<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div class="" style=""><span class="" style=""><span style="font-family: monospace; font-size: 13px;" class="">Bill - To your Point No 2) - Why limit Keycloak to be a bridge to just Kerberos Server? Extending it to other mechanisms like Radius/SecurID and providing support for Multi factor authentication would make Keycloak a true Federation product. </span></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 13px; font-family: monospace; font-style: normal; background-color: transparent;"><span class="" style=""><span style="font-family: monospace; font-size: 13px;" class=""><br></span></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 13px; font-family: monospace; font-style: normal; background-color: transparent;"><span class="" style=""><span
style="font-family: monospace; font-size: 13px;" class="">Travis - As you pointed out, SPNEGO support is a major requirement and even I am not clear how to make it happen. If you have other requirements then perhaps the Federation API in Keycloak can be used to make it a bridge to other authentications like SecurID and MIT Kerberos.</span></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 13px; font-family: monospace; font-style: normal; background-color: transparent;"><span class="" style=""><span style="font-family: monospace; font-size: 13px;" class=""><br></span></span></div><div class="" style="color: rgb(0, 0, 0); font-size: 13px; font-family: monospace; font-style: normal; background-color: transparent;"><span class="" style=""><br class="" style=""></span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida
Grande, sans-serif; font-size: 16px;" class=""> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;" class=""> <div dir="ltr" class="" style=""> <font size="2" face="Arial" class="" style=""> On Sunday, October 12, 2014 8:36 AM, Bill Burke <bburke@redhat.com> wrote:<br class="" style=""> </font> </div> <br class="" style=""><br class="" style=""> <div class="" style="">JBoss/Wildfly has had SPNEGO/Kerberos support for I think like 8-9 <br clear="none" class="" style="">years? This is the original project:<br clear="none" class="" style=""><br clear="none" class="" style=""><a shape="rect" href="https://developer.jboss.org/wiki/JBossNegotiation" target="_blank" class="" style="">https://developer.jboss.org/wiki/JBossNegotiation</a><br clear="none" class="" style=""><br clear="none" class="" style="">I don't know enough about it or Kerberos to know if it has single log <br
clear="none" class="" style="">out too. As for Keycloak's relationship to Kerberos, I see 4 things <br clear="none" class="" style="">happening:<br clear="none" class="" style=""><br clear="none" class="" style="">1) You don't use Keycloak as you already have SSO with an existing <br clear="none" class="" style="">Kerberos deployment<br clear="none" class="" style="">2) Your application servers talk SAML or OpenID Connect and Keycloak <br clear="none" class="" style="">becomes a bridge between the Kerberos server and your applications<br clear="none" class="" style="">3) You authenticate using your existing Kerberos architecture and <br clear="none" class="" style="">Keycloak becomes a back end identity store.<br clear="none" class="" style="">4) Keycloak becomes a Kerberos Server.<br clear="none" class="" style=""><br clear="none" class="" style="">Due to non-technical reasons, #4 is the least likely to happen. If you <br clear="none"
class="" style="">have any other ideas on integration points let me know.<br clear="none" class="" style=""><br clear="none" class="" style="">On 10/11/2014 5:43 PM, Travis De Silva wrote:<br clear="none" class="" style="">> I thought with SPNEGO/Kerberos we can achieve true SSO. Most large<br clear="none" class="" style="">> organisations are on a Windows environment and what these organisations<br clear="none" class="" style="">> want is once you authenticate to the corporate desktop, you should be<br clear="none" class="" style="">> able to then also access other applications without having to go through<br clear="none" class="" style="">> the login process. I wonder how we can achieve this with Keycloak?<br clear="none" class="" style="">><br clear="none" class="" style="">> On Sun, Oct 12, 2014 at 2:29 AM, Bill Burke <<a shape="rect" ymailto="mailto:bburke@redhat.com" href="mailto:bburke@redhat.com" class="" style="">bburke@redhat.com</a>> wrote:<br clear="none" class="" style="">><br clear="none" class="" style="">> Keycloak is an IDP server. It is not an adapter project for<br clear="none" class="" style="">> JBoss/Wildfly distributions. There's already a lot of great adapters to<br clear="none" class="" style="">> integrate your JBoss/Wildfly distributions to use SPNEGO and SAML. We<br clear="none" class="" style="">> already support federation with LDAP/AD for storage and authentication,<br clear="none" class="" style="">> OpenIDConnect and SAML as our auth protocols. The only thing on the<br
clear="none" class="" style="">> roadmap for Kerberos is to make Keycloak to be a Kerberos to SAML/OpenID<br clear="none" class="" style="">> Connect bridge. It could be possible to poach or merge with Apache DS<br clear="none" class="" style="">> so that Keycloak could become a full Kerberos server too, but there are<br clear="none" class="" style="">> additional non-technical obstacles from us putting this option in our<br clear="none" class="" style="">> roadmap that I'd rather not discuss.<br clear="none" class="" style="">><br clear="none" class="" style="">> But anyways, Keycloak doesn't use JAAS login modules on the IDP server<br clear="none" class="" style="">> side. On the client side doesn't make sense either as Keycloak only<br clear="none" class="" style="">> talks OpenIDConnect and SAML (in
master).<br clear="none" class="" style="">><br clear="none" class="" style="">> On 10/11/2014 11:10 AM, prab rrrr wrote:<br clear="none" class="" style="">> > Well, without support for external authentication, I am wondering how<br clear="none" class="" style="">> > big organizations that have already invested in Kerberos/SecurID etc,<br clear="none" class="" style="">> > would use this product? Typically, the Federation products like<br clear="none" class="" style="">> > Ping, OpenAM etc provide hooks for multiple stores to:<br clear="none" class="" style="">> > 1) Support Kerberos or SecurID or other authentication and retrieve the<br clear="none" class="" style="">> > user principal<br clear="none" class="" style="">> > 2) Retrieve user metadata from LDAP using that principal and<br clear="none" class="" style="">> > 3) Use the user metadata to customize the claims or userinfo.<br clear="none" class="" style="">> ><br clear="none" class="" style="">> > I was hoping to see the above features in this product, given that<br clear="none" class="" style="">> > Keycloak already supports OpenID Connect (along with support for CORS,<br clear="none" class="" style="">> > javascript and future support for mobile devices) and it can act as an<br clear="none" class="" style="">> > Identity provider (OP). Perhaps Keycloak can synchronize all the user<br clear="none" class="" style="">> > information from stores like LDAP but it would still need a hook to plug<br clear="none" class="" style="">> > in external authentication.<br clear="none" class="" style="">> ><br clear="none" class="" style="">> > BTW I suggested realm to authentication mapping because different<br clear="none" class="" style="">> > applications in an organization have different authentication<br clear="none" class="" style="">> > requirements (some apps require SecurID, some Kerberos etc) and those<br clear="none" class="" style="">> > applications can be mapped to the realm that uses an authentication<br clear="none" class="" style="">> > mechanism that they require.<br clear="none" class="" style="">> ><br clear="none" class="" style="">> > On Saturday, October 11, 2014 10:29 AM, Bill Burke <<a shape="rect" ymailto="mailto:bburke@redhat.com" href="mailto:bburke@redhat.com" class="" style="">bburke@redhat.com</a>> wrote:<br clear="none" class="" style="">> ><br clear="none" class="" style="">> > What you describe would work only if you treat Keycloak solely as an<br clear="none" class="" style="">>
> identity store and wrote a login module that uses Keycloak admin<br clear="none" class="" style="">> > interface to obtain principal and role mapping information. Then there<br clear="none" class="" style="">> > is the issue of getting the Kerberos server and Keycloak using the same<br clear="none" class="" style="">> > user database. Then for this particular idea, you start to wonder if<br clear="none" class="" style="">> > using Keycloak is any benefit.<br clear="none" class="" style="">> ><br clear="none" class="" style="">> > On 10/11/2014 9:54 AM, prab rrrr wrote:<br clear="none" class="" style="">> > > Wildfly makes a number of login modules available as a part of the<br clear="none" class="" style="">> > > Security sub system that include SPNEGO (see the
link below). Since<br clear="none" class="" style="">> > > Keycloak supports defining new Realms, if you can provide some hooks to<br clear="none" class="" style="">> > > map the newly defined Realms to the Security sub system, I think it<br clear="none" class="" style="">> > > would address the issue. Picketlink examples shed some light on how it<br clear="none" class="" style="">> > > can be done.<br clear="none" class="" style="">> > ><br clear="none" class="" style="">> > ><br clear="none" class="" style="">> ><a shape="rect" href="https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration" target="_blank" class="" style="">https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration</a><br clear="none" class=""
style="">> > ><br clear="none" class="" style="">> > > On Saturday, October 11, 2014 8:53 AM, Bill Burke <<a shape="rect" ymailto="mailto:bburke@redhat.com" href="mailto:bburke@redhat.com" class="" style="">bburke@redhat.com</a>> wrote:<br clear="none" class="" style="">> > ><br clear="none" class="" style="">> > ><br clear="none" class="" style="">> > > Kerberos is on our roadmap as there's some other Red Hat kerberos<br clear="none" class="" style="">> > > products we need to integrate with. I don't understand Kerberos deeply<br clear="none" class="" style="">> > > enough yet to know exactly what or how we would do it. My current<br clear="none" class="" style="">> > > thought is that the Keycloak auth server would be a secured Kerberos<br clear="none" class="" style="">> > > service and become a bridge between kerberos and SAML or OpenID Connect.<br clear="none" class="" style="">> > ><br clear="none" class="" style="">> > > On 10/10/2014 5:24 PM, Raghuram wrote:<br clear="none" class="" style="">> > > > Can I put in an enhancement request for at least some hooks as I am<br clear="none" class="" style="">> > > > not sure how a custom federation provider could be written for SPNEGO<br clear="none" class="" style="">> > > > negotiation. This feature will be useful for all organizations that<br clear="none" class="" style="">> > > > invested in Kerberos infrastructure.<br clear="none" class="" style="">> > > ><br clear="none" class="" style="">> > > >> On Oct 10, 2014, at 5:11 PM, Bill Burke <<a shape="rect" ymailto="mailto:bburke@redhat.com" href="mailto:bburke@redhat.com" class="" style="">bburke@redhat.com</a>> wrote:<br clear="none" class="" style="">> > > >><br clear="none" class="" style="">> > > >> we don't support kerberos.<br clear="none" class="" style="">> > > >><br clear="none" class="" style="">> > > >>> On 10/10/2014 5:06 PM, Raghuram wrote:<br clear="none" class="" style="">> > > >>><br clear="none" class="" style="">> > > >>>> Has anyone tried out SPNEGO (Kerberos) authentication with Keycloak<br clear="none" class="" style="">> > > >>>> 1.0.2? If so, appreciate any input on how it can be achieved?<br clear="none" class="" style="">>
> > >>><br clear="none" class="" style="">> > > >>> Sent from my iPhone<br clear="none" class="" style="">> > > >>><br clear="none" class="" style="">> > > >>> _______________________________________________<br clear="none" class="" style="">> > > >>> keycloak-user mailing list<br clear="none" class="" style="">> > > >>> <a shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org" href="mailto:keycloak-user@lists.jboss.org" class="" style="">keycloak-user@lists.jboss.org</a><br clear="none" class="" style="">> > > >>> <a shape="rect" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" class="" style="">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none" class="" style="">> > > >><br clear="none" class="" style="">> > > >> --<br clear="none" class="" style="">> > > >> Bill Burke<br clear="none" class="" style="">> > > >> JBoss, a division of Red Hat<br clear="none" class="" style="">> > > >> <a shape="rect" href="http://bill.burkecentral.com/" target="_blank" class="" style="">http://bill.burkecentral.com/</a><br clear="none" class="" style="">> > ><br clear="none" class="" style="">> ><br clear="none" class="" style="">><br clear="none" class="" style=""><br clear="none" class="" style="">-- <br clear="none" class="" style="">Bill Burke<br clear="none" class="" style="">JBoss, a division of Red Hat<br clear="none" class="" style=""><a shape="rect" href="http://bill.burkecentral.com/" target="_blank" class="" style="">http://bill.burkecentral.com</a><br clear="none" class="" style=""><br class="" style=""><br class="" style=""></div> </div> </div> </div> </div></body></html>