Marek Posolda <mposolda(a)redhat.com> writes:
> The integration with FreeIPA is supposed to use the SSSD userStorage
> provider. Have a few questions to clarify:
> 1. If you have the SSSD provider and your user doesn't have a Kerberos
> ticket, does Keycloak authentication work for both password-only and
> password+otp users?
Yes, that is correct.
> 2. If you have the SSSD provider and your user has a Kerberos ticket, are
> you able to authenticate with Kerberos+SPNEGO?
No, I'm not able to connect with Kerberos. I did the following:
- I created a new realm "sso"
- There is one User Federation "sssd"
- In the SSSD provider /etc/sssd/sssd.conf:

    [ifp]
    allowed_uids = root, keycloak
    user_attributes = +mail, +telephoneNumber, +givenname, +sn

- Under Authentication -> Flows I've added "Kerberos" as "Alternative" to the browser flow.
- When I open https://saml.example.org/auth/realms/sso/account/ I'll see in server.log:

2018-01-17 22:37:02,825 WARN
[org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (default task-4)
Received kerberos token, but there is no user storage provider that handles kerberos
credentials.
I'm not logged in, but can authenticate with password+OTP.
As far as I understood, only the Kerberos and LDAP user storage providers can handle
Kerberos authentication. I also tried having two user federations (sssd
and kerberos), but I only got one to work in the realm.
Jochen
--
This space is intentionally left blank.
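Since the SSSD provider depends on the InfoPipe responder exposing the right uid and attributes, here is a small checker for the [ifp] block quoted above. This is an added example, not code from Keycloak or SSSD; the sample sssd.conf is constructed, and the required-attribute list is taken from the configuration in the mail.

```python
import configparser
from typing import Dict, List

# Attributes the mail's sssd.conf exposes to Keycloak over the InfoPipe.
REQUIRED_ATTRS = ["mail", "telephoneNumber", "givenname", "sn"]

# Constructed sample that mirrors the [ifp] block from the thread.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, ifp
domains = example.org

[ifp]
allowed_uids = root, keycloak
user_attributes = +mail, +telephoneNumber, +givenname, +sn
"""


def _split_list(value: str) -> List[str]:
    """Split a comma-separated sssd.conf value into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_ifp(conf_text: str, service_uid: str = "keycloak") -> Dict[str, object]:
    """Validate the [ifp] section of an sssd.conf for use by Keycloak's SSSD provider.

    Returns a findings dict: whether the section exists, whether the
    Keycloak service uid is allowed to talk to the InfoPipe, and which of
    the required attributes are not exposed ('+attr' adds an attribute).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings: Dict[str, object] = {
        "ifp_section": cp.has_section("ifp"),
        "uid_allowed": False,
        "missing_attrs": list(REQUIRED_ATTRS),
        "ok": False,
    }
    if not cp.has_section("ifp"):
        return findings
    uids = _split_list(cp.get("ifp", "allowed_uids", fallback=""))
    findings["uid_allowed"] = service_uid in uids
    exposed = {a.lstrip("+") for a in _split_list(cp.get("ifp", "user_attributes", fallback=""))
               if not a.startswith("-")}
    findings["missing_attrs"] = [a for a in REQUIRED_ATTRS if a not in exposed]
    findings["ok"] = bool(findings["uid_allowed"]) and not findings["missing_attrs"]
    return findings
```

Run it against the real /etc/sssd/sssd.conf (as root) to confirm the uid the Keycloak process runs under is in allowed_uids before debugging the federation itself.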