[keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Chris Smith chris.smith at cmfirstgroup.com
Wed Jan 23 09:11:40 EST 2019


Here is a diagram of what I'm trying to do.

From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active Directory domain

I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.

I can get a Delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
When the browser workstation is not a member of the AD domain, Keycloak will authenticate the user ID and password entered on the Keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.

I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.  My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).

Less than 1% of the users will be using browsers on workstations in the Active Directory domain.

Can Keycloak put a GSSCredential for the logged-in user in the Access Token when SPNEGO is not available from the browser?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: FMS_SSO.png
Type: image/png
Size: 39969 bytes
Desc: FMS_SSO.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190123/3426c781/attachment-0001.png 

