+1
GSSCredential is used just during SPNEGO authentication. You may
possibly change the built-in authentication flows or userStorage
provider, so that after verification with username/password, the
GSSCredential will be somehow obtained from the JAAS Subject used for
the authentication (See class KerberosUsernamePasswordAuthenticator for
the details).
However, I am not sure if this is really possible, and it will require a deeper dive into the Keycloak codebase and the Kerberos implementation in the JDK... Just a hint...
Marek
On 28/01/2019 07:21, Dmitry Telegin wrote:
Hello Chris,
AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's
possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP
authentication.
Cheers,
Dmitry
On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
> Does anyone have feedback about getting a delegated GSSCredential?
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
> Sent: Wednesday, January 23, 2019 10:12 PM
> To: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
>
> Here is a Diagram of what I'm trying to do
>
> From: Chris Smith
> Sent: Wednesday, January 23, 2019 8:08 AM
> To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>
> I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.
>
> I can get a delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
> When the browser workstation is not a member of the AD domain, Keycloak will authenticate the user id and password entered on the Keycloak login page, but there will not be a delegated GSSCredential in the Access Token in my servlet.
>
> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>
> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>
> Can Keycloak put a GSSCredential for the logged-in user in the Access Token when SPNEGO is not available from the browser?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
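An added example, not from this thread and not Keycloak project code, of the mechanism Marek hints at: a Kerberos username/password login through JAAS (Krb5LoginModule) puts the user's TGT into the JAAS Subject, and an initiator GSSCredential can then be created inside Subject.doAs. The JAAS entry name "KerberosPassword", the class and method names, and the availability of a krb5.conf (or the java.security.krb5.realm/kdc properties) are assumptions; whether such a credential can be surfaced through Keycloak's authentication flow into the access token is exactly the open question of the thread.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class PasswordToGssCredential {

    // Kerberos mechanism OID (standard value, not specific to this example).
    private static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    // Hypothetical helper: authenticates principal/password against the KDC via the
    // assumed JAAS entry "KerberosPassword" (Krb5LoginModule required) and returns an
    // INITIATE_ONLY credential backed by the TGT that the login placed in the Subject.
    public static GSSCredential obtainInitiatorCredential(String principal, char[] password)
            throws LoginException, GSSException {
        LoginContext lc = new LoginContext("KerberosPassword", callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        });
        // Krb5LoginModule sends the AS-REQ; a wrong password fails here with LoginException.
        lc.login();
        Subject subject = lc.getSubject();
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () -> {
                GSSManager manager = GSSManager.getInstance();
                GSSName name = manager.createName(principal, GSSName.NT_USER_NAME);
                // The credential is resolved from the Subject's private Kerberos tickets.
                return manager.createCredential(name, GSSCredential.DEFAULT_LIFETIME,
                        KRB5_MECH, GSSCredential.INITIATE_ONLY);
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof GSSException) {
                throw (GSSException) cause;
            }
            throw new LoginException("credential acquisition failed: " + cause);
        }
    }
}
```

Two points a practitioner would check before wiring something like this into a login flow: the returned credential wraps the user's TGT, so it must be treated as a secret (call dispose() when done, never serialise it into a token that leaves the server), and the char[] password should be zeroed by the caller after login() returns. This is an initiator credential derived from the password, not a credential delegated by the browser, so it only helps downstream if the IBM i side accepts service tickets the server requests on the user's behalf.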