[keycloak-user] FW: Get a GSSCredential when user browser is not in Active Directory domain

Chris Smith chris.smith at cmfirstgroup.com
Mon Jan 28 06:36:36 EST 2019
Thank you Dmitry

My Keycloak realm is setup for LDAP/Kerberos authentication with a Windows Active Directory domain.

So I am getting a delegated GSSCredential in my AccessToken when I access my Web App from a properly configured browser (SPNEGO) on a workstation in the Windows Active Directory Domain.

If the browser is not configured for SPNEGO or the workstation is not a member of the Windows Active Directory domain, the browser is redirected to the Keycloak login page. After entering a correct user and password, the browser is redirected back to the Web App.
This step is what I need to successfully authenticate a Windows AD user ID/password combination, and it works.
My problem is there is no claim in the AccessToken for a GSSCredential.

I have an absolute requirement for a GSSCredential for that Windows AD User ID/Password.  

The GSSCredential is to be used in the web app to connect to an IBM i (aka AS/400) for calling RPG and COBOL programs.
The IBM i is configured to accept the GSSCredential, and it works when the workstation is a member of the Windows AD domain and the browser is configured for SPNEGO.

Can Keycloak be configured to put a GSSCredential in the AccessToken when Keycloak authenticates the Windows AD User id/Password?

If not, would it be a large effort to add a plugin that would put a GSSCredential in the AccessToken?
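As an added example (not code from this thread or from the Keycloak project), here is the servlet-side lookup of the delegated credential that Keycloak places in the access token after a SPNEGO login, written so that the password-login case described above (no credential claim in the token) is reported explicitly instead of surfacing later as a failed IBM i connection. The class name DelegatedCredentialLookup is made up; it assumes the Keycloak servlet adapter is in use and the client's "gss delegation credential" protocol mapper is enabled.

```java
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.KerberosSerializationUtils;
import org.keycloak.representations.AccessToken;

// Hypothetical helper class (not part of Keycloak) for a servlet protected by the Keycloak adapter.
public final class DelegatedCredentialLookup {

    /** Returns the delegated GSSCredential, or empty when the request was not authenticated by Keycloak
     *  or the login did not go through SPNEGO (e.g. the Keycloak login form on a non-domain workstation). */
    public static Optional<GSSCredential> fromRequest(HttpServletRequest req) {
        if (!(req.getUserPrincipal() instanceof KeycloakPrincipal)) {
            return Optional.empty(); // not authenticated through the Keycloak adapter
        }
        KeycloakSecurityContext ctx =
            ((KeycloakPrincipal<?>) req.getUserPrincipal()).getKeycloakSecurityContext();
        return fromToken(ctx.getToken());
    }

    public static Optional<GSSCredential> fromToken(AccessToken token) {
        // Claim "gss_delegation_credential" (KerberosConstants.GSS_DELEGATION_CREDENTIAL) is only
        // present after a SPNEGO login with delegation; a user id/password login has no ticket to forward.
        Object claim = token.getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
        if (!(claim instanceof String)) {
            return Optional.empty();
        }
        GSSCredential cred = KerberosSerializationUtils.deserializeCredential((String) claim);
        try {
            // Refuse an already expired ticket rather than hand it to the IBM i connection.
            if (cred.getRemainingLifetime() <= 0) {
                return Optional.empty();
            }
        } catch (GSSException e) {
            return Optional.empty();
        }
        return Optional.of(cred);
    }
}
```

A caller that gets an empty Optional knows the session came through the login form and can refuse the IBM i call, or fall back to another credential source, instead of passing a missing claim downstream.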

-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro>
Sent: Monday, January 28, 2019 2:21 PM
To: Chris Smith <chris.smith at cmfirstgroup.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Hello Chris,

AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.

Cheers,
Dmitry

On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
> 
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
> 
> Here is a Diagram of what I'm trying to do
> 
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active Directory domain
> 
> I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.
> 
> I can get a Delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
> When the browser workstation is not a member of the AD domain, Keycloak will authenticate the user id and password entered on the Keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
> 
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.  My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
> 
> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
> 
> Can Keycloak put a GSSCredential for the logged-in user in the Access Token when SPNEGO is not available from the browser?
> 