom:3pt;"><font
              face="Times New Roman" size="2"><span
                style="font-size:11pt;"> </span></font></div>
          <div>In case of kerberos the federation provider could be
            chosen based on the kerberos realm in the ticket and the
            configured kerberos realm.<br>
          </div>
          <div><font size="2"><span style="font-size:11pt;">Can I just
                create an issue of type <font size="2"><span
                    style="font-size:10pt;">enhancement </span></font>in
                jira?</span></font></div>
        </span></font></blockquote>
    <font size="2"><font face="Arial">Yes,<font face="Times New Roman">
          feel free to create a JIRA for that.</font></font></font><font
      face="Times New Roman" size="2"><span style="font-size:11pt;"> <br>
        <br>
        Marek<br>
      </span></font>
    <blockquote
cite="mid:3835837561142448A72F035FFA6D0BAD010010F4B7@bisrv1040.ad.bedag.ch"
      type="cite"><font face="Arial" size="2"><span
          style="font-size:10pt;">
          <div><font size="2"><span style="font-size:11pt;">Marcus</span></font></div>
        </span></font>
    </blockquote>
    <br>
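    <div>The realm-based selection proposed in the quoted message, sketched as an added example that is not part of the original thread and is not Keycloak code. FedProvider, its fields and select() are hypothetical names, and the sketch assumes the caller has already read the realm from the ticket. A ticket realm that matches no configured provider is rejected rather than handed to a provider for a different realm.</div>
<pre wrap="">
```java
// Added illustration: FedProvider and select() are hypothetical, not Keycloak classes.
public class RealmProviderSelection {

    static final class FedProvider {
        final String name;
        final String credentialType;  // credential type this provider supports
        final String kerberosRealm;   // configured realm, null if Kerberos is not configured

        FedProvider(String name, String credentialType, String kerberosRealm) {
            this.name = name;
            this.credentialType = credentialType;
            this.kerberosRealm = kerberosRealm;
        }
    }

    // byPriority is ordered by provider priority. ticketRealm is the realm the caller
    // read from the ticket (assumption), or null when the credential carries no realm.
    static FedProvider select(FedProvider[] byPriority, String credType, String ticketRealm) {
        for (FedProvider p : byPriority) {
            if (!credType.equals(p.credentialType)) {
                continue;
            }
            if (ticketRealm == null) {
                return p;  // no realm to match on: first supporting provider, as in the quoted loop
            }
            if (ticketRealm.equals(p.kerberosRealm)) {
                return p;  // exact match, realm names are case-sensitive
            }
        }
        return null;  // no provider configured for this realm: fail closed
    }

    public static void main(String[] args) {
        // Constructed sample configuration: two Kerberos-enabled providers, two realms.
        FedProvider[] providers = {
            new FedProvider("ldap-a", "kerberos", "A.EXAMPLE.ORG"),
            new FedProvider("ldap-b", "kerberos", "B.EXAMPLE.ORG"),
        };
        System.out.println(select(providers, "kerberos", "B.EXAMPLE.ORG").name);
        System.out.println(select(providers, "kerberos", null).name);
        System.out.println(select(providers, "kerberos", "C.EXAMPLE.ORG"));
    }
}
```
</pre>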
  </body>
</html>