Thanks for the clarification. Feel free to create a JIRA for your scenario -
also please link it with this email thread.
I am not yet sure how exactly to support your scenario. We may need to
look at what FreeIPA is doing for web authentication. I think the proper
way to have this working might be through the SSSD provider. But that one
doesn't support Kerberos in Keycloak right now. From the long-term
perspective, we may need to move Kerberos configuration (keytab etc.)
from the federation provider to the SPNEGOAuthenticator. This will
remove the limitation that Kerberos/SPNEGO authentication is currently
tightly coupled just with the LDAP+Kerberos federation providers and will
help with some other use cases. On the other hand, the proper way to have
SPNEGO working might be different for SSSD integration - maybe not using
a keytab etc., but doing it through GSS Proxy. But not 100% sure... Will
require more investigation...
Marek
On 17/01/18 22:48, Jochen Hein wrote:
Marek Posolda <mposolda(a)redhat.com> writes:
> The integration with FreeIPA is supposed to use the SSSD userStorage
> provider. I have a few questions to clarify:
>
> 1. If you have the SSSD provider and your user doesn't have a Kerberos
> ticket, does Keycloak authentication work for both password-only and
> password+OTP users?
Yes, that is correct.
> 2. If you have the SSSD provider and your user has a Kerberos ticket, are
> you able to authenticate with Kerberos+SPNEGO?
No, I'm not able to connect with Kerberos. I did the following:
- I created a new realm "sso"
- There is one User Federation "sssd"
- In the SSSD provider /etc/sssd/sssd.conf:
[ifp]
allowed_uids = root, keycloak
user_attributes = +mail, +telephoneNumber, +givenname, +sn
- Under Authentication -> Flows I've added "Kerberos" as "Alternative"
to the browser flow.
- When I open https://saml.example.org/auth/realms/sso/account/ I'll see
in server.log:
2018-01-17 22:37:02,825 WARN
[org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (default task-4)
Received kerberos token, but there is no user storage provider that handles kerberos
credentials.
I'm not logged in, but can authenticate with password+OTP.
As far as I understood, only the Kerberos and LDAP user storage providers can handle
Kerberos authentication. I also tried to have two user federations (sssd
and kerberos), but I only got one to work in the realm.
Jochen
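The steps Jochen lists hinge on the SSSD InfoPipe ([ifp]) settings: the account Keycloak runs as must be in allowed_uids, and the attributes Keycloak maps must be exported via user_attributes. The following checker is an added example, not code from this thread or from the Keycloak or SSSD projects; it parses an sssd.conf (a constructed sample is embedded) and reports what is missing. The attribute set, the service user name "keycloak", and the assumption that older SSSD releases need "ifp" listed under [sssd] services (newer releases can socket-activate it) are mine, not facts stated in the thread.

```python
"""Sanity-check an sssd.conf for use with the Keycloak SSSD user-storage provider.

Added example (not from the mailing-list thread, Keycloak or SSSD).
Assumptions, labelled here: the service account is 'keycloak', the attribute
set matches the one exported in the thread, and 'ifp' must appear in
[sssd] services on SSSD versions without socket activation.
"""
import configparser

# Attributes the thread's config exports; assumed to be the set Keycloak maps.
REQUIRED_ATTRS = {"mail", "telephoneNumber", "givenname", "sn"}

# Constructed sample sssd.conf, modelled on the [ifp] block shown in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ifp
domains = example.org

[domain/example.org]
id_provider = ipa

[ifp]
allowed_uids = root, keycloak
user_attributes = +mail, +telephoneNumber, +givenname, +sn
"""


def _split_list(value):
    """Split an sssd.conf comma-separated value into stripped, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_sssd_conf(text, service_user="keycloak", required_attrs=REQUIRED_ATTRS):
    """Return a list of findings; an empty list means the config looks usable."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(text)
    findings = []

    if not cfg.has_section("ifp"):
        findings.append("missing [ifp] section: the InfoPipe responder is not configured")
        return findings

    ifp = cfg["ifp"]

    # Keycloak talks to SSSD over D-Bus as its own UID, so that UID must be allowed.
    allowed = _split_list(ifp.get("allowed_uids", ""))
    if service_user not in allowed:
        findings.append(f"allowed_uids does not include '{service_user}' (got {allowed})")
    # Least privilege: every extra UID here can query identity data over D-Bus.
    extra = sorted(set(allowed) - {"root", service_user})
    if extra:
        findings.append(f"allowed_uids grants InfoPipe access to extra users: {extra}")

    # '+attr' adds an attribute to the exported set, '-attr' removes one.
    items = _split_list(ifp.get("user_attributes", ""))
    exported = {a.lstrip("+") for a in items if not a.startswith("-")}
    missing = sorted(required_attrs - exported)
    if missing:
        findings.append(f"user_attributes does not export: {missing}")

    # Assumption: without socket activation the responder must be started by sssd.
    services = _split_list(cfg.get("sssd", "services", fallback=""))
    if "ifp" not in services:
        findings.append("'ifp' is not in [sssd] services (needed unless SSSD socket-activates it)")
    return findings


if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE_SSSD_CONF) or ["sssd.conf looks usable"]:
        print(finding)
```

Run it against a real file with check_sssd_conf(open("/etc/sssd/sssd.conf").read()); note that the file is normally readable only by root, so a finding about allowed_uids from this script is independent of whether the Keycloak process can actually reach the D-Bus socket, which still has to be verified on the host.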