[keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Dmitry Telegin dt at acutus.pro
Mon Jan 28 01:21:06 EST 2019


Hello Chris,

AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of a Kerberos context, e.g. via pure LDAP authentication.

Cheers,
Dmitry

On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
> 
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
> 
> Here is a Diagram of what I'm trying to do
> 
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active Directory domain
> 
> I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.
> 
> I can get a Delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
> When the browser workstation is not a member of the AD domain, Keycloak will authenticate the user id and password entered on the Keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
> 
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.  My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
> 
> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
> 
> Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser?
> 