Friday, 24 May 2019, 12:13 a.m.
I can get the Kerberos ticket I need when the KerberosUsernamePasswordAuthenticator performs a User/Password validation.
I have validated that the ticket can be used for IBM EIM (Enterprise Identity Mapping).
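
    // JDK imports used by the two methods below. Base64.encodeBytes is the
    // helper class already used in the original code, not java.util.Base64.
    import java.io.ByteArrayOutputStream;
    import java.io.IOException;
    import java.io.ObjectOutputStream;
    import java.util.Optional;
    import javax.security.auth.Subject;
    import javax.security.auth.kerberos.KerberosTicket;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    public Subject authenticateSubject(String username, String password)
            throws LoginException {
        String principal = getKerberosPrincipal(username);
        logger.debug("Validating password of principal: " + principal);

        // loginContext is a field of the enclosing class.
        loginContext = new LoginContext("does-not-matter", null,
                createJaasCallbackHandler(principal, password),
                createJaasConfiguration());
        loginContext.login();
        logger.debug("Principal " + principal + " authenticated successfully");

        Subject subject = loginContext.getSubject();
        serializeKerberosTicket(subject);
        return subject;
    }

    private void serializeKerberosTicket(Subject subject) {
        // The first KerberosTicket among the subject's private credentials.
        Optional<KerberosTicket> kerbTicket =
                subject.getPrivateCredentials(KerberosTicket.class).stream().findFirst();
        if (kerbTicket.isPresent()) {
            try {
                ByteArrayOutputStream bos = new ByteArrayOutputStream();
                ObjectOutputStream oos = new ObjectOutputStream(bos);
                oos.writeObject(kerbTicket.get());
                oos.flush();
                // The serialized form includes the ticket's session key.
                String serializedKerberosTicket = Base64.encodeBytes(bos.toByteArray());
                // TODO add as a claim
            } catch (IOException e) {
                logger.debug("Kerberos Ticket Serialize failed", e);
            }
        } else {
            logger.debug("Kerberos Ticket was not found in Subject");
        }
    }
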
I tried to follow the SPNEGOAuthenticator, but I got lost.
Is there an easy place to put the String serializedKerberosTicket so it will be added as a claim?
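
The receiving side of such a claim, as an added example that is not part of the original post or of the project's code: whoever reads the claim has to Java-deserialize it, so the sketch below restricts deserialization to the classes a KerberosTicket contains. Assumptions: Java 9 or later, java.util.Base64 in place of the post's Base64 helper, hypothetical class, method and filter names, and a constructed ticket with placeholder bytes.

```java
import java.io.*;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TicketClaimRoundTrip {
    // Allow-list of ticket classes; "!*" rejects the rest. Limits are constructed values.
    static final ObjectInputFilter TICKET_ONLY = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=100000;javax.security.auth.kerberos.*;"
            + "java.util.Date;java.net.InetAddress;java.net.Inet4Address;java.net.Inet6Address;!*");

    // Same steps as serializeKerberosTicket(): Java serialization, then Base64.
    static String encode(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // Receiving side: the claim is untrusted input until the filter has vetted every class.
    static KerberosTicket decode(String claim) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(claim);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(TICKET_ONLY);
            return (KerberosTicket) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed ticket: placeholder bytes, not a real ticket or key.
        Date now = new Date();
        KerberosTicket ticket = new KerberosTicket(new byte[] {0x61, 0x00},
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17, new boolean[32], now, now,
                new Date(now.getTime() + 3_600_000L), null,
                new InetAddress[] {InetAddress.getByAddress(new byte[] {10, 0, 0, 1})});
        System.out.println("accepted: " + decode(encode(ticket)).getClient());
        try {
            decode(encode(new ArrayList<String>()));   // any non-ticket object
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter only constrains which classes are instantiated; the claim still carries the ticket's session key, so the token that holds it needs the same protection as the credential itself.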