[keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Marek Posolda mposolda at redhat.com
Mon Jan 28 15:07:05 EST 2019


+1

GSSCredential is used just during SPNEGO authentication. You may 
possibly change the built-in authentication flows or userStorage 
provider, so that after verification with username/password, the 
GSSCredential will be somehow obtained from the JAAS Subject used for 
the authentication (See class KerberosUsernamePasswordAuthenticator for 
the details).

However I am not sure if this is really possible and it will require 
some more deep-dive into the Keycloak codebase and Kerberos 
implementation in JDK... Just a hint...

Marek

On 28/01/2019 07:21, Dmitry Telegin wrote:
> Hello Chris,
>
> AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.
>
> Cheers,
> Dmitry
>
> On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> Does anyone have feedback about getting a delegated GSSCredential?
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
>> Sent: Wednesday, January 23, 2019 10:12 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
>>
>> Here is a Diagram of what I'm trying to do
>>
>> From: Chris Smith
>> Sent: Wednesday, January 23, 2019 8:08 AM
>> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
>> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>>
>> I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.
>>
>> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation in the AD domain.
>> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>>
>> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i.  My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>>
>> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>>
>> Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser?
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
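As an added illustration of the hint above, not code from Keycloak or from anyone in this thread: the JDK pieces Marek points at are a JAAS login through Krb5LoginModule with the username/password that was just verified, followed by creating an initiator GSSCredential inside Subject.doAs on the resulting Subject. The class, the method and the JAAS entry name "krb5-password" are assumptions, and running it needs a reachable KDC plus a krb5.conf for the realm.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Hypothetical helper, not Keycloak code: JAAS password login, then an initiator GSSCredential.
public class PasswordToGssCredential {

    public static GSSCredential acquire(String principal, char[] password) throws Exception {
        // Programmatic JAAS config: Krb5LoginModule driven purely by the supplied password,
        // no ticket cache and no keytab, so nothing is taken from the server's own identity.
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useTicketCache", "false");
                opts.put("storeKey", "false");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        // Answer the login module's prompts with the username/password the flow already checked.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("krb5-password", null, handler, config);
        lc.login();  // AS exchange with the KDC; the Subject now holds the user's TGT
        Subject subject = lc.getSubject();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");  // Kerberos V5 mechanism OID
        // Inside doAs the GSS provider finds the TGT in the Subject and builds an INITIATE_ONLY credential.
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () ->
                GSSManager.getInstance().createCredential(
                        null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY));
    }
}
```

The result is the user's own TGT-backed initiator credential, not a delegated one from GSSContext.getDelegCred(), so the server briefly holds the cleartext password and can afterwards act as that user towards any Kerberos service, not only the IBM i; keep the lifetime short and do not persist the Subject.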