[keycloak-user] SPNEGO with Keycloak

Raghuram prabhalar at yahoo.com
Mon Oct 13 11:35:46 EDT 2014



Sent from my iPhone

> On Oct 13, 2014, at 10:30 AM, Bill Burke <bburke at redhat.com> wrote:
> 
> 
> 
>> On 10/12/2014 8:53 PM, Travis De Silva wrote:
>> Bill - How about combining option 2 and 3. We use Keycloak as a bridge
>> between our application and Kerberos and then we also use Keycloak as a
>> backend identify store. The use case that I am thinking is that we use
>> the bridge only for SSO authentication and for authorization we can
>> assign users to roles in Keycloak and get all the other goodness of
>> Keycloak.
> 
> That works too.
> 
>> Also not sure why our application servers need to talk SAML or OpenID
>> Connect. If JBoss/Wildfly has support for Spengo.
> 
> Depends on if your kerberos server supports session management, single log out.  Again, I don't know enough about kerberos to answer that question
Session management with clustering on the key cloak side would be great
> 
>> I am thinking of something like if we configure our application in
>> Keycloak as requiring Spengo, then when a request is made to our
>> application, Keycloak will intercept it and respond with a 401 Access
>> Denied, WWW-Authenticate: Negotiate response. This in turn will trigger
>> the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token
>> in an Authorization: Negotiate token header and Keycloak uses it to pass
>> it via the JBoss/Wildfly security domain.
>> 
>> As you can see, you don't really need to integrate all the way back to a
>> Kerberos server but only to JBoss/Wildfly. Yes this does not cover
>> all scenarios and is dependent on JBoss/Wildfly but at least this would
>> be a start for people who use the entire JBoss/Wildfly stack.
> 
> What you're describing, I think, is the bridge I want to build.  User get's authenticated via kerberos at the Keycloak server.  Application uses SAML or OpenID Connect and gets a token it can understand and use for REST invocations, etc.

Perfect. SAML and Openid connect compatibility is what even I am looking for as it will take care of current as well as future requirements. The only other feature that I would request is a hook (JAAS module?) to plugin other authentication systems like secureid in addition to SPNEGO. 

Bill - how about including this request  in your queue?

>> BTW, there also seem to be a Jira ticket pending for Spengo support in
>> WildFly. https://issues.jboss.org/browse/WFLY-2553 So not sure if
>> Wildfly still has Spengo support.
> 
> Might be true.   JBoss Negotiation might not have been ported to Undertow yet.
> 
> 
> 
> -- 
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com



More information about the keycloak-user mailing list