I originally asked this on the user list, but I'm making a change to Federation. I had asked about this on the dev list earlier as I started to see how this would work.
I got the Kerberos Ticket and serialized it to a Base64 string. It deserializes to a GSSCredential.
Now I have to put the Base64 token into the access token.
Any guidance?
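One way to carry the ticket from the JAAS Subject through to the token, written here as an added example rather than code from this thread or from Keycloak itself: pick the forwardable TGT out of the Subject, Base64 it with plain Java serialization, and hand the string to Keycloak as a user-session note so the built-in "User Session Note" protocol mapper copies it into the access token as a claim. The reverse direction (string back to a GSSCredential via Subject.doAs) is the same trick Keycloak uses for SPNEGO delegation. Assumptions: the note/claim name gss_delegation_credential is the one Keycloak's stock GSS delegation mapper reads; the class name, KRB5_MECH constant and the sessionNoteValue helper are this example's own; calling setUserSessionNote from a custom authenticator is the integration point Marek's reply points at, not something the thread confirms. Caveat for the defender: the ticket is only forwardable if the KDC issued it that way (krb5.conf forwardable = true for the Krb5LoginModule login), and once it rides in the access token every holder of that token can act as the user on the IBM i, so the token's lifetime and transport protection become part of the Kerberos trust boundary.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;

import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Example (not Keycloak code): KerberosTicket from a JAAS login -> Base64 string
 * -> GSSCredential. Only the note name below is Keycloak-specific, and it is an assumption.
 */
public final class KerberosTicketTransfer {

    /** Kerberos V5 mechanism OID (RFC 1964). */
    private static final Oid KRB5_MECH = krb5Oid();

    /**
     * Assumption: the user-session note that Keycloak's built-in "gss delegation credential"
     * user-session-note mapper copies into the access-token claim of the same name.
     */
    public static final String GSS_DELEGATION_NOTE = "gss_delegation_credential";

    private KerberosTicketTransfer() {}

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Picks a usable TGT out of the Subject that loginContext.login() produced.
     * Returns null when no current, forwardable ticket exists: without a forwardable TGT
     * the IBM i hop cannot act for the user, so there is nothing worth carrying.
     */
    public static KerberosTicket selectDelegableTicket(Subject subject) {
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (ticket.isCurrent() && ticket.isForwardable()) {
                return ticket;
            }
        }
        return null;
    }

    /** KerberosTicket is java.io.Serializable, so Java serialization plus Base64 suffices. */
    public static String toBase64(KerberosTicket ticket) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(ticket);
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    /** Reverse of toBase64(); refuses any payload that is not a KerberosTicket. */
    public static KerberosTicket fromBase64(String encoded) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(encoded);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            Object o = in.readObject();
            if (!(o instanceof KerberosTicket)) {
                throw new IOException("serialized object is not a KerberosTicket");
            }
            return (KerberosTicket) o;
        }
    }

    /**
     * Rebuilds a Subject around the deserialized ticket and asks JGSS for an INITIATE_ONLY
     * credential inside Subject.doAs; the result is the GSSCredential the servlet needs
     * for JDBC or program calls on the IBM i.
     */
    public static GSSCredential toGssCredential(KerberosTicket ticket) throws Exception {
        Set<Object> privateCreds = new HashSet<>();
        privateCreds.add(ticket);
        Subject subject = new Subject(false,
                Collections.singleton(ticket.getClient()), Collections.emptySet(), privateCreds);
        return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () ->
                GSSManager.getInstance().createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY));
    }

    /**
     * Value for a custom authenticator to store with
     * context.getAuthenticationSession().setUserSessionNote(GSS_DELEGATION_NOTE, value)
     * (assumed integration point); a User Session Note mapper on the client then emits it
     * as the access-token claim. Null means "no delegable ticket, emit no claim".
     */
    public static String sessionNoteValue(Subject jaasSubject) throws IOException {
        KerberosTicket ticket = selectDelegableTicket(jaasSubject);
        return ticket == null ? null : toBase64(ticket);
    }
}
```

The selectDelegableTicket null path matters: emitting no claim is better than emitting a non-forwardable or expired ticket that the IBM i will reject, and it keeps a stale credential out of a token that may be cached by the client.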
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
Sent: Thursday, February 7, 2019 2:17 AM
To: Marek Posolda <mposolda(a)redhat.com>; Dmitry Telegin <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
So I made a small addition and stepped through the authenticate method
    // Inside KerberosUsernamePasswordAuthenticator; needs javax.security.auth.Subject
    // and javax.security.auth.kerberos.KerberosTicket imported.
    public Subject authenticateSubject(String username, String password) throws LoginException {
        String principal = getKerberosPrincipal(username);
        logger.debug("Validating password of principal: " + principal);
        loginContext = new LoginContext("does-not-matter", null,
                createJaasCallbackHandler(principal, password),
                createJaasConfiguration());
        loginContext.login();
        logger.debug("Principal " + principal + " authenticated successfully");

        // ** added lines: list the Kerberos tickets the JAAS login left in the Subject
        Subject subject = loginContext.getSubject();
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println(ticket.getClient().getName());
        }
        return loginContext.getSubject();
    }
The Subject obtained from the loginContext has one KerberosTicket private credential.
Googling has not given me any insight on where I go from here.
Do you have any suggestions?
-----Original Message-----
From: Marek Posolda <mposolda(a)redhat.com>
Sent: Tuesday, January 29, 2019 4:07 AM
To: Dmitry Telegin <dt(a)acutus.pro>; Chris Smith <chris.smith(a)cmfirstgroup.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
+1
GSSCredential is used just during SPNEGO authentication. You may possibly change the
built-in authentication flows or userStorage provider, so that after verification with
username/password, the GSSCredential will be somehow obtained from the JAAS Subject used
for the authentication (See class KerberosUsernamePasswordAuthenticator for the details).
However I am not sure if this is really possible and it will require some more deep-dive
into the Keycloak codebase and Kerberos implementation in JDK... Just a hint...
Marek
On 28/01/2019 07:21, Dmitry Telegin wrote:
Hello Chris,
AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's
possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP
authentication.
Cheers,
Dmitry
On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
>
> Here is a Diagram of what I'm trying to do
>
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
> To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>
> I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.
>
> I can get a Delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the Keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>
> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>
> Can Keycloak put a GSSCredential for the logged-in user in the Access Token when SPNEGO is not available from the browser?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user