<div dir="ltr">great discussion. Now its up to Bill and the cool Keycloak folks to schedule this in one of their planned releases. Bill any idea which release this might get implemented?<div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 14, 2014 at 3:30 AM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
<br>
On 10/13/2014 11:35 AM, Raghuram wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
Sent from my iPhone<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Oct 13, 2014, at 10:30 AM, Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:<br>
<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 10/12/2014 8:53 PM, Travis De Silva wrote:<br>
Bill - How about combining option 2 and 3. We use Keycloak as a bridge<br>
between our application and Kerberos and then we also use Keycloak as a<br>
backend identify store. The use case that I am thinking is that we use<br>
the bridge only for SSO authentication and for authorization we can<br>
assign users to roles in Keycloak and get all the other goodness of<br>
Keycloak.<br>
</blockquote>
<br>
That works too.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Also not sure why our application servers need to talk SAML or OpenID<br>
Connect. If JBoss/Wildfly has support for Spengo.<br>
</blockquote>
<br>
Depends on if your kerberos server supports session management, single log out. Again, I don't know enough about kerberos to answer that question<br>
</blockquote>
Session management with clustering on the key cloak side would be great<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am thinking of something like if we configure our application in<br>
Keycloak as requiring Spengo, then when a request is made to our<br>
application, Keycloak will intercept it and respond with a 401 Access<br>
Denied, WWW-Authenticate: Negotiate response. This in turn will trigger<br>
the browser to re-send the HTTP GET request + the Negotiate SPNEGO Token<br>
in an Authorization: Negotiate token header and Keycloak uses it to pass<br>
it via the JBoss/Wildfly security domain.<br>
<br>
As you can see, you don't really need to integrate all the way back to a<br>
Kerberos server but only to JBoss/Wildfly. Yes this does not cover<br>
all scenarios and is dependent on JBoss/Wildfly but at least this would<br>
be a start for people who use the entire JBoss/Wildfly stack.<br>
</blockquote>
<br>
What you're describing, I think, is the bridge I want to build. User get's authenticated via kerberos at the Keycloak server. Application uses SAML or OpenID Connect and gets a token it can understand and use for REST invocations, etc.<br>
</blockquote>
<br>
Perfect. SAML and Openid connect compatibility is what even I am looking for as it will take care of current as well as future requirements. The only other feature that I would request is a hook (JAAS module?) to plugin other authentication systems like secureid in addition to SPNEGO.<br>
<br>
Bill - how about including this request in your queue?<br>
</blockquote>
<br></div></div>
You can already delegate credential validation using our User Federation SPI. As far as pluggable auth mechanisms, we already have cert-auth and kerberos on the roadmap which would require such an SPI. IMO, there are really 2 authentication mechanisms: one requiring user input processing (passwords, otp, etc.), those that don't require user input processing (cert-auth, kerberos, SAML/OIDC based federation, etc.). There would end up being 2 SPIs for both.<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
-- <br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</div></div></blockquote></div><br></div>