<div dir="ltr">Bill - How about combining option 2 and 3. We use Keycloak as a bridge between our application and <span style="font-family:arial,sans-serif;font-size:13px">Kerberos and then we also use Keycloak as a backend identity store. The use case that I am thinking is that we use the bridge only for SSO authentication and for authorization we can assign users to roles in Keycloak and get all the other goodness of Keycloak.</span><div><br></div><div>Also not sure why our application servers need to talk SAML or OpenID Connect, if JBoss/Wildfly has support for SPNEGO.</div><div><br></div><div>I am thinking of something like if we configure our application in Keycloak as requiring SPNEGO, then when a request is made to our application, Keycloak will intercept it and respond with a 401 Access Denied, WWW-Authenticate: Negotiate response. This in turn will trigger the browser to <span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12px;line-height:14px">re-send the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate token header and Keycloak uses it to pass it via the JBoss/Wildfly security domain. </span></div><div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12px;line-height:14px"><br></span></div><div><span style="color:rgb(0,0,0);font-family:arial,helvetica,sans-serif;font-size:12px;line-height:14px">As you can see, you don't really need to integrate all the way back to a </span><font face="arial, sans-serif">Kerberos server but only to JBoss/Wildfly. Yes this does not cover all scenarios and is dependent on JBoss/Wildfly but at least this would be a start for people who use the entire JBoss/Wildfly stack.</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">BTW, there also seems to be a Jira ticket pending for SPNEGO support in WildFly. 
<a href="https://issues.jboss.org/browse/WFLY-2553" target="_blank">https://issues.jboss.org/browse/WFLY-2553</a> So not sure if Wildfly still has SPNEGO support.</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Not sure if what I am saying makes sense as I am also not an expert in SPNEGO but just thought of throwing this idea out there.</font></div><div><font face="arial, sans-serif"><br></font></div><div class="gmail_extra">Prab - Thanks for pointing out the Federation API. Will have a look to see if this can do what I indicated above.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 13, 2014 at 1:15 AM, prab rrrr <span dir="ltr"><<a href="mailto:prabhalar@yahoo.com" target="_blank">prabhalar@yahoo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"><div><span><span style="font-family:monospace;font-size:13px">Bill - To your Point No 2) - Why limit Keycloak to be a bridge to just Kerberos Server? Extending it to other mechanisms like Radius/SecurID and providing support for Multi factor authentication would make Keycloak a true Federation product. </span></span></div><div style="color:rgb(0,0,0);font-size:13px;font-family:monospace;font-style:normal;background-color:transparent"><span><span style="font-family:monospace;font-size:13px"><br></span></span></div><div style="color:rgb(0,0,0);font-size:13px;font-family:monospace;font-style:normal;background-color:transparent"><span><span style="font-family:monospace;font-size:13px">Travis - As you pointed out, SPNEGO support is a major requirement and even I am not clear how to make it happen. 
If you have other requirements then perhaps the Federation API in Keycloak can be used to make it a bridge to other authentications like SecurID and MIT Kerberos.</span></span></div><div><div class="h5"><div style="color:rgb(0,0,0);font-size:13px;font-family:monospace;font-style:normal;background-color:transparent"><span><span style="font-family:monospace;font-size:13px"><br></span></span></div><div style="color:rgb(0,0,0);font-size:13px;font-family:monospace;font-style:normal;background-color:transparent"><span><br></span></div> <div><br><br></div><div style="display:block"> <div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"> <div style="font-family:HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif;font-size:16px"> <div dir="ltr"> <font face="Arial"> On Sunday, October 12, 2014 8:36 AM, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:<br> </font> </div> <br><br> <div>JBoss/Wildfly has had SPNEGO/Kerberos support for I think like 8-9 <br clear="none">years? This is the original project:<br clear="none"><br clear="none"><a shape="rect" href="https://developer.jboss.org/wiki/JBossNegotiation" target="_blank">https://developer.jboss.org/wiki/JBossNegotiation</a><br clear="none"><br clear="none">I don't know enough about it or Kerberos to know if it has single log <br clear="none">out too. 
As for Keycloak's relationship to Kerberos, I see 4 things <br clear="none">happening:<br clear="none"><br clear="none">1) You don't use Keycloak as you already have SSO with an existing <br clear="none">Kerberos deployment<br clear="none">2) Your application servers talk SAML or OpenID Connect and Keycloak <br clear="none">becomes a bridge between the Kerberos server and your applications<br clear="none">3) You authenticate using your existing Kerberos architecture and <br clear="none">Keycloak becomes a back end identity store.<br clear="none">4) Keycloak becomes a Kerberos Server.<br clear="none"><br clear="none">Due to non-technical reasons, #4 is the least likely to happen. If you <br clear="none">have any other ideas on integration points let me know.<br clear="none"><br clear="none"><br clear="none"><br clear="none">On 10/11/2014 5:43 PM, Travis De Silva wrote:<br clear="none">> I thought with SPNEGO/Kerberos we can achieve true SSO. Most large<br clear="none">> organisations are on a Windows environment and what these organisations<br clear="none">> want is once you authenticate to the corporate desktop, you should be<br clear="none">> able to then also access other applications without having to go through<br clear="none">> the login process. wonder how we can achieve this with KeyCloak?<br clear="none">><br clear="none">> On Sun, Oct 12, 2014 at 2:29 AM, Bill Burke <<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a><br clear="none">> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>> wrote:<br clear="none">><br clear="none">> Keycloak is an IDP server. It is not an adapter project for<br clear="none">> JBoss/Wildfly distributions. There's already a lot of great adapters to<br clear="none">> integrate your JBoss/Wildfly distributions to use SPNEGO and SAML. 
We<br clear="none">> already support federation with LDAP/AD for storage and authentication,<br clear="none">> OpenIDConnect and SAML as our auth protocols. The only thing on the<br clear="none">> roadmap for Kerberos is to make Keycloak to be a Kerberos to SAML/OpenID<br clear="none">> Connect bridge. It could be possible to poach or merge with Apache DS<br clear="none">> so that Keycloak could become a full Kerberos server too, but there are<br clear="none">> additional non-technical obstacles from us putting this option in our<br clear="none">> roadmap that I'd rather not discuss.<br clear="none">><br clear="none">> But anyways, Keycloak doesn't use JAAS login modules on the IDP server<br clear="none">> side. On the client side doesn't make sense either as Keycloak only<br clear="none">> talks OpenIDConnect and SAML (in
master).<br clear="none">><br clear="none">> On 10/11/2014 11:10 AM, prab rrrr wrote:<br clear="none">> > Well, without support for external authentication, I am wondering how<br clear="none">> > big organizations that have already invested in Kerberos/SecurID etc,<br clear="none">> > would use this product? Typically, the Federation products like<br clear="none">> > Ping,OpenAM etc provide hooks for multiple stores to:<br clear="none">> > 1) Support Kerberos or SecureID or other authentication and<br clear="none">> retrieve the<br clear="none">> > user principal<br clear="none">> > 2) Retrieve user meta data from LDAP using that principal and<br clear="none">> > 3) Use the user meta data to customize the claims or userinfo.<br clear="none">> ><br clear="none">> > I was hoping to see the above features in this product, given that<br clear="none">> > Keycloak already supports OpenID Connect (along with support for<br clear="none">> CORS,<br clear="none">> > javascript and future support for mobile devices) and it can act<br clear="none">> as an<br clear="none">> > Identity provider (OP). 
Perhaps Keycloak can synchronize all the user<br clear="none">> > information from stores like LDAP but it would still need a hook<br clear="none">> to plug<br clear="none">> > in external authentication<br clear="none">> ><br clear="none">> > BTW I suggested realm to authentication mapping because different<br clear="none">> > applications in an organization have different authentication<br clear="none">> > requirements (some apps require SecurID, some Kerberos etc) and those<br clear="none">> > applications can be mapped to the realm that uses an authentication<br clear="none">> > mechanism that they require.<br clear="none">> ><br clear="none">> ><br clear="none">> ><br clear="none">> > On Saturday, October 11, 2014 10:29 AM, Bill Burke<br clear="none">> <<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>><br clear="none">> > wrote:<br clear="none">> ><br clear="none">> ><br clear="none">> > What you describe would work only if you treat Keycloak solely as an<br clear="none">>
> identity store and wrote a login module that uses Keycloak admin<br clear="none">> > interface to obtain principal and role mapping information. Then there<br clear="none">> > is the issue of getting the Kerberos server and Keycloak using the same<br clear="none">> > user database. Then for this particular idea, you start to wonder if<br clear="none">> > using Keycloak is any benefit.<br clear="none">> ><br clear="none">> > On 10/11/2014 9:54 AM, prab rrrr wrote:<br clear="none">> > > Wildfly makes a number of login modules available as a part of the<br clear="none">> > > Security sub system that include SPNEGO (see the
link below). Since<br clear="none">> > > Keycloak supports defining new Realms, if you can provide some hooks to<br clear="none">> > > map the newly defined Realms to the Security sub system, I think it<br clear="none">> > > would address the issue. Picketlink examples shed some light on how it<br clear="none">> > > can be done.<br clear="none">> > ><br clear="none">> > ><br clear="none">> ><a shape="rect" href="https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration" target="_blank">https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration</a><br clear="none">> > ><br clear="none">> > ><br clear="none">> > > On Saturday, October 11, 2014 8:53 AM, Bill Burke <<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br clear="none">> > <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>>> wrote:<br clear="none">> > ><br clear="none">>
> ><br clear="none">> > > Kerberos is on our roadmap as there's some other Red Hat kerberos<br clear="none">> > > products we need to integrate with. I don't understand Kerberos deep<br clear="none">> > > enough yet to know exactly what or how we would do it. My current<br clear="none">> > > thought is that the Keycloak auth server would be a secured Kerberos<br clear="none">> > > service and become a bridge between kerberos and SAML or OpenID Connect.<br clear="none">> > ><br clear="none">> > > On 10/10/2014 5:24 PM, Raghuram wrote:<br clear="none">> > >
> Can I put in an enhancement request for at least some hooks as I am<br clear="none">> > > not sure how a custom federation provider could be written for SPNEGO<br clear="none">> > > negotiation. This feature will be useful for all organizations that<br clear="none">> > > invested in Kerberos infrastructure.<br clear="none">> > > ><br clear="none">> > > >> On Oct 10, 2014, at 5:11 PM, Bill Burke <<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br clear="none">> > <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>><br clear="none">> > > <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br clear="none">> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a> <mailto:<a shape="rect" href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>>>> wrote:<br clear="none">> > > >><br clear="none">> > > >> we don't support kerberos.<br clear="none">> > > >><br clear="none">> > > >>> On 10/10/2014 5:06 PM, Raghuram wrote:<br clear="none">> > > >>><br clear="none">> > > >>>> Has anyone tried out SPNEGO (Kerberos) authentication with key<br clear="none">> > cloak<br clear="none">> > > >>>> 1.0.2? If so, appreciate any input on how it can be achieved?<br clear="none">>
> > >>><br clear="none">> > > >>> Sent from my iPhone<br clear="none">> > > >>><br clear="none">> > > >>><br clear="none">> > > >>> _______________________________________________<br clear="none">> > > >>> keycloak-user mailing list<br clear="none">> > > >>><a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br clear="none">> > <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>>><br clear="none">> > <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br clear="none">> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br clear="none">>
> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>>>><br clear="none">> > > >>><a shape="rect" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">> > > >><br clear="none">> > > >> --<br clear="none">> > > >> Bill Burke<br clear="none">> > > >>
JBoss, a division of Red Hat<br clear="none">> > > >><a shape="rect" href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com/</a><br clear="none">> > ><br clear="none">> > > >> _______________________________________________<br clear="none">> > > >> keycloak-user mailing list<br clear="none">> > > >><a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br clear="none">> > <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>>><br clear="none">> > <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br clear="none">> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br clear="none">> > <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>>>><br clear="none">> > > >><a shape="rect" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">> > ><br clear="none">> > > --<br clear="none">> > > Bill Burke<br clear="none">> > > JBoss, a division of Red Hat<br clear="none">> >
><a shape="rect" href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com/</a><br clear="none">> > ><br clear="none">> > ><br clear="none">> ><br clear="none">> > --<br clear="none">> > Bill Burke<br clear="none">> > JBoss, a division of Red Hat<br clear="none">> > <a shape="rect" href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com </a><<a shape="rect" href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com/</a>><div><br clear="none">> ><br clear="none">> ><br clear="none">><br clear="none">> --<br clear="none">> Bill Burke<br clear="none">> JBoss, a division of Red Hat<br clear="none">> <a shape="rect" href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com</a><br clear="none">> _______________________________________________<br clear="none">> keycloak-user mailing list<br clear="none">> <a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a> <mailto:<a shape="rect" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br clear="none">> <a shape="rect" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">><br clear="none">><br clear="none"><br clear="none">-- <br clear="none">Bill Burke<br clear="none">JBoss, a division of Red Hat<br clear="none"><a shape="rect" href="http://bill.burkecentral.com/" target="_blank">http://bill.burkecentral.com</a><br clear="none"></div><br><br></div> </div> </div> </div> </div></div></div></div></blockquote></div><br></div></div>
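The two-leg exchange Travis sketches at the top of the thread (the server answers an unauthenticated request with 401 and WWW-Authenticate: Negotiate, the browser retries with an Authorization: Negotiate token, and the token is handed to the security domain) as an added illustrative example. This is not Keycloak's, WildFly's or any poster's code: the function names, the `demo_acceptor` stand-in for the GSS-API acceptor behind the security domain, and the sample token bytes are all constructed for this example. It also shows the check a Kerberos-only acceptor wants before handing the token on, which the thread does not spell out: inspecting the GSS-API mechanism OID so that a raw NTLMSSP token arriving under the same Negotiate scheme is refused rather than parsed as Kerberos.

```python
import base64
import binascii

# Mechanism OIDs in DER encoding (RFC 4178 SPNEGO, RFC 4121 Kerberos V5).
OID_SPNEGO = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                # raw NTLM token, not GSS-API framed
CHALLENGE = {"WWW-Authenticate": "Negotiate"}     # leg 1 of the RFC 4559 exchange


def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def gss_frame(mech_oid: bytes, inner: bytes) -> bytes:
    """Wrap a payload as an RFC 2743 InitialContextToken: 0x60 <len> 0x06 <len> <oid> <inner>."""
    body = b"\x06" + _der_length(len(mech_oid)) + mech_oid + inner
    return b"\x60" + _der_length(len(body)) + body


def gss_mechanism(raw: bytes):
    """Classify a decoded Negotiate token: 'spnego', 'krb5', 'ntlm' or None."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if len(raw) < 2 or raw[0] != 0x60:
        return None
    i = 1
    if raw[i] & 0x80:                       # long-form length: skip its length bytes
        i += 1 + (raw[i] & 0x7F)
    else:
        i += 1
    if i + 2 > len(raw) or raw[i] != 0x06:  # an OBJECT IDENTIFIER must follow
        return None
    oid_len = raw[i + 1]
    oid = raw[i + 2 : i + 2 + oid_len]
    if oid == OID_SPNEGO:
        return "spnego"
    if oid == OID_KRB5:
        return "krb5"
    return None


def handle_request(headers: dict, acceptor):
    """One leg of the Negotiate exchange. Returns (status, response_headers, principal)."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return 401, dict(CHALLENGE), None          # leg 1: challenge the browser
    scheme, _, encoded = auth.partition(" ")
    if scheme != "Negotiate":
        return 401, dict(CHALLENGE), None          # e.g. Basic: not the scheme we asked for
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return 400, {}, None                       # malformed token, no retry hint
    mech = gss_mechanism(raw)
    if mech not in ("spnego", "krb5"):
        # A browser holding no Kerberos ticket may send a raw NTLMSSP token under the
        # same Negotiate scheme; a Kerberos-only acceptor refuses it instead of parsing
        # it. (NTLM can also be listed inside the SPNEGO wrapper's mechTypes, which
        # this framing check does not inspect; a full acceptor checks that too.)
        return 401, dict(CHALLENGE), None
    principal = acceptor(raw)                      # hand the token to the security domain
    if principal is None:
        return 401, dict(CHALLENGE), None
    return 200, {}, principal


# Constructed sample data for the example; not a real ticket or NTLM message.
SAMPLE_SPNEGO_TOKEN = gss_frame(OID_SPNEGO, b"\xa0\x03\x02\x01\x00")   # dummy NegTokenInit body
SAMPLE_NTLM_TOKEN = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00"             # dummy NEGOTIATE_MESSAGE


def demo_acceptor(token: bytes):
    """Constructed stand-in for the GSS-API acceptor (the WildFly security domain in
    the thread). A real acceptor validates the service ticket against its keytab;
    this one only recognises the constructed sample token."""
    return "alice@EXAMPLE.COM" if token == SAMPLE_SPNEGO_TOKEN else None


def negotiate_header(token: bytes) -> dict:
    """Build the header the browser sends on leg 2."""
    return {"Authorization": "Negotiate " + base64.b64encode(token).decode("ascii")}


if __name__ == "__main__":
    print(handle_request({}, demo_acceptor))                                      # leg 1: 401 + challenge
    print(handle_request(negotiate_header(SAMPLE_SPNEGO_TOKEN), demo_acceptor))   # leg 2: 200 + principal
    print(handle_request(negotiate_header(SAMPLE_NTLM_TOKEN), demo_acceptor))     # NTLM refused: 401
```

The status/header tuple stands in for whatever the intercepting layer actually emits; the point is the ordering: challenge first, decode and classify the mechanism second, and only then let the security domain see the bytes.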