<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span></span></div><div id="yui_3_16_0_1_1423487107097_2892" dir="ltr">I think that would satisfy my requirements - but not sure until I see that bridge along with the Identity broker functionality in the next beta release - eagerly waiting for it.</div><div id="yui_3_16_0_1_1423487107097_2881" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1423487107097_2880" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1423487107097_2879" dir="ltr"> <hr size="1" id="yui_3_16_0_1_1423487107097_2894"> <font id="yui_3_16_0_1_1423487107097_2878" face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Bill Burke <bburke@redhat.com><br> <b><span style="font-weight: bold;">To:</span></b> keycloak-user@lists.jboss.org <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, February 6, 2015 10:21 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [keycloak-user] Keycloak 1.1.0.Final Released<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1423487107097_2909"><br>Keycloak won't be a kerberos server any time soon, if ever. We are <br clear="none">creating a SAML/OIDC to kerberos bridge though.<br clear="none"><br clear="none">On 1/30/2015 10:52 AM, Raghu Prabhala wrote:<br clear="none">> Unfortunately yes. Kerberos is deeply ingrained in most of internal applications/processes. While we can ask any new applications to use certificates, we have to support Kerberos.<br clear="none">><br clear="none">> If that is not something that you will support, probably identity brokering would help. I can write a Kerberos broker as long as it is given control ( need http request) immediately by Keycloak, perhaps I can handle both authentication with key tabs (for system accts) as well as SPNEGO for users<br clear="none">><br clear="none">> Sent from my iPhone<br clear="none">><br clear="none">>> On Jan 30, 2015, at 9:01 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br clear="none">>><br clear="none">>><br clear="none">>><br clear="none">>> ----- Original Message -----<br clear="none">>>> From: "Raghu Prabhala" <<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>><br clear="none">>>> Cc: "keycloak dev" <<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>, "keycloak-user" <<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">>>> Sent: Friday, 30 January, 2015 2:44:14 PM<br clear="none">>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">>>><br clear="none">>>> Great. Looking forward to the 1.2 Beta version.<br clear="none">>>> Regarding the system account support, from my perspective, it is very<br clear="none">>>> important because we have thousands of applications that interact with each<br clear="none">>>> other using system accounts (authentication with Kerberos with keytabs) and<br clear="none">>>> till we have that functionality, we will not be able to consider Keycloak as<br clear="none">>>> a SSO solution even though it is coming out to be a good product. The sooner<br clear="none">>>> we have it, the better. Hopefully, even other users will pitch in to request<br clear="none">>>> that functionality so that you can bump it up in your priority list.<br clear="none">>>> Thanks once again.Raghu<br clear="none">>><br clear="none">>> For your use-case would it have to be Kerberos? Only options we've been considering are certificates and jwt/jws.<br clear="none">>><br clear="none">>>> From: Stian Thorgersen <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>><br clear="none">>>> To: Raghu Prabhala <<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">>>> Cc: keycloak dev <<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>; keycloak-user<br clear="none">>>> <<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">>>> Sent: Friday, January 30, 2015 2:10 AM<br clear="none">>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">>>><br clear="none">>>><br clear="none">>>><br clear="none">>>> ----- Original Message -----<br clear="none">>>>> From: "Raghu Prabhala" <<a href="mailto:prabhalar@yahoo.com" shape="rect" ymailto="mailto:prabhalar@yahoo.com">prabhalar@yahoo.com</a>><br clear="none">>>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>><br clear="none">>>>> Cc: "keycloak dev" <<a href="mailto:keycloak-dev@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>>, "keycloak-user"<br clear="none">>>>> <<a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br clear="none">>>>> Sent: Thursday, January 29, 2015 6:44:11 PM<br clear="none">>>>> Subject: Re: [keycloak-user] Keycloak 1.1.0.Final Released<br clear="none">>>>><br clear="none">>>>> Congrats Keycloak team. A great deal of features in this release - really<br clear="none">>>>> like SAML and clustering.<br clear="none">>>>><br clear="none">>>>> But what I am really looking for is the next release as we need all the<br clear="none">>>>> features you listed -any tentative dates for the beta version?<br clear="none">>>><br clear="none">>>> We might do a beta soon, but that'll only include identity brokering. The<br clear="none">>>> other features will be at least a month away.<br clear="none">>>><br clear="none">>>>><br clear="none">>>>> The functionality provided so far seems to be targeted toward users<br clear="none">>>>> accounts.<br clear="none">>>>> When can we expect support for System accounts (with diff auth mechanisms<br clear="none">>>>> like certificates, Kerberos etc?<br clear="none">>>><br clear="none">>>> Some time this year we aim to have system accounts with certificates, it'll<br clear="none">>>> depend on priorities. We don't have any plans to support Kerberos<br clear="none">>>> authentication with system accounts, but maybe that makes sense to add as<br clear="none">>>> well.<br clear="none">>>><br clear="none">>>><br clear="none">>>><br clear="none">>>>><br clear="none">>>>> Thanks,<br clear="none">>>>> Raghu<br clear="none">>>>><br clear="none">>>>> Sent from my iPhone<br clear="none">>>>><br clear="none">>>>>> On Jan 29, 2015, at 2:11 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com" shape="rect" ymailto="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br clear="none">>>>>><br clear="none">>>>>> The Keycloak team is proud to announce the release of Keycloak<br clear="none">>>>>> 1.1.0.Final.<br clear="none">>>>>> Highlights in this release includes:<br clear="none">>>>>><br clear="none">>>>>> * SAML 2.0<br clear="none">>>>>> * Clustering<br clear="none">>>>>> * Jetty, Tomcat and Fuse adapters<br clear="none">>>>>> * HTTP Security Proxy<br clear="none">>>>>> * Automatic migration of db schema<br clear="none">>>>>><br clear="none">>>>>> We’re already started working on features for the next release. Some<br clear="none">>>>>> exiting features coming soon includes:<br clear="none">>>>>><br clear="none">>>>>> * Identity brokering<br clear="none">>>>>> * Custom user profiles<br clear="none">>>>>> * Kerberos<br clear="none">>>>>> * OpenID Connect interop<br clear="none">>>>>><br clear="none">>>>>> _______________________________________________<br clear="none">>>>>> keycloak-user mailing list<br clear="none">>>>>> <a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">>>>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">>>><br clear="none">>>><br clear="none">><br clear="none">> _______________________________________________<br clear="none">> keycloak-user mailing list<br clear="none">> <a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none">> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br clear="none">><br clear="none"><br clear="none">-- <br clear="none">Bill Burke<br clear="none">JBoss, a division of Red Hat<br clear="none"><a href="http://bill.burkecentral.com/" target="_blank" shape="rect">http://bill.burkecentral.com</a><div class="qtdSeparateBR"><br><br></div><div class="yqt4918247891" id="yqtfd78819"><br clear="none">_______________________________________________<br clear="none">keycloak-user mailing list<br clear="none"><a href="mailto:keycloak-user@lists.jboss.org" shape="rect" ymailto="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br clear="none"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank" shape="rect">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div><br><br></div> </div> </div> </div></body></html>