<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span>Great. Thanks Bill. Deviating from the topic a bit, I found the below websites very useful in understanding spnego/Kerberos authentication.</span></div><div style="color: rgb(0, 0, 0); font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px; font-style: normal; background-color: transparent;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px; font-style: normal; background-color: transparent;"><span><a href="http://dmdaa.wordpress.com/2010/10/16/how-to-obtain-and-authenticate-kerberos-and-spnego-tokens-with-jgss/">How to obtain and authenticate Kerberos and SPNEGO tokens with JGSS</a></span></div><div
style="color: rgb(0, 0, 0); font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px; font-style: normal; background-color: transparent;"><span><a href="https://github.com/spring-projects/spring-security-kerberos">https://github.com/spring-projects/spring-security-kerberos</a></span></div><div style="color: rgb(0, 0, 0); font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px; font-style: normal; background-color: transparent;"><span><br></span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font face="Arial" size="2"> On Monday, October 13, 2014 5:57 PM,
Travis De Silva <traviskds@gmail.com> wrote:<br> </font> </div> <br><br> <div><div id="yiv0265589670"><div><div dir="ltr">great discussion. Now its up to Bill and the cool Keycloak folks to schedule this in one of their planned releases. Bill any idea which release this might get implemented?<div><br clear="none"></div></div><div><br clear="none"><div id="yiv0265589670yqtfd69465"><div>On Tue, Oct 14, 2014 at 3:30 AM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:bburke@redhat.com">bburke@redhat.com</a>></span> wrote:<br clear="none"><blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;"><div><div><br clear="none">
<br clear="none">
On 10/13/2014 11:35 AM, Raghuram wrote:<br clear="none">
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
<br clear="none">
<br clear="none">
Sent from my iPhone<br clear="none">
<br clear="none">
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
On Oct 13, 2014, at 10:30 AM, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank" rel="nofollow" shape="rect" ymailto="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br clear="none">
<br clear="none">
<br clear="none">
<br clear="none">
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
On 10/12/2014 8:53 PM, Travis De Silva wrote:<br clear="none">
Bill - How about combining option 2 and 3. We use Keycloak as a bridge<br clear="none">
between our application and Kerberos and then we also use Keycloak as a<br clear="none">
backend identify store. The use case that I am thinking is that we use<br clear="none">
the bridge only for SSO authentication and for authorization we can<br clear="none">
assign users to roles in Keycloak and get all the other goodness of<br clear="none">
Keycloak.<br clear="none">
</blockquote>
<br clear="none">
That works too.<br clear="none">
<br clear="none">
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
Also not sure why our application servers need to talk SAML or OpenID<br clear="none">
Connect. If JBoss/Wildfly has support for Spengo.<br clear="none">
</blockquote>
<br clear="none">
Depends on if your kerberos server supports session management, single log out. Again, I don't know enough about kerberos to answer that question<br clear="none">
</blockquote>
Session management with clustering on the key cloak side would be great<br clear="none">
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
<br clear="none">
<blockquote style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
I am thinking of something like if we configure our application in<br clear="none">
Keycloak as requiring Spengo, then when a request is made to our<br clear="none">
application, Keycloak will intercept it and respond with a 401 Access<br clear="none">
Denied, WWW-Authenticate: Negotiate response. This in turn will trigger<br clear="none">
the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token<br clear="none">
in an Authorization: Negotiate token header and Keycloak uses it to pass<br clear="none">
it via the JBoss/Wildfly security domain.<br clear="none">
<br clear="none">
As you can see, you don't really need to integrate all the way back to a<br clear="none">
Kerberos server but only to JBoss/Wildfly. Yes this does not cover<br clear="none">
all scenarios and is dependent on JBoss/Wildfly but at least this would<br clear="none">
be a start for people who use the entire JBoss/Wildfly stack.<br clear="none">
</blockquote>
<br clear="none">
What you're describing, I think, is the bridge I want to build. User get's authenticated via kerberos at the Keycloak server. Application uses SAML or OpenID Connect and gets a token it can understand and use for REST invocations, etc.<br clear="none">
</blockquote>
<br clear="none">
Perfect. SAML and Openid connect compatibility is what even I am looking for as it will take care of current as well as future requirements. The only other feature that I would request is a hook (JAAS module?) to plugin other authentication systems like secureid in addition to SPNEGO.<br clear="none">
<br clear="none">
Bill - how about including this request in your queue?<br clear="none">
</blockquote>
<br clear="none"></div></div>
You can already delegate credential validation using our User Federation SPI. As far as pluggable auth mechanisms, we already have cert-auth and kerberos on the roadmap which would require such an SPI. IMO, there are really 2 authentication mechanisms: one requiring user input processing (passwords, otp, etc.), those that don't require user input processing (cert-auth, kerberos, SAML/OIDC based federation, etc.). There would end up being 2 SPIs for both.<div><div><br clear="none">
<br clear="none">
<br clear="none">
-- <br clear="none">
Bill Burke<br clear="none">
JBoss, a division of Red Hat<br clear="none">
<a href="http://bill.burkecentral.com/" target="_blank" rel="nofollow" shape="rect">http://bill.burkecentral.com/</a><br clear="none">
</div></div></blockquote></div><br clear="none"></div></div></div></div><br><br></div> </div> </div> </div> </div></body></html>