[keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
Chris Smith
chris.smith at cmfirstgroup.com
Wed Jan 23 09:08:02 EST 2019
I have set up my servlet to authenticate a user to my web app using Keycloak Active Directory LDAP user federation.
I can get a Delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the Keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
Can Keycloak put a GSSCredential for the logged-in user in the Access Token when SPNEGO is not available from the browser?