<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span>Well, without support for external authentication, I am wondering how big organizations that have already invested in Kerberos/SecurID etc, would use this product? Typically, the Federation products like Ping,OpenAM etc provide hooks for multiple stores to:</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>1) Support Kerberos or SecureID or other authentication and retrieve the user principal </span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>2) Retrieve user
meta data from LDAP using that principal and </span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>3) Use the user meta data to customize the claims or userinfo.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>I was hoping to see the above features in this product, given that Keycloak already supports OpenID Connect (along with support for CORS, javascript and future support for mobile devices) and it can act as an
Identity provider (OP). Perhaps Keycloak can synchronize all the user information from stores like LDAP but it would still need a hook to plug in external authentication</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>BTW I suggested realm to authetication mapping because different applications in an organization have different authentication requirements (some apps require SecuriID,some Kerberos etc) and those applications can be mapped to the realm that uses an authentication mechanism that they require.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px;
font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span><br></span></div><div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 16px;"> <div dir="ltr"> <font size="2" face="Arial"> On Saturday, October 11, 2014 10:29 AM, Bill Burke <bburke@redhat.com> wrote:<br> </font> </div> <br><br> <div class="y_msg_container">What you describe would work only if you treat Keycloak solely as an <br>identity store and wrote a login module that uses Keycloak admin <br>interface to obtain principal and role mapping information. Then there <br>is the issue of getting the Kerberos server and
Keycloak using the same <br>user database. Then for this particular idea, you start to wonder if <br>using Keycloak is any benefit.<br><br>On 10/11/2014 9:54 AM, prab rrrr wrote:<br>> Wildfly makes a number of login modules available as a part of the<br>> Security sub system that include SPNEGO (see the link below). Since<br>> Keycloak supports defining new Realms, if you can provide some hooks to<br>> map the newly defined Realms to the Security sub system, I think it<br>> would address the issue. Picketlink examples shed some light on how it<br>> can be done.<br>><br>> <a href="https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration" target="_blank">https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration</a><br>><br>><br>> On Saturday, October 11, 2014 8:53 AM, Bill Burke <<a ymailto="mailto:bburke@redhat.com"
href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br>><br>><br>> Kerberos is on our roadmap as there's some other Red Hat kerberos<br>> products we need to integrate wit. I don't understand Kerberos deep<br>> enough yet to know exactly what or how we would do it. My current<br>> thought that the Keycloak auth server would be a secured Kerberos<br>> service and become a bridge between kerberos and SAML or OpenID Connect.<br>><br>> On 10/10/2014 5:24 PM, Raghuram wrote:<br>> > Can I put in an enhancement request for at least some hooks as I am<br>> not sure how a custom federation provider could be written for SPNEGO<br>> negotiation. This feature will be useful for all organizations that<br>> invested in Kerberos infrastructure.<br>> ><br>> >> On Oct 10, 2014, at 5:11 PM, Bill Burke <<a ymailto="mailto:bburke@redhat.com"
href="mailto:bburke@redhat.com">bburke@redhat.com</a><br>> <mailto:<a ymailto="mailto:bburke@redhat.com" href="mailto:bburke@redhat.com">bburke@redhat.com</a>>> wrote:<br>> >><br>> >> we don't support kerberos.<br>> >><br>> >>> On 10/10/2014 5:06 PM, Raghuram wrote:<br>> >>><br>> >>>> Has anyone tried out SPNEGO (Kerberos) authentication with key cloak<br>> >>>> 1.0.2? If so, appreciate any input on how it can be achieved?<br>> >>><br>> >>> Sent from my iPhone<br>> >>><br>> >>><br>> >>> _______________________________________________<br>> >>> keycloak-user mailing list<br>> >>> <a ymailto="mailto:keycloak-user@lists.jboss.org"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a ymailto="mailto:keycloak-user@lists.jboss.org" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>> >>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>> >><br>> >> --<br>> >> Bill Burke<br>> >> JBoss, a division of Red Hat<br>> >> <a href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com/</a><br>><br>> >> _______________________________________________<br>> >> keycloak-user mailing list<br>> >> <a ymailto="mailto:keycloak-user@lists.jboss.org" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a> <mailto:<a
ymailto="mailto:keycloak-user@lists.jboss.org" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>> >> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>><br>> --<br>> Bill Burke<br>> JBoss, a division of Red Hat<br>> <a href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com/</a><br>><br>><br><br>-- <br>Bill Burke<br>JBoss, a division of Red Hat<br><a href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com</a><br><br><br></div> </div> </div> </div> </div></body></html>